ClickCease Data Processing Agreement (DPA) - Morningscore

    Data Processing Agreement (DPA)

    Updated: Published:

    Data Processing Agreement (DPA)

    Between Morningscore ApS and the User

    1. Parties

    Data Controller (“User”):

    Any company or organization that creates an account with Morningscore ApS and uses the Services.

    Data Processor (Morningscore ApS):

    • Name: Morningscore ApS
    • Company ID: DK39311437
    • Address: Stærmosegårdsvej 8, st., 5230 Odense M, Denmark
    • Contact: info@morningscore.io
    • Managing Director: Karsten Madsen
    • Website: https://morningscore.io

    2. Purpose and Scope

    This Data Processing Agreement (“Agreement”) governs Morningscore ApS’s processing of personal data on behalf of the User in connection with the provision of Morningscore’s SEO tools and related services (“Services”).

    The Agreement is entered into in accordance with:

    • EU General Data Protection Regulation (GDPR) Article 28
    • Danish Data Protection Act

    2.1 Acceptance of Agreement

    This DPA automatically takes effect when the User:

    • Creates an account with Morningscore, and
    • Accepts Morningscore’s Terms of Service

    By using the Services, the User confirms having read and accepted this DPA.

    2.2 Availability

    This DPA is always available at:

    • Morningscore’s website: https://morningscore.io/dpa

    3. Nature and Purpose of Processing

    3.1 Nature of Processing

    Morningscore processes personal data as part of providing the following services:

    • SEO analysis tools
    • AI analysis tools
    • Link analysis tools
    • Keyword tracking
    • Competitor analysis
    • Reporting and data visualization
    • User administration and account management

    3.2 Purpose of Processing

    Personal data is processed exclusively for the purpose of:

    • Providing and maintaining the Services
    • Managing User accounts and user access
    • Generating SEO reports and analyses
    • Providing technical support
    • Fulfilling contractual obligations

    4. Categories of Personal Data

    Morningscore processes the following categories of personal data:

    4.1 User Information

    • Name
    • Email address
    • Phone number (if provided – not required)
    • Company name
    • Job title (if provided)
    • Login credentials (encrypted passwords)

    4.2 Technical Data

    • IP addresses
    • Browser type and version
    • Operating system
    • Visit data and usage statistics
    • Cookies and similar technologies
    • Log files

    4.3 SEO-Related Data

    • Search queries
    • Website data
    • Competitor data
    • Backlink information
    • Keyword data

    4.4 Communication Data

    • Email correspondence
    • Support inquiries
    • Chat messages (via Crisp)

    4.5 User-Generated Content

    • Text notes created by the user in the tool
    • Only accessed by support with the User’s explicit consent

    5. Categories of Data Subjects

    Data subjects include:

    • User’s employees and authorized users
    • User’s contact persons
    • Visitors to User’s websites (indirectly via tracking – anonymized where possible)

    6. Data Processor’s Obligations

    6.1 Processing Instructions

    Morningscore may only process personal data according to documented instructions from the User, unless processing is required by EU law or member state legislation.

    6.2 Confidentiality

    Morningscore ensures that persons with access to personal data:

    • Are subject to confidentiality obligations
    • Only process data according to instructions from the User
    • Are properly instructed in data protection

    6.3 Technical and Organizational Security Measures

    Morningscore has implemented the following security measures:

    Technical Measures:

    • SSL/TLS encryption of data transmission
    • Encrypted passwords (all passwords encrypted)
    • Secure servers behind firewalls
    • SSH access with secure private/public keys (key employees only)
    • Regular security updates
    • Backup procedures
    • Access control and authentication
    • Logging of employee access in all IT systems
    • No personally identifiable data stored or processed locally at the office

    Organizational Measures:

    • Access control based on “need-to-know” principle
    • Only support has access to user database with personally identifiable data
    • Employee training in data security
    • Confidentiality agreements with employees
    • All passwords stored in heylogin with 2-factor authentication
    • Office locked securely
    • Incident response procedures
    • Regular review of security measures

    Secure Coding Practices:

    • Careful use of jQuery.html()
    • CSRF protection (Cross-Site Request Forgery)
    • SQL Injection protection
    • Remote File Inclusion protection
    • PHP files start with <?php tag that is never closed
    • .php extension for all PHP scripts
    • Avoidance of dangerous functions (eval, exec, passthru, system, popen, preg_replace with “e” modifier)
    • Ongoing code review to identify bad practices

    Section 7: Sub-processors 

    7.1 Use of Sub-processors

    Morningscore engages third-party sub-processors to assist in providing the Services. By accepting this DPA, the User provides general authorization for Morningscore to engage the sub-processors listed in Appendix B.

