Data Processing Agreement (DPA) - Morningscore

    Data Processing Agreement (DPA)

    Between Morningscore ApS and the User


    1. Parties

    Data Controller (“User”):

    Any company or organization that creates an account with Morningscore ApS and uses the Services.

    Data Processor (Morningscore ApS):

    • Name: Morningscore ApS
    • Company ID: DK39311437
    • Address: Stærmosegårdsvej 8, st., 5230 Odense M, Denmark
    • Contact: info@morningscore.io
    • Managing Director: Karsten Madsen
    • Website: https://morningscore.io

    2. Purpose and Scope

    This Data Processing Agreement (“Agreement”) governs Morningscore ApS’s processing of personal data on behalf of the User in connection with the provision of Morningscore’s SEO tools and related services (“Services”).

    The Agreement is entered into in accordance with:

    • EU General Data Protection Regulation (GDPR) Article 28
    • Danish Data Protection Act

    In the event of any conflict between this DPA and Morningscore’s Terms of Service regarding the processing of personal data, this DPA prevails.

    2.1 Acceptance of Agreement

    This DPA automatically takes effect when the User:

    • Creates an account with Morningscore, and
    • Accepts Morningscore’s Terms of Service

    By using the Services, the User confirms having read and accepted this DPA.

    2.2 Availability

    This DPA is always available at:

    • Morningscore’s website: https://morningscore.io/dpa

    3. Nature and Purpose of Processing

    3.1 Nature of Processing

    Morningscore processes personal data as part of providing the following services:

    • SEO analysis tools
    • AI-assisted analysis and content tools (including Rank Writer, AI validators, automated fixes, competitor research, and LLM brand monitoring)
    • Link analysis tools
    • Keyword tracking and SERP data retrieval (including AI Overview tracking)
    • Competitor analysis
    • Reporting and data visualization
    • User administration and account management

    3.2 Purpose of Processing

    Personal data is processed exclusively for the purpose of:

    • Providing and maintaining the Services
    • Managing User accounts and user access
    • Generating SEO reports and analyses
    • Providing technical support
    • Fulfilling contractual obligations

    3.3 AI Features and Third-Party AI Services

    Certain Services use third-party AI services via API. Morningscore does not train or build AI models itself.

    • AI content and analysis features (Rank Writer, AI validators, automated fixes, competitor research) are processed via OpenRouter, Inc. (USA), which routes requests to one or more underlying model providers (currently OpenAI, Anthropic, Google, and Mistral). Morningscore uses Zero Data Retention (ZDR) endpoints where available, meaning neither OpenRouter nor the underlying provider retains prompts or outputs.
    • AI SERP tracking and LLM brand monitoring are processed via Cloro (EU – Malta), which retrieves SERP data (including Google AI Overview content) and routes monitoring prompts to public LLM services (currently ChatGPT, Perplexity, Gemini, Copilot, and Grok).

    No model training: Customer content, prompts, website data, and domain data are never used to train AI models, neither by Morningscore nor — under the contractual terms Morningscore has in place — by its AI providers.


    4. Categories of Personal Data

    Morningscore processes the following categories of personal data:

    4.1 User Information

    • Name
    • Email address
    • Phone number (if provided – not required)
    • Company name
    • Job title (if provided)
    • Login credentials (encrypted passwords)

    4.2 Technical Data

    • IP addresses
    • Browser type and version
    • Operating system
    • Visit data and usage statistics
    • Cookies and similar technologies (see Morningscore’s Privacy Policy for the current overview of cookies and tracking technologies)
    • Log files
    • Error and diagnostic data (which may incidentally include request data)

    4.3 SEO-Related Data

    • Search queries
    • Website data and page content submitted for analysis
    • Competitor data
    • Backlink information
    • Keyword data
    • Prompts and other inputs submitted to AI features

    SEO-related data consists predominantly of publicly available web and search data, but may incidentally contain personal data (e.g. names appearing on crawled pages).

