Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Advocate Terms of Service between Advocate ("Processor") and the subscribing business ("Controller"). It governs the processing of personal data by Advocate on behalf of the Controller in connection with the Advocate platform. To request a countersigned copy of this DPA, email privacy@advocatemcp.com.
1. Definitions
- Controller — the Advocate client (subscribing business) who determines the purposes and means of personal data processing.
- Processor — Advocate, which processes personal data on behalf of the Controller.
- Personal Data — any information relating to an identified or identifiable natural person, as defined under GDPR Article 4.
- Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- Sub-processor — a third party engaged by Advocate to process Personal Data on behalf of the Controller.
2. Roles and Responsibilities
The Controller is responsible for: determining the lawful basis for collecting and submitting business profile data to Advocate; ensuring data subjects have been informed of data processing where required; and compliance with applicable data protection laws in the Controller's jurisdiction.
The Processor (Advocate) is responsible for: processing Personal Data only on the Controller's documented instructions; implementing appropriate technical and organizational security measures; notifying the Controller of any personal data breach within 72 hours of becoming aware of it; and assisting the Controller in responding to data subject rights requests.
3. Data Processed
The following categories of data are processed by Advocate on behalf of the Controller:
| Category | Data Elements | Purpose |
|---|---|---|
| Business Profile | Business name, category, city/state, services, pricing range, availability, differentiators, referral URL | AI agent response generation |
| Contact Data | Email address, phone number (if provided) | Account management, billing communications |
| Query Logs | Incoming AI queries, generated responses, crawler type, intent classification | Analytics, response quality improvement |
| Technical Data | Hashed IP addresses, User-Agent strings, request timestamps | Fraud prevention, analytics |
Data subjects affected: employees, contractors, or agents of the Controller whose contact information is submitted; end-users whose queries are logged (IP-hashed only).
4. Purpose of Processing
Advocate processes Personal Data solely for the purpose of providing the Advocate platform services, which include:
- Generating structured AI agent responses using the Controller's business profile
- Serving AI agent profiles via the Controller's custom domain
- Tracking AI crawler requests and referral clicks for dashboard analytics
- Managing subscription billing and account communications
Advocate will not process Personal Data for any purpose other than the above without the Controller's prior written consent, except as required by law.
5. Security Measures
Advocate implements the following technical and organizational measures to protect Personal Data:
- All data in transit encrypted via TLS 1.2 or higher (enforced by Cloudflare)
- Database access restricted to authenticated application processes only
- IP addresses are SHA-256 hashed before storage — original IPs are not retained
- API keys and secrets stored as encrypted environment variables, never in source code
- Access to production systems limited to authorized personnel on a need-to-know basis
- Railway infrastructure is SOC 2 Type II compliant
6. Sub-processors
Advocate uses the following sub-processors to deliver the platform. The Controller hereby grants general authorization for the use of these sub-processors. Advocate will notify the Controller of any material changes to this list with at least 30 days' notice.
| Sub-processor | Location | Purpose | Privacy Policy |
|---|---|---|---|
| Anthropic, PBC | USA | AI response generation (Claude API) | anthropic.com/privacy |
| Cloudflare, Inc. | USA (global edge) | DNS routing, edge caching, SSL, analytics | cloudflare.com/privacypolicy |
| Stripe, Inc. | USA | Subscription billing and payment processing | stripe.com/privacy |
| Railway Corp. | USA | Application hosting and database infrastructure | railway.app/legal/privacy |
7. Data Retention and Deletion
- Business profile data is retained while the Controller's account is active plus 90 days following account termination, then permanently deleted.
- Query logs are retained for 12 months from the date of collection, then deleted.
- Hashed IP addresses are retained for 90 days from collection, then deleted.
- Payment records are retained per Stripe's data retention policy to satisfy tax and legal obligations.
Upon account termination or written request, Advocate will confirm deletion of all business profile data within 30 days of the retention period expiry.
8. Data Subject Rights Assistance
Advocate will assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, restriction, portability, and objection) where the data is held by Advocate. The Controller remains responsible for communicating with data subjects and determining the appropriate response.
To submit a data subject rights request on behalf of your users, contact privacy@advocatemcp.com.
9. International Data Transfers
Advocate's infrastructure is primarily located in the United States. Where Personal Data originating from the EU/EEA or UK is transferred to Advocate's US-based infrastructure, such transfers are governed by:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller to Processor), incorporated herein by reference
- The UK International Data Transfer Addendum where applicable
A copy of the applicable SCCs is available upon request at privacy@advocatemcp.com.
10. Breach Notification
In the event of a personal data breach affecting Controller data, Advocate will notify the Controller without undue delay and within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach; categories and approximate number of individuals affected; likely consequences; and measures taken or proposed to address the breach.
Request a signed DPA: To receive a countersigned copy of this Data Processing Agreement for your records, email privacy@advocatemcp.com with subject line "DPA Request" and your company name. We will respond within 5 business days.
Data Controller (Client)
Authorized signature
Name & title
Date
Data Processor (Advocate)
Authorized signature
Name & title
Date