    Morningscore remains fully liable to the User for the performance of any sub-processor’s obligations under this DPA.

    7.2 Sub-processor Requirements

    Morningscore ensures that all sub-processors:

    • Are bound by written agreements that impose data protection obligations equivalent to those in this DPA
    • Implement appropriate technical and organizational security measures
    • Process personal data only in accordance with Morningscore’s instructions
    • Are subject to the same GDPR obligations as Morningscore

    7.3 Changes to Sub-processors

    Notification of Changes:

    Morningscore will notify the User of any intended changes concerning the addition or replacement of sub-processors by:

    • Update to the sub-processor list 
    • Notification within the Morningscore platform (if applicable)

    Important: Under this DPA, Users do not have the right to object to new sub-processors. However, if a User cannot accept a new sub-processor for legitimate data protection reasons, the User may terminate the Services by deleting their account via the self-service function.

    7.4 Current Sub-processors

    The current list of sub-processors is maintained in Appendix B of this DPA 

    Section 8: International Data Transfers 

    8.1 Transfer Outside EU/EEA

    Important: Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including:

    • United States 
    • United Kingdom 

    These transfers are necessary for Morningscore to provide the Services.

    8.2 Transfer Safeguards

    For all transfers of personal data outside the EU/EEA, Morningscore implements appropriate safeguards as required by GDPR Chapter V, including:

    Standard Contractual Clauses (SCCs):

    • Morningscore has executed EU Standard Contractual Clauses with sub-processors that transfer data outside the EU/EEA
    • These are the standard contractual clauses approved by the European Commission under Article 46(2)(c) GDPR

    UK Transfers:

    • Transfers to the United Kingdom are based on the UK’s data adequacy decision (where applicable) or International Data Transfer Agreement (IDTA) / SCCs

    8.3 User Acknowledgment

    By accepting this DPA and using the Services, the User acknowledges and agrees that:

    • Personal data will be transferred outside the EU/EEA as described in this Section 8
    • Morningscore has implemented appropriate safeguards for such transfers
    • The User has informed their own data subjects (if applicable) about these international transfers

    8.4 Changes to Transfer Mechanisms

    If legal requirements for international data transfers change (e.g., new adequacy decisions, invalidation of SCCs), Morningscore will:

    • Implement alternative lawful transfer mechanisms within a reasonable timeframe
    • Notify Users of material changes to transfer safeguards
    • Update this DPA accordingly

    9. Self-Service Functions and User Control

    9.1 Self-Service Functions

    Morningscore provides the following self-service functions so the User can fulfill data subjects’ rights:

    Right to Erasure:

    • User can delete their account at any time via Settings → Account → “Delete Account”
    • Upon deletion, ALL data is removed immediately

    Right to Rectification:

    • User can change their own information at any time via account settings

    Right to Access:

    • User has full access to all their data via the platform
    • User can export reports and data as needed

    Right to Data Portability:

    • User can export their data in common formats via the platform’s export functions

    9.2 Limited Assistance

    Morningscore provides assistance ONLY in the following cases:

    • Technical problems preventing self-service functions
    • Data protection questions answered by reference to this DPA
    • Formal GDPR requests requiring special documentation

    Morningscore is NOT obligated to:

    • Manually delete data when self-service function works
    • Manually export data when export functions are available
    • Perform tasks that User can do themselves via the platform

    9.3 Response Time for Formal Requests

    For formal GDPR requests that CANNOT be handled via self-service, Morningscore responds within 5 business days.

    10. Data Breach Notification

    10.1 Notification Obligation

    Morningscore shall, without undue delay and no later than 24 hours after becoming aware, notify the User of any personal data breach.

    10.2 Content of Notification

    The notification shall include:

    • Description of the breach
    • Categories and number of affected data subjects
    • Categories and number of affected personal data records
    • Likely consequences of the breach
    • Measures taken or proposed to remedy the breach
    • Contact information for further information

    10.3 Documentation

    Morningscore shall document all personal data breaches, including circumstances, consequences, and remedial measures.

    11. Data Deletion

    11.1 Self-Service Deletion (Primary Method)

    User deletes their own account and all data by:

    1. Logging into Morningscore
    2. Going to Settings → Account
    3. Clicking “Delete Account”

    This action deletes ALL data immediately. No further action from Morningscore is necessary.

    11.2 Automatic Deletion for Non-Payment

    If User does not renew their subscription, the account and all data are automatically deleted after 90 days.