    4.4 Communication Data

    • Email correspondence
    • Support inquiries
    • Chat messages (via Crisp)

    4.5 User-Generated Content

    • Text notes created by the user in the tool
    • Only accessed by support with the User’s explicit consent

    5. Categories of Data Subjects

    Data subjects include:

    • User’s employees and authorized users
    • User’s contact persons
    • Visitors to User’s websites (indirectly via tracking – anonymized where possible)
    • Individuals whose personal data incidentally appears in publicly available web or search data processed by the Services

    6. Data Processor’s Obligations

    6.1 Processing Instructions

    Morningscore may only process personal data according to documented instructions from the User, unless processing is required by EU law or member state legislation.

    6.2 Confidentiality

    Morningscore ensures that persons with access to personal data:

    • Are subject to confidentiality obligations
    • Only process data according to instructions from the User
    • Are properly instructed in data protection

    6.3 Technical and Organizational Security Measures

    Morningscore has implemented appropriate technical and organizational measures, described in detail in Appendix A. Key measures include:

    Technical Measures:

    • SSL/TLS encryption of all data transmission
    • Password hashing with salt; auth tokens and MFA secrets encrypted with AES-256 at application level
    • Server-side encryption of file storage
    • Secrets managed via environment variables, never stored in the codebase
    • Secure servers behind firewalls; internal infrastructure protected by Cloudflare Access (identity verification required)
    • SSH access with secure private/public keys (key employees only)
    • Regular security updates
    • Automated backup procedures
    • Access control and authentication, including MFA (TOTP) for all privileged accounts
    • Logging of employee access in all IT systems
    • No personally identifiable data stored or processed locally at the office

    Organizational Measures:

    • Access control based on “need-to-know” principle
    • Only support has access to user database with personally identifiable data
    • Employee training in data security
    • Confidentiality agreements with employees
    • All passwords stored in heylogin with 2-factor authentication
    • Office locked securely
    • Incident response procedures
    • Regular review of security measures

    Secure Development Practices:

    • Protection against common web vulnerabilities (XSS, CSRF, SQL Injection, Remote File Inclusion)
    • Avoidance of dangerous language functions
    • Ongoing code review and security testing before deployment

    7. Sub-processors

    7.1 Use of Sub-processors

    Morningscore engages third-party sub-processors to assist in providing the Services. By accepting this DPA, the User provides general written authorization for Morningscore to engage the sub-processors listed in Appendix B.

    Morningscore remains fully liable to the User for the performance of any sub-processor’s obligations under this DPA.

    7.2 Sub-processor Requirements

    Morningscore ensures that all sub-processors:

    • Are bound by written agreements that impose data protection obligations equivalent to those in this DPA
    • Implement appropriate technical and organizational security measures
    • Process personal data only in accordance with Morningscore’s instructions
    • Are subject to the same GDPR obligations as Morningscore

    7.3 Changes to Sub-processors

    Morningscore will inform the User of any intended addition or replacement of sub-processors at least 14 days before the change takes effect, by:

    • Updating the sub-processor list at https://morningscore.io/dpa, and
    • Notification within the Morningscore platform or by email (for changes affecting Service Data sub-processors)

    The User may object to a new sub-processor on reasonable, documented data protection grounds within 14 days of notification. The Parties will then discuss the objection in good faith. If no solution can be found (e.g. a configuration that avoids the sub-processor), the User may terminate the Services by deleting their account via the self-service function before the change takes effect. No further remedies apply.

    7.4 Current Sub-processors

    The current list of sub-processors is maintained in Appendix B of this DPA. Appendix B distinguishes between sub-processors that process Service Data (customer SEO, website, and AI-feature data) and sub-processors that process only account, billing, or support data.


    8. International Data Transfers

    8.1 Transfer Outside EU/EEA

    Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including:

    • United States
    • United Kingdom
    • Israel

    These transfers are necessary for Morningscore to provide the Services. Primary data storage remains in the EU (databases in Germany; file storage in Ireland, AWS eu-west-1).

