Data Processing Agreement

1. Introduction and Purpose

This Data Processing Agreement ("DPA") forms part of the Sight Terms of Service between Sight Limited ("Sight") and the customer ("Customer") who has accepted the Terms of Service. This DPA governs the processing of personal data by Sight on behalf of the Customer in connection with the Sight AI visibility platform (the "Service").

This DPA applies to Pro and Enterprise plan customers. It is intended to satisfy the requirements of applicable data protection law, including the New Zealand Privacy Act 2020, the General Data Protection Regulation (GDPR) (EU) 2016/679, and the UK GDPR where applicable.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to data processing matters.

2. Definitions

ControllerThe natural or legal person who determines the purposes and means of processing personal data. In this DPA, the Customer is the Controller of Customer Personal Data.

ProcessorA natural or legal person who processes personal data on behalf of the Controller. In this DPA, Sight acts as Processor when processing Customer Personal Data.

Data SubjectAn identified or identifiable natural person to whom personal data relates.

Personal DataAny information relating to an identified or identifiable natural person.

ProcessingAny operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.

GDPRGeneral Data Protection Regulation (EU) 2016/679, including the UK GDPR as applicable.

NZ Privacy ActThe New Zealand Privacy Act 2020, as amended from time to time.

Sub-processorAny third party engaged by Sight to process Customer Personal Data on Sight's behalf.

3. Scope and Role of the Parties

Sight acts as a Data Processor when processing personal data that the Customer provides to Sight or that is generated through the Customer's use of the Service — for example, team member email addresses, user account data, and domain analysis records associated with the Customer's account ("Customer Personal Data").

For purposes of operating and improving the Service, managing billing, and conducting its own analytics and security monitoring, Sight acts as a Data Controller of the personal data it processes for its own purposes. This processing is governed by Sight's Privacy Policy.

The subject matter, duration, nature, purpose, and type of Personal Data processed under this DPA are as described in Annex 1 below and in the Privacy Policy.

4. Customer Obligations as Controller

As the Data Controller, the Customer agrees to:

Ensure there is a lawful basis under applicable data protection law for providing personal data to Sight for processing
Provide all necessary privacy notices to data subjects whose data is processed through the Service
Ensure that any instructions given to Sight for processing personal data are lawful
Promptly notify Sight if the Customer becomes aware that any processing instructions violate applicable law
Maintain appropriate security measures for access credentials used to access the Service

5. Sight's Obligations as Processor

As a Data Processor, Sight agrees to:

Process Customer Personal Data only on the documented instructions of the Customer, except where required by law
Ensure that all personnel with access to Customer Personal Data are subject to binding confidentiality obligations
Implement appropriate technical and organisational security measures to protect Customer Personal Data (see Section 8)
Not engage sub-processors without the Customer's prior authorisation (general authorisation is given for the sub-processors listed in Section 6)
Assist the Customer in fulfilling its obligation to respond to data subject rights requests (see Section 9)
Notify the Customer of a confirmed personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach
Provide the Customer with all information reasonably necessary to demonstrate compliance with this DPA
Delete or return all Customer Personal Data upon termination of the Service, in accordance with Section 11

6. Sub-processors

By accepting this DPA, the Customer provides general authorisation for Sight to engage the following sub-processors to assist in providing the Service. Sight remains liable for the acts and omissions of its sub-processors to the same extent it would be liable if it performed those services directly.

Sub-processor	Purpose	Location
Perplexity AI, Inc.	AI query processing — domain name queries are transmitted to the Perplexity AI API to generate AI model responses	United States
Anthropic, PBC	AI query processing — domain name queries are transmitted to the Anthropic Claude API to generate AI model responses	United States
StableServer	Infrastructure hosting — Customer account data and analysis results are stored on servers hosted with StableServer	New Zealand
Stripe, Inc.	Payment processing — Customer billing data and subscription management	United States

Sight will notify Customers of any intended changes to sub-processors (additions or replacements) by updating this DPA and providing at least 30 days' notice by email. Customers who object to a new sub-processor on reasonable data protection grounds may terminate their subscription and receive a pro-rata refund for any unused prepaid period.