    11.3 Backup Copies

    Backup copies are automatically deleted according to Morningscore’s backup retention policy (maximum 90 days).

    11.4 No Manual Return

    Morningscore does NOT offer manual return of data. User must export desired data via the platform’s export functions BEFORE deleting the account.

    11.5 Confirmation

    User automatically receives confirmation via email when the account is deleted.

    12. Documentation and Transparency

    12.1 Available Documentation

    Morningscore makes the following documentation available:

    • This Data Processing Agreement
    • Privacy Policy
    • Terms of Service
    • Security measures (described in this DPA)

    12.2 No Physical Audit

    Morningscore does NOT offer physical access to premises or servers for security reasons.

    12.3 Data Security Questions

    Questions about data security are answered by:

    1. Reference to this DPA (which contains all relevant information)
    2. Written response via info@morningscore.io (if DPA does not cover the question)

    12.4 Response Time

    Written inquiries about data security are answered within 5 business days.

    12.5 Third-Party Certifications

    Morningscore may, at its discretion, make third-party certifications or audit reports available.

    13. Liability and Indemnification

    13.1 Liability

    Morningscore is liable for damages caused by processing personal data in violation of:

    • This Agreement
    • GDPR
    • Documented instructions from the User

    13.2 Limitation of Liability

    Morningscore’s liability is limited in accordance with the general terms for the Services.

    Morningscore is NOT liable for:

    • User’s failure to use available self-service functions
    • Data loss if User has not exported data before account deletion
    • Delays caused by User’s failure to use self-service tools

    13.3 User’s Responsibility

    User is responsible for:

    • Using the available self-service functions
    • Exporting data before account deletion
    • Informing their own users about data processing

    14. Duration and Termination

    14.1 Duration

    This Agreement is valid as long as the User has an active account with Morningscore.

    14.2 Automatic Termination

    The Agreement terminates automatically when:

    • User deletes their account via self-service function
    • Account is automatically deleted due to non-payment (after 90 days)
    • Morningscore ceases to provide the Services

    14.3 No Notice Period

    There is no notice period. User can delete their account immediately at any time via the self-service function.

    15. Changes to the Agreement

    15.1 Right to Changes

    Morningscore may change this Agreement to:

    • Reflect changes in legislation
    • Implement new security measures
    • Improve self-service functions
    • Clarify existing terms

    15.2 Notice of Changes

    Material changes are notified at least 30 days in advance via:

    • Email to User’s registered email address
    • Notification in the Morningscore platform
    • Update on website with change date

    15.3 Acceptance of Changes

    By continuing to use the Services after the changes take effect, User accepts the new terms.

    If User does not accept the changes, User must delete their account via the self-service function before the changes take effect.

    16. Contact and Communication

    16.1 Contact Information

    Questions regarding this DPA should be sent in writing to:

    Morningscore ApS:

    • Email: info@morningscore.io
    • Address: Stærmosegårdsvej 8, st., 5230 Odense M, Denmark
    • Company ID: DK39311437

    16.2 Preferred Communication Method

    • General questions: Use support chat or email
    • GDPR requests: Send to info@morningscore.io with subject “GDPR”
    • Technical issues: Use support function in the platform

    16.3 Response Times

    • Support inquiries: 1-3 business days
    • GDPR requests: Within 5 business days
    • Data breach notifications: Within 24 hours

    17. Governing Law and Jurisdiction

    17.1 Governing Law

    This Agreement is governed by Danish law.

    17.2 Jurisdiction

    Any disputes shall be resolved by Danish courts with Odense City Court as venue.

    18. Acceptance and Effective Date

    This Data Processing Agreement takes effect upon User’s acceptance of Morningscore’s Terms of Service and constitutes an integral part of the agreement between the Parties.

    By using Morningscore’s Services, User confirms having read, understood, and accepted the terms of this Data Processing Agreement.

    Appendix A: Technical and Organizational Security Measures

    A.1 Access Control

    • Multi-factor authentication (2FA) via heylogin for all employees
    • Role-based access control
    • Only support has access to user database with personally identifiable data
    • SSH access with private/public keys (key employees only)
    • Regular review of user rights
    • Automatic log-off on inactivity
    • Strong password requirements
    • Logging of employee access in all IT systems

    A.2 Encryption

    • SSL/TLS encryption of all data transmission
    • All User passwords are encrypted (hashing with salt)
    • Encryption of sensitive data at rest
    • Secure storage of all passwords in heylogin

    A.3 Network Security

    • Firewalls on servers
    • SSH connection required for database access
    • DDoS protection
    • Regular security updates
    • Network segmentation
    • No sharing of database access with 2nd or 3rd parties

