Data Processing Addendum

Last updated: May 26, 2026

This Data Processing Addendum (“DPA”) applies when SiteEngine Web Services LLC, a Florida limited liability company, doing business as SiteEngine, North Georgia Web, and North Florida Web (“SiteEngine,” “we,” “us,” or “our”), processes personal data on behalf of a customer in connection with SiteEngine services.

This DPA supplements the SiteEngine Terms of Service, User Agreement, Privacy Notice, Privacy Notice Addendum, Cookie Notice, Managed WordPress Hosting and SiteCare Terms, Professional Services Agreement, and any applicable quote, invoice, proposal, statement of work, or signed agreement.

This DPA is incorporated into the agreement between SiteEngine and the customer unless the parties have signed a separate data processing agreement. If a separately signed data processing agreement conflicts with this DPA, the signed agreement controls for that customer relationship.

1. Definitions

For purposes of this DPA, “personal data” means information relating to an identified or identifiable person, or similar information protected under applicable privacy or data protection law.

“Customer personal data” means personal data that SiteEngine processes on behalf of a customer to provide services under an applicable agreement.

“Customer” means the business, organization, or person that purchases or uses SiteEngine services and determines the purposes and means of processing customer personal data.

“Controller,” “processor,” “business,” “service provider,” “contractor,” “personal information,” “process,” “sale,” and “sharing” have the meanings given to those terms under applicable privacy laws where those laws apply.

2. Roles of the Parties

For customer website data, hosting data, form data, CRM data, analytics data, consent data, advertising data, support data, or other personal data processed by SiteEngine solely on behalf of a customer, the customer is generally the controller, business, or equivalent party, and SiteEngine is generally the processor, service provider, contractor, or equivalent party.

For SiteEngine account data, billing data, security records, legal records, fraud-prevention records, support records, marketing records, administrative records, and business-operations data, SiteEngine may act as an independent controller or business.

The parties acknowledge that the exact role may depend on the applicable law, service context, agreement, and data processing activity.

3. Scope of Processing

SiteEngine processes customer personal data as reasonably necessary to provide services, operate websites, host websites, maintain WordPress sites, process support requests, perform migrations, configure domains and DNS, provide professional services, support email and messaging services, implement consent-management tools, maintain security, troubleshoot issues, prevent abuse, and perform applicable agreements.

The subject matter, duration, nature, and purpose of processing are determined by the services purchased by the customer and the applicable agreement.

The categories of personal data processed may include contact information, account information, form submissions, website user data, technical logs, IP addresses, device information, consent records, analytics data, advertising-related data, domain registration data, support communications, billing-related information, and other data submitted to or processed through customer websites and services.

The categories of data subjects may include customer personnel, customer clients, website visitors, prospects, leads, form submitters, account users, vendors, contractors, and other individuals whose data is submitted to or processed through the customer’s website or services.

4. Customer Instructions

SiteEngine will process customer personal data according to the customer’s documented instructions, except where required otherwise by law, security needs, abuse prevention, or the applicable agreement.

Documented instructions may include the applicable agreement, statement of work, support tickets, configuration requests, written approvals, account settings, project instructions, and other written directions accepted by SiteEngine.

SiteEngine may decline instructions that are unlawful, unsafe, unsupported, technically impractical, inconsistent with SiteEngine policies, outside the scope of services, or likely to harm SiteEngine, the customer, another customer, a data subject, or a third party.

5. Customer Responsibilities

The customer is responsible for determining whether SiteEngine services are appropriate for the customer’s data, business, website, industry, jurisdiction, and legal obligations.

The customer is responsible for having a valid legal basis, notices, consents, disclosures, contracts, and rights necessary for SiteEngine to process customer personal data.

The customer is responsible for privacy notices, cookie notices, consent language, SMS opt-in language, email marketing compliance, form disclosures, accessibility notices, data retention, data-subject request handling, advertising compliance, and regulated-industry compliance applicable to the customer’s business.

Unless expressly agreed in writing, SiteEngine services are not designed for HIPAA-regulated protected health information, full payment card data storage, government classified information, or other highly regulated data.

6. Confidentiality

SiteEngine will require personnel and contractors with access to customer personal data to protect it appropriately and use it only for authorized purposes.