    8.2 Transfer Safeguards

    For all transfers of personal data outside the EU/EEA, Morningscore implements appropriate safeguards as required by GDPR Chapter V:

    United States:

    • Transfers to US sub-processors are based on the EU–US Data Privacy Framework (where the sub-processor is certified) and/or EU Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR, supplemented by transfer impact assessments where required

    United Kingdom:

    • Transfers to the United Kingdom are based on the European Commission’s adequacy decision for the UK, or — should it lapse — the UK International Data Transfer Agreement (IDTA) / SCCs with the UK Addendum

    Israel:

    • Transfers to Israel are based on the European Commission’s adequacy decision for Israel

    8.3 User Acknowledgment

    By accepting this DPA and using the Services, the User acknowledges and agrees that:

    • Personal data will be transferred outside the EU/EEA as described in this Section 8 and Appendix B
    • Morningscore has implemented appropriate safeguards for such transfers
    • The User has informed their own data subjects (if applicable) about these international transfers

    8.4 Changes to Transfer Mechanisms

    If legal requirements for international data transfers change (e.g., new adequacy decisions, invalidation of SCCs or the Data Privacy Framework), Morningscore will:

    • Implement alternative lawful transfer mechanisms within a reasonable timeframe
    • Notify Users of material changes to transfer safeguards
    • Update this DPA accordingly

    9. Self-Service Functions and User Control

    9.1 Self-Service Functions

    Morningscore provides the following self-service functions so the User can fulfill data subjects’ rights:

    Right to Erasure:

    • User can delete their account at any time via Settings → Account → “Delete Account”
    • Upon deletion, ALL data is removed immediately

    Right to Rectification:

    • User can change their own information at any time via account settings

    Right to Access:

    • User has full access to all their data via the platform
    • User can export reports and data as needed

    Right to Data Portability:

    • User can export their data in common formats via the platform’s export functions

    9.2 Limited Assistance

    Morningscore provides assistance ONLY in the following cases:

    • Technical problems preventing self-service functions
    • Data protection questions answered by reference to this DPA
    • Formal GDPR requests requiring special documentation

    Morningscore is NOT obligated to:

    • Manually delete data when self-service function works
    • Manually export data when export functions are available
    • Perform tasks that User can do themselves via the platform

    9.3 Response Time for Formal Requests

    For formal GDPR requests that CANNOT be handled via self-service, Morningscore responds within 5 business days.


    10. Data Breach Notification

    10.1 Notification Obligation

    Morningscore shall, without undue delay and no later than 24 hours after becoming aware, notify the User of any personal data breach.

    10.2 Content of Notification

    The notification shall include:

    • Description of the breach
    • Categories and number of affected data subjects
    • Categories and number of affected personal data records
    • Likely consequences of the breach
    • Measures taken or proposed to remedy the breach
    • Contact information for further information

    10.3 Documentation

    Morningscore shall document all personal data breaches, including circumstances, consequences, and remedial measures.


    11. Data Deletion

    11.1 Self-Service Deletion (Primary Method)

    User deletes their own account and all data by:

    • Logging into Morningscore
    • Going to Settings → Account
    • Clicking “Delete Account”

    This action deletes ALL data immediately. No further action from Morningscore is necessary.

    11.2 Automatic Deletion for Non-Payment

    If User does not renew their subscription, the account and all data are automatically deleted after 90 days.

    11.3 Backup Copies

    Backup copies are automatically deleted according to Morningscore’s backup retention policy (maximum 90 days).

    11.4 No Manual Return

    Morningscore does NOT offer manual return of data. User must export desired data via the platform’s export functions BEFORE deleting the account.

    11.5 Confirmation

    User automatically receives confirmation via email when the account is deleted.


    12. Documentation and Transparency

    12.1 Available Documentation

    Morningscore makes the following documentation available:

    • This Data Processing Agreement
    • Privacy Policy (including an overview of cookies and tracking technologies)
    • Terms of Service
    • Security measures (described in this DPA)

    12.2 No Physical Audit

    Morningscore does NOT offer physical access to premises or servers for security reasons. Morningscore will instead make available the information reasonably necessary to demonstrate compliance with Article 28 GDPR, including written responses to security questionnaires and, at its discretion, third-party certifications or audit reports covering Morningscore or its hosting providers.