    A.4 Physical Security at Office

    • Office locked securely
    • No personally identifiable data stored or processed locally
    • Clear desk policy
    • Secure data disposal

    A.5 Physical Security at Hosting Provider (Hetzner)

    • Secure data centers in Germany with access control
    • Video surveillance
    • Redundant power supplies
    • Climate control
    • ISO certifications

    A.6 Backup and Disaster Recovery

    • Daily automatic backups
    • Geographic redundancy
    • Regular testing of recovery procedures
    • Documented disaster recovery plans

    A.7 Logging and Monitoring

    • Logging of system access
    • Logging of employee access in all IT systems
    • Monitoring of abnormal activity
    • Regular review of logs
    • Alerting on security incidents

    A.8 Employee Security

    • Confidentiality agreements with all employees
    • Regular security training
    • Data protection instruction
    • Confidentiality obligations
    • All passwords in heylogin with 2FA

    A.9 Development Security and Secure Coding Practices

    Morningscore follows these security principles in code development:

    General Principles:

    • Secure coding practices
    • Code reviews
    • Ongoing code review for bad practices
    • Security testing before deployment

    Specific Security Measures:

    • Careful use of jQuery.html() to avoid XSS
    • CSRF protection (Cross-Site Request Forgery prevention)
    • SQL Injection protection in all database queries
    • Remote File Inclusion protection
    • PHP files start with <?php tag that is never closed
    • Use of .php extension for all PHP scripts
    • Avoidance of dangerous functions: eval(), exec(), passthru(), system(), popen(), preg_replace() with “e” modifier

    A.10 Data Protection by Design

    • Data protection by design principle applied
    • Data protection by default principle applied
    • Data collection minimization
    • Only necessary data collected
    • User-generated content accessed only with User’s explicit consent

    Appendix B: List of Subprocessors

    Name of sub-processor  Description of processing
    Amazon Web Services Inc.

    Location: Ireland/Germany

    		 Cloud storage
    Google LLC

    Location: US

    		 Productivity and operations management
    Stripe, LLC

    Location: Ireland/US

    		 Payment processing
    Make.com – Celonis, Inc.

    Location: EU

    		 Automations
    HubSpot, Inc.

    Location: US

    		 Customer relationship management
    ActiveCampaign, LLC

    Location: US

    		 Marketing automation
    Brevo

    Location: EU

    		 Marketing automation
    Hetzner Online GmbH

    Location: Germany

    		 Hosting & Infrastructure services.
    Cloudflare, Inc

    Location: Customer traffic is processed globally in the data center closest to the end user.

    		 Security, DDoS protection, WAF, DNS.
    Igil Webs SRL

    Location: Romania

    		 Affiliate program management and tracking. 
    Slack Technologies LLC (Salesforce)

    Location: US

    		 Business communication platform
    Visma e-conomic a/s

    Location: EU

    		 Invoicing and accounting
    WebinarGeek

    Location: Germany, The Netherlands

    		 Webinar tool
    PostHog, Inc.

    Location: US

    		 Product analytics tool
    Crisp IM SAS

    Location: France

    		 Customer messaging and support platform
    Pusher Ltd.

    Location: UK

    		 Real-time event broadcasting and application notifications.

     

    Appendix C: Data Breach Procedure

    C.1 Discovery

    • Continuous monitoring of systems
    • Employees instructed to report suspicious incidents
    • Automatic alerts on abnormal activity

    C.2 Assessment

    • Immediate assessment of breach scope
    • Identification of affected data and data subjects
    • Assessment of potential consequences

    C.3 Containment

    • Immediate measures to stop the breach
    • Isolation of affected systems
    • Securing evidence

    C.4 Notification

    • Notification of User within 24 hours
    • Notification to Data Protection Authority (if relevant)
    • Notification of data subjects (if required)

    C.5 Remediation

    • Implementation of corrective measures
    • Restoration of normal operations
    • Documentation of incident

    C.6 Follow-up

    • Analysis of causes
    • Implementation of preventive measures
    • Update of security procedures

    Last updated: February 6, 2026.

    Version: 1.2

    Signature and Approval

    This Data Processing Agreement is approved by:

    For Morningscore ApS:

    • Name: Karsten Madsen
    • Title: Managing Director
    • Date: February 6, 2026

    This Data Processing Agreement is prepared in accordance with GDPR Article 28 and should be read in conjunction with Morningscore’s Terms of Service (https://morningscore.io/terms/) and Privacy Policy (https://morningscore.io/privacy-policy/).

    By using Morningscore’s services, User accepts the terms of this Data Processing Agreement.