Data Processing Agreement (DPA)

Last updated: June 30, 2026

1. Scope and Applicability

This Data Processing Agreement ("DPA") forms part of the Terms of Service between CEYMOB LLC ("Processor") and the customer ("Controller") and applies where the Processor processes personal data on behalf of the Controller in the provision of MobVex services. This DPA complies with Article 28 of the General Data Protection Regulation (GDPR).

This DPA is applicable to enterprise and business customers. To execute this DPA, please contact info@ceymob.com.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data (collection, storage, use, etc.).
  • Controller: The customer who determines the purposes and means of processing.
  • Processor: CEYMOB LLC, which processes data on behalf of the Controller.
  • Data Subject: The individual whose personal data is being processed.
  • Subprocessor: A third party engaged by the Processor to process personal data.

3. Nature and Purpose of Processing

The Processor processes personal data for the purpose of providing the MobVex Service to the Controller. Processing activities include:

  • Account Data: Email addresses, names, and authentication tokens for account management.
  • Billing Data: Payment information processed via Stripe (subprocessor).
  • Usage Data: Tool usage logs, credit consumption, and feature interaction metrics.
  • App Inventory: Package names and app identifiers provided by the Controller.
  • Analysis Results: Reports, keyword rankings, and review analyses generated for the Controller.

4. Duration of Processing

Processing continues for the duration of the Controller's account and for up to 30 days after account termination, unless longer retention is required by law.

5. Processor Obligations

The Processor agrees to:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers.
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures (see Section 7).
  • Assist the Controller in responding to data subject rights requests.
  • Assist the Controller in meeting GDPR obligations regarding security, breach notification, and DPIA.
  • Notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach.
  • Delete or return all personal data to the Controller upon termination of services.
  • Make available to the Controller all information necessary to demonstrate compliance.
  • Allow and contribute to audits conducted by the Controller or an authorized auditor.

6. Subprocessors

The Controller authorizes the Processor to engage the following subprocessors:

SubprocessorPurposeLocation
Google Firebase (GCP)Authentication, database, hosting, analyticsUnited States (us-central1)
StripePayment processingUnited States
DeepSeek AIAI analysis of anonymized app store reviews (primary)China
Google AI (Gemini)AI analysis of anonymized app store reviews (fallback)United States
Serper (Google Search API)Search engine results for analysisUnited States
Scrape.doPlay Store / App Store data retrievalGlobal
OxylabsPlay Store data retrievalGlobal
ScrapingBeePlay Store data retrievalGlobal
FirecrawlPlay Store data retrievalGlobal
SerpAPIPlay Store search data retrievalUnited States
SmartproxyPlay Store reviews retrievalGlobal
BrightDataPlay Store reviews retrievalGlobal
SmartGPlayPlay Store search data retrievalGlobal
GPlayScraperPlay Store top charts retrievalGlobal

The Processor will inform the Controller of any intended changes concerning the addition or replacement of subprocessors, giving the Controller the opportunity to object.

7. Security Measures

The Processor implements and maintains the following technical and organizational measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Firebase Authentication for access control with secure session management
  • Content Security Policy (CSP) and security headers (X-Frame-Options, XSS Protection)
  • Regular security updates and dependency vulnerability scanning
  • Firewall and DDoS protection via Google Cloud infrastructure
  • Access logging and monitoring for administrative actions
  • Principle of least privilege for internal access to production systems
  • Data stored exclusively in us-central1 region unless otherwise specified

8. Data Subject Rights

The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to data subject requests under GDPR (Articles 12-23).

Data subject requests should be directed to info@ceymob.com.

9. International Data Transfers

Personal data is processed and stored in the United States. For transfers from the EEA to the US, the Processor relies on Standard Contractual Clauses (SCCs) and supplementary measures where applicable. Google Cloud Platform's GDPR-compliant data processing terms apply to Firebase services.

10. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party's liability for data breaches caused by its negligence or willful misconduct, or where liability cannot be limited by law.

11. Execution

This DPA is incorporated by reference into the Terms of Service for qualifying customers. For a separate signed agreement, enterprise customers may contact us at info@ceymob.com.

12. Contact

CEYMOB LLC
30 N Gould St, Suite 50327
Sheridan, WY 82801
Phone: (307) 487-8607
Data Protection: info@ceymob.com