    12.3 Data Security Questions

    Questions about data security are answered by:

    • Reference to this DPA (which contains all relevant information)
    • Written response via info@morningscore.io (if DPA does not cover the question)

    12.4 Response Time

    Written inquiries about data security are answered within 5 business days.

    12.5 Third-Party Certifications

    Morningscore may, at its discretion, make third-party certifications or audit reports available (e.g. hosting provider ISO certifications, sub-processor SOC 2 reports).


    13. Liability and Indemnification

    13.1 Liability

    Morningscore is liable for damages caused by processing personal data in violation of:

    • This Agreement
    • GDPR
    • Documented instructions from the User

    13.2 Limitation of Liability

    Morningscore’s liability is limited in accordance with the general terms for the Services.

    Morningscore is NOT liable for:

    • User’s failure to use available self-service functions
    • Data loss if User has not exported data before account deletion
    • Delays caused by User’s failure to use self-service tools

    13.3 User’s Responsibility

    User is responsible for:

    • Using the available self-service functions
    • Exporting data before account deletion
    • Informing their own users about data processing

    14. Duration and Termination

    14.1 Duration

    This Agreement is valid as long as the User has an active account with Morningscore.

    14.2 Automatic Termination

    The Agreement terminates automatically when:

    • User deletes their account via self-service function
    • Account is automatically deleted due to non-payment (after 90 days)
    • Morningscore ceases to provide the Services

    14.3 No Notice Period

    There is no notice period. User can delete their account immediately at any time via the self-service function.


    15. Changes to the Agreement

    15.1 Right to Changes

    Morningscore may change this Agreement to:

    • Reflect changes in legislation
    • Implement new security measures
    • Improve self-service functions
    • Clarify existing terms

    15.2 Notice of Changes

    Material changes are notified at least 30 days in advance via:

    • Email to User’s registered email address
    • Notification in the Morningscore platform
    • Update on website with change date

    15.3 Acceptance of Changes

    By continuing to use the Services after the changes take effect, User accepts the new terms.

    If User does not accept the changes, User must delete their account via the self-service function before the changes take effect.


    16. Contact and Communication

    16.1 Contact Information

    Questions regarding this DPA should be sent in writing to:

    Morningscore ApS:

    • Email: info@morningscore.io
    • Address: Stærmosegårdsvej 8, st., 5230 Odense M, Denmark
    • Company ID: DK39311437

    16.2 Preferred Communication Method

    • General questions: Use support chat or email
    • GDPR requests: Send to info@morningscore.io with subject “GDPR”
    • Technical issues: Use support function in the platform

    16.3 Response Times

    • Support inquiries: 1-3 business days
    • GDPR requests: Within 5 business days
    • Data breach notifications: Within 24 hours

    17. Governing Law and Jurisdiction

    17.1 Governing Law

    This Agreement is governed by Danish law.

    17.2 Jurisdiction

    Any disputes shall be resolved by Danish courts with Odense City Court as venue.


    18. Acceptance and Effective Date

    This Data Processing Agreement takes effect upon User’s acceptance of Morningscore’s Terms of Service and constitutes an integral part of the agreement between the Parties.

    By using Morningscore’s Services, User confirms having read, understood, and accepted the terms of this Data Processing Agreement.


    Appendix A: Technical and Organizational Security Measures

    A.1 Access Control

    • Internal infrastructure protected by Cloudflare Access (Zero Trust); identity verification required before reaching any internal system
    • Multi-factor authentication (TOTP) required for all privileged accounts
    • 2FA via heylogin for all employee credentials
    • Role-based access control; sessions invalidated on role changes
    • Internal APIs protected by per-key Bearer tokens with rate limiting
    • Only support has access to user database with personally identifiable data
    • SSH access with private/public keys (key employees only)
    • Regular review of user rights
    • Automatic log-off on inactivity
    • Strong password requirements
    • Logging of employee access in all IT systems

