Trust

Data Processing Addendum

Last updated

This Data Processing Addendum (“DPA”) supplements the Mentionwell Terms of Service and applies whenever Mentionwell processes Personal Data on behalf of a Customer. It is pre-signed by ZipLyne (the parent organisation that operates Mentionwell). To execute, fill in your company details below and email a counter-signed copy to admin@mentionwell.com.

1. Overview

Mentionwell is a Software-as-a-Service product operated by ZipLyne (the “Processor” or “we”) that helps customers (the “Controller” or “you”) generate, optimise, measure, and publish content optimised for AI answer engines. In delivering the Service we may process Personal Data on your behalf. This DPA describes the parties’ obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”), the UK GDPR, and the Swiss Federal Act on Data Protection.

2. Definitions

Terms not defined in this DPA carry the meaning given in the GDPR. Specifically:

  • Personal Data: any information relating to an identified or identifiable natural person processed under the Agreement.
  • Customer Data: data Customer or its end-users provide to the Service, including Personal Data.
  • Sub-processor: any third party we engage to process Personal Data on Customer’s behalf.
  • Standard Contractual Clauses (“SCCs”): the EU Commission Decision 2021/914 SCCs, as amended.

3. Processing of Personal Data

3.1 Roles. The parties acknowledge that Customer is the Controller and Mentionwell is the Processor of Personal Data processed under the Agreement.

3.2 Subject matter. Provision of the Service: AEO scanning, article generation, image generation, headless delivery, indexing, and analytics integrations.

3.3 Categories of data. Account identifiers (name, email, organisation), authentication metadata, content authored on the Service, configuration metadata for connected sites, and usage telemetry.

3.4 Categories of data subjects. Customer’s personnel and authorised users; readers of Customer’s connected sites only insofar as their requests transit our public Reader API.

3.5 Documented instructions. Mentionwell will process Personal Data only on documented instructions from the Controller, which include the Agreement, this DPA, and configuration the Controller sets within the Service.

3.6 Confidentiality. All personnel authorised to process Personal Data are bound by confidentiality obligations.

4. Sub-processors

Customer hereby authorises Mentionwell to engage Sub-processors to provide infrastructure, AI inference, image generation, email delivery, error monitoring, and analytics. The current list of Sub-processors is published at /subprocessors and may be updated from time to time. We will give Customer at least fifteen (15) days’ notice of any new Sub-processor by updating that page. Customer may object to a new Sub-processor on reasonable grounds in writing; if the parties cannot agree on a remedy, Customer may terminate the affected Service.

5. Data subject rights

Mentionwell will, taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer’s obligations to respond to requests for the exercise of data-subject rights. Where a data subject contacts Mentionwell directly, we will redirect them to Customer.

6. International data transfers

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a third country that has not been the subject of an adequacy decision, the parties agree that the SCCs (with the UK Addendum and Swiss-specific reading where applicable) are incorporated by reference and apply to such transfer. Customer is the data exporter; Mentionwell is the data importer. Module Two (Controller-to-Processor) applies.

7. Security measures

Mentionwell implements the technical and organisational measures described at /security, which include encryption in transit and at rest, role-based access control, secret management, logging, monitoring, least-privilege production access, and personnel training. We will not materially decrease the overall security of the Service during the term.

8. Personal data breach

Mentionwell will notify Customer without undue delay, and in any event within seventy-two (72) hours of confirmation, of a Personal Data Breach affecting Customer Data. The notification will include the information available to Mentionwell at that time, including: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

9. Term, deletion, and return

This DPA remains in effect for as long as Mentionwell processes Personal Data on Customer’s behalf. On termination of the Agreement, Mentionwell will, at Customer’s choice, delete or return all Personal Data unless retention is required by applicable law. Routine logs and backups expire on their normal cycle (security-relevant logs up to twelve months, backups up to thirty days).

10. How to execute

This DPA is pre-signed by ZipLyne, operating Mentionwell. To execute it for your organisation:

  1. Print this page or save it as a PDF.
  2. Counter-sign on behalf of your organisation; include legal name, registered address, and signatory title.
  3. Email the executed copy to admin@mentionwell.com.

Procurement teams that prefer to use their own DPA template can email admin@mentionwell.com; we will turn around redlines within five business days for Growth tier and above.

Signed for the Processor

ZipLyne — operating Mentionwell
Authorised signatory: Isaac Horowitz
Title: Founder
Date: 2026-05-10

See also

Subprocessors Security overview Privacy Policy AI Disclosure
66 beta testing now