7. International Data Transfers

Some of Sight's sub-processors are located in the United States. When Customer Personal Data is transferred to the United States for AI query processing (via the Perplexity AI and Anthropic APIs), such transfers are subject to appropriate safeguards including Standard Contractual Clauses (SCCs) as published by the European Commission, where applicable under GDPR.

Sight takes steps to ensure that transfers of personal data outside New Zealand and the EEA are conducted in accordance with applicable data protection law and are subject to appropriate contractual protections.

For Enterprise customers requiring specific transfer mechanism documentation, please contact dpa@onsight.nicobarragan.co.nz.

8. Security Measures

Sight implements the following technical and organisational measures to protect Customer Personal Data:

Encryption in transit: All data transmitted between your browser/device and Sight's servers is encrypted using TLS 1.2 or higher
Encryption at rest: Sensitive data fields are encrypted at rest using industry-standard encryption algorithms
Access controls: Strict role-based access controls limit employee access to Customer Personal Data to those with a legitimate need
Password security: User passwords are stored using bcrypt with an appropriate cost factor — plaintext passwords are never stored or transmitted
Regular security reviews: We conduct periodic security reviews including dependency scanning and vulnerability assessments
Incident response: A documented incident response plan is maintained and tested. In the event of a confirmed personal data breach, we follow the notification obligations set out in Section 5
Employee training: Personnel with access to personal data receive training on data protection obligations and security practices

9. Data Subject Rights

Sight will assist the Customer in responding to data subject rights requests received from individuals whose personal data is processed through the Service. These rights include the right to access, rectify, erase, restrict processing, obtain portability of, and object to processing of their personal data.

If Sight receives a data subject rights request directly from a data subject relating to Customer Personal Data, Sight will promptly forward the request to the Customer and not respond directly unless instructed to do so. Sight will provide the Customer with the cooperation and information reasonably necessary to respond to such requests within the legally required timeframes (typically 30 days under GDPR and the NZ Privacy Act).

10. Audit Rights

Upon the Customer's written request, Sight will provide the Customer with information reasonably necessary to demonstrate compliance with this DPA, including Sight's most recent security assessment summary.

The Customer may conduct a data processing audit of Sight's relevant facilities and procedures with a minimum of 30 days' written notice, no more than once per calendar year, and subject to reasonable confidentiality obligations. The costs of any such audit shall be borne by the Customer, unless the audit reveals a material breach of this DPA by Sight.

11. Term and Termination

This DPA remains in force for the duration of the Customer's active subscription to the Service. It terminates automatically upon expiry or termination of the Customer's subscription.

Upon termination of the subscription for any reason, Sight will, at the Customer's election, either delete or return all Customer Personal Data within 90 days of the termination date, except to the extent that Sight is required to retain the data by applicable law or regulation. Sight will confirm deletion in writing upon request.

Provisions of this DPA that by their nature should survive termination (including audit rights and breach notification obligations) shall survive termination of this agreement.

12. Contact

For questions about this DPA, data processing practices, or to exercise rights under this agreement, please contact our data protection contact:

Email: dpa@onsight.nicobarragan.co.nz
Postal address: Sight Limited, Auckland, New Zealand

We aim to respond to all DPA-related inquiries within 5 business days.

Annex 1 — Subject Matter and Nature of Processing: The subject matter of processing is the operation of the Sight AI visibility platform. Processing includes storage of account data (names, email addresses), analysis of domain names provided by the Customer, and generation of AI visibility reports. The duration of processing is the term of the Customer's subscription. The type of personal data includes name, email address, IP address, browser information, and usage data. The categories of data subjects include the Customer's team members and users.