    A.2 Encryption

    • SSL/TLS (HTTPS) encryption of all data transmission
    • All User passwords are hashed with salt
    • Auth tokens and MFA secrets encrypted with AES-256 at the application level
    • Server-side encryption of file storage (S3)
    • Secrets injected via environment variables, never stored in the codebase
    • Secure storage of all employee passwords in heylogin

    A.3 Network Security

    • Firewalls on servers
    • SSH connection required for database access
    • DDoS protection (Cloudflare)
    • Regular security updates
    • Network segmentation
    • No sharing of database access with 2nd or 3rd parties

    A.4 Physical Security at Office

    • Office locked securely
    • No personally identifiable data stored or processed locally
    • Clear desk policy
    • Secure data disposal

    A.5 Physical Security at Hosting Providers

    • Hosting at Hetzner Online GmbH (Germany) and AWS (eu-west-1, Ireland)
    • Secure data centers with access control, video surveillance, redundant power supplies, and climate control
    • Hosting providers hold ISO 27001 and equivalent certifications

    A.6 Backup and Disaster Recovery

    • Daily automated backups
    • Account data backed up via Laravel Forge on an automated schedule
    • Application and SERP data backed up with Percona Backup (MongoDB/MySQL)
    • Backup retention: maximum 90 days
    • Recovery handled at the infrastructure level
    • Formal RTO/RPO targets and a documented recovery testing schedule are being established; until then, recovery capability is verified as part of ongoing infrastructure management

    A.7 Logging and Monitoring

    • Error monitoring via Bugsnag (SmartBear; ISO 27001, SOC 2 Type II)
    • Traces and metrics via SigNoz, self-hosted in the EU
    • Security alerts routed to a dedicated internal alert channel
    • Product usage analytics via PostHog EU Cloud (Frankfurt)
    • Logging of system and employee access in all IT systems
    • Monitoring of abnormal activity and regular review of logs

    A.8 Employee Security

    • Confidentiality agreements with all employees
    • Regular security training
    • Data protection instruction
    • Confidentiality obligations
    • All passwords in heylogin with 2FA

    A.9 Development Security and Secure Coding Practices

    Morningscore follows these security principles in code development:

    • Secure coding practices aligned with recognized guidance for common web vulnerabilities
    • Protection against XSS (including careful use of DOM-injection functions), CSRF, SQL Injection (in all database queries), and Remote File Inclusion
    • Avoidance of dangerous language functions (e.g. eval(), exec(), passthru(), system(), popen())
    • Code reviews, including ongoing review for bad practices
    • Security testing before deployment
    • Regular dependency and framework updates

    A.10 Data Protection by Design

    • Data protection by design principle applied
    • Data protection by default principle applied
    • Data collection minimization – only necessary data collected
    • AI requests routed to Zero Data Retention endpoints where available
    • User-generated content accessed only with User’s explicit consent

    Appendix B: List of Sub-processors

    B.1 Sub-processors Processing Service Data

    These sub-processors receive customer SEO, website, or AI-feature data:

    | Name of sub-processor | Location | Transfer mechanism | Description of processing |
    | --- | --- | --- | --- |
    | OpenRouter, Inc. | USA | SCCs | AI processing for Rank Writer, AI validators, automated fixes, and competitor research. Receives page content, prompts, and domain data. Routes to underlying model providers (see B.3). Zero Data Retention endpoints used where available. |
    | Cloro | EU (Malta) | n/a (EU); Cloro applies SCCs for its own onward transfers | SERP data retrieval (incl. Google AI Overview) and LLM brand monitoring. Receives SERP lookups and user prompt text. |
    | DataForSEO | EU (Estonia) | | SERP lookups per customer domain; SERP parsing. |
    | Oxylabs | EU (Lithuania) | | SERP lookups per customer domain; SERP parsing. |
    | Bright Data Ltd. | Israel | EU adequacy decision | Crawler proxy routing for customer URLs. |
    | Amazon Web Services, Inc. | EU (eu-west-1, Ireland / Germany) | | Cloud storage (crawl content, exports, uploaded files). |
    | Hetzner Online GmbH | Germany | | Hosting & infrastructure services (primary databases). |
    | Cloudflare, Inc. | Customer traffic is processed globally in the data center closest to the end user. | SCCs / Data Privacy Framework | Security, DDoS protection, WAF, DNS, Zero Trust access. |
    | PostHog, Inc. | EU (Frankfurt, Germany) | | Product analytics and usage data (EU Cloud). |
    | Bugsnag (SmartBear Software Inc.) | USA | SCCs (ISO 27001, SOC 2 Type II) | Error monitoring; error context may include request data. |
    | Pusher Ltd. | UK / USA | UK adequacy decision / SCCs | Real-time event broadcasting and application notifications (WebSocket session data only). |