SiteEngine personnel and contractors may access customer personal data only as reasonably necessary to provide services, maintain systems, troubleshoot issues, respond to support requests, prevent abuse, maintain security, or comply with legal obligations.

7. Security Measures

SiteEngine will maintain commercially reasonable technical and organizational measures designed to protect customer personal data against unauthorized access, loss, misuse, alteration, or disclosure.

Security measures may include access controls, authentication, least-privilege access, logging, monitoring, backups, malware scanning, vulnerability response, secure configuration, rate limiting, encryption where appropriate, and administrative safeguards, depending on the service.

Security measures may vary by service, customer configuration, hosting environment, vendor, and technical scope.

No system can be guaranteed secure. The customer remains responsible for securing customer users, passwords, devices, third-party accounts, WordPress users, plugins, themes, forms, integrations, and business processes.

8. Consent-Management Processing

Where SiteEngine implements or supports consent-management tools, SiteEngine may process consent-related data on behalf of the customer.

Consent-related data may include consent state, consent method, receipt ID, policy version, banner version, Google Consent Mode state, timestamp, page URL, referrer URL, hashed IP address, hashed user agent, localStorage values, cookie values, and consent fields stamped onto form submissions.

Consent-management tools may store visitor choices in first-party cookies and localStorage, create consent receipts, populate hidden form fields, override client-supplied consent values with server-side values where technically supported, and export consent records for audit or compliance purposes.

The customer remains responsible for determining the appropriate banner language, consent categories, cookie notice, privacy notice, legal basis, consent requirements, retention period, and jurisdictional compliance for the customer’s website.

9. Google Consent Mode and Advertising Processing

Where SiteEngine configures Google Consent Mode, Google Tag Manager, Google Ads, Google Analytics, Customer Match, enhanced conversions, offline conversions, or similar tools on behalf of a customer, SiteEngine may process advertising-related and analytics-related data according to the customer’s instructions and applicable platform requirements.

Consent signals may include ad storage, analytics storage, ad user data, ad personalization, personalization storage, functionality storage, and security storage.

Where configured, consent-gating logic may determine whether identifiers such as email addresses or phone numbers are hashed, uploaded, matched, or otherwise used for advertising-related processing.

SiteEngine does not guarantee platform approval, match rates, reporting accuracy, conversion attribution, ad performance, regulatory compliance, or continued availability of any advertising or analytics feature.

10. Subprocessors

The customer authorizes SiteEngine to use subprocessors and service providers to provide services.

Subprocessors and service providers may include hosting providers, cloud infrastructure providers, backup providers, DNS providers, CDN providers, domain registrars, registry providers, privacy or proxy providers, security vendors, monitoring tools, payment processors, billing platforms, client portal providers, support tools, analytics providers, advertising platforms, email delivery providers, SMS providers, messaging platforms, CRM tools, form tools, consent-management tools, development tools, and professional service vendors.

SiteEngine will require subprocessors and service providers to protect customer personal data under terms appropriate to the services they provide where required by applicable law or contract.

SiteEngine may add, replace, or remove subprocessors as needed to provide services, maintain security, improve performance, control costs, or respond to vendor availability or legal requirements.

11. Objection to Subprocessors

If applicable law or a signed agreement gives the customer a right to object to a new subprocessor, the customer must submit the objection in writing to privacy@siteengine.io within the applicable notice period.

The objection must describe the specific reasonable basis for objection.

If the parties cannot resolve the objection, SiteEngine may modify the affected service, recommend an alternative, or allow the customer to terminate the affected service according to the applicable agreement.

12. International Transfers

SiteEngine is based in the United States, and customer personal data may be processed in the United States or other countries where SiteEngine, SiteEngine vendors, customer-selected vendors, or subprocessors operate.

Where required by applicable law, the parties will use appropriate transfer mechanisms for international transfers of personal data.

The customer is responsible for determining whether the services are appropriate for international data transfers involving the customer’s website, users, business, or jurisdiction.

13. Data Subject Requests

Taking into account the nature of the services, SiteEngine will provide reasonable assistance with data subject requests where required by applicable law and where the customer cannot reasonably fulfill the request without SiteEngine assistance.

Data subject requests may include access, deletion, correction, portability, restriction, objection, opt-out, or withdrawal of consent requests.

If SiteEngine receives a request relating to customer personal data, SiteEngine may refer the request to the customer or process the request according to the customer’s documented instructions.