    B.2 Sub-processors Processing Account, Billing, or Support Data Only

    These sub-processors do not receive customer SEO or website data:

    | Name of sub-processor | Location | Transfer mechanism | Description of processing |
    | --- | --- | --- | --- |
    | Stripe, Inc. | Ireland/USA | SCCs | Payment and subscription processing. |
    | Google LLC | USA | SCCs / Data Privacy Framework | Productivity and operations management. |
    | HubSpot, Inc. | USA | SCCs / Data Privacy Framework | Customer relationship management (signup and contact data). |
    | Intuit Mailchimp | USA | SCCs / Data Privacy Framework | Marketing email (email lists – Tinyranker.com customers only) |
    | Brevo | EU | | Marketing automation. |
    | Make.com – Celonis, Inc. | EU | | Automations. |
    | Paddle / ProfitWell | USA | SCCs | Subscription revenue metrics. |
    | GrowPanel ApS | Denmark (EU) | | Revenue analytics based on financial data from Stripe (MRR, churn). |
    | Igil Webs SRL (FirstPromoter) | EU (Romania) | | Affiliate program management, tracking, and referral attribution. |
    | Crisp IM SAS | EU (France) | | Customer messaging and support platform (chat transcripts). |
    | Slack Technologies LLC (Salesforce) | USA | SCCs / Data Privacy Framework | Internal business communication. |
    | Visma e-conomic a/s | EU (Denmark) | | Invoicing and accounting. |
    | WebinarGeek | Germany / The Netherlands | | Webinar tool. |
    | Plausible Insights OÜ | EU (Estonia) | | Cookieless web analytics (IP processed server-side, not stored). |

    B.3 Downstream AI Model Providers (via OpenRouter and Cloro)

    AI requests made through OpenRouter may be routed to: OpenAI, Anthropic, Google (Gemini), and Mistral. Morningscore routes to Zero Data Retention endpoints where available; OpenRouter does not store prompts by default and tracks per-endpoint data policies.

    LLM brand monitoring via Cloro routes monitoring prompts to: ChatGPT (OpenAI), Perplexity, Gemini (Google), Copilot (Microsoft), and Grok (xAI).

    None of these providers use customer data submitted via the Services for model training.


    Appendix C: Data Breach Procedure

    C.1 Discovery

    • Continuous monitoring of systems
    • Employees instructed to report suspicious incidents
    • Automatic alerts on abnormal activity

    C.2 Assessment

    • Immediate assessment of breach scope
    • Identification of affected data and data subjects
    • Assessment of potential consequences

    C.3 Containment

    • Immediate measures to stop the breach
    • Isolation of affected systems
    • Securing evidence

    C.4 Notification

    • Notification of User within 24 hours
    • Notification to Data Protection Authority (if relevant)
    • Notification of data subjects (if required)

    C.5 Remediation

    • Implementation of corrective measures
    • Restoration of normal operations
    • Documentation of incident

    C.6 Follow-up

    • Analysis of causes
    • Implementation of preventive measures
    • Update of security procedures

    Last updated: June 11, 2026.

    Version: 1.3

    Signature and Approval

    This Data Processing Agreement is approved by:

    For Morningscore ApS:

    • Name: Karsten Madsen
    • Title: Managing Director
    • Date: June 11, 2026

    This Data Processing Agreement is prepared in accordance with GDPR Article 28 and should be read in conjunction with Morningscore’s Terms of Service and Privacy Policy.

    By using Morningscore’s services, User accepts the terms of this Data Processing Agreement.