Assistance that requires substantial time, custom development, data export, database review, backup restoration, log review, forensic review, or historical reconstruction may be billable unless prohibited by applicable law or covered by a signed agreement.

14. Assistance With Compliance

Taking into account the nature of the services and information available to SiteEngine, SiteEngine will provide reasonable assistance with customer compliance obligations where required by applicable law.

This may include reasonable assistance with security inquiries, consent-record exports, data exports, audit information, incident investigation, and deletion or return of customer personal data.

SiteEngine does not provide legal advice. The customer remains responsible for determining legal obligations and compliance requirements.

15. Security Incidents

If SiteEngine becomes aware of a security incident involving customer personal data processed by SiteEngine as a processor, service provider, contractor, or subprocessor, SiteEngine will notify the customer without undue delay after confirming the incident, consistent with legal, security, operational, and law-enforcement considerations.

Notice may include available information about the nature of the incident, affected systems, affected data, mitigation steps, and recommended customer actions, to the extent known and appropriate.

Customer is responsible for determining whether notice to individuals, regulators, customers, business partners, or others is required.

Unsuccessful security attempts, routine scans, blocked attacks, spam, phishing attempts, firewall events, malware attempts, failed login attempts, and similar events that do not result in unauthorized access to customer personal data may not constitute a reportable security incident.

16. Audits and Information Requests

SiteEngine may provide reasonable information about its privacy and security practices where required by applicable law or a signed agreement.

Any audit, questionnaire, assessment, or information request must be reasonable in scope, respect SiteEngine security and confidentiality, avoid disruption to SiteEngine operations, and be limited to information relevant to the customer’s services.

SiteEngine may decline requests that are excessive, duplicative, confidential, security-sensitive, unrelated to the customer’s services, or likely to create risk.

Audit assistance, lengthy questionnaire responses, custom reports, security reviews, or compliance support may be billable unless prohibited by applicable law or covered by a signed agreement.

17. Deletion or Return of Customer Personal Data

Upon termination of services, SiteEngine will delete or return customer personal data as required by the applicable agreement and applicable law.

Deletion or return may be subject to backup retention, legal retention, security retention, billing records, tax records, dispute records, fraud-prevention records, domain records, consent records, technical feasibility, and ongoing legitimate business needs.

Data exports, custom reports, consent-receipt exports, backup restoration, log retrieval, database searches, or historical reconstruction may be billable unless prohibited by applicable law or covered by a signed agreement.

18. Retention

Customer personal data may be retained for as long as reasonably necessary to provide services, maintain accounts, process billing, maintain backups, secure systems, prevent fraud, resolve disputes, comply with law, and support legitimate business purposes.

Retention periods may vary by data type, service, customer configuration, backup schedule, legal obligation, and operational need.

Consent receipts and audit records may be retained for the period configured for the applicable site or service. SiteEngine’s consent system may use a default retention period for consent receipts, and site-specific configurations may change that period.

19. CCPA/CPRA Service Provider Terms

Where the California Consumer Privacy Act, as amended, applies and SiteEngine processes personal information as a service provider or contractor, SiteEngine will process that personal information for the business purposes described in the applicable agreement and this DPA.

SiteEngine will not sell or share customer personal information processed as a service provider or contractor, retain, use, or disclose it outside the direct business relationship with the customer, or combine it with personal information from other sources except as permitted by applicable law.

SiteEngine may use customer personal information to provide services, detect security incidents, protect against fraudulent or illegal activity, maintain or improve service quality, comply with law, and perform other permitted service-provider or contractor purposes.

20. GDPR-Style Processor Terms

Where GDPR, UK GDPR, or similar processor obligations apply, SiteEngine will process customer personal data only on documented instructions, require appropriate confidentiality, implement appropriate technical and organizational measures, use subprocessors under appropriate terms, assist with data subject requests where required, assist with security and compliance obligations where required, notify the customer of confirmed security incidents involving customer personal data, and delete or return customer personal data as required by the applicable agreement.

The customer is responsible for determining the lawful basis for processing, providing notices, obtaining consent where required, honoring rights requests, and ensuring that SiteEngine’s services are appropriate for the customer’s processing activities.

21. Restricted and Sensitive Data

Unless expressly agreed in a signed written agreement, the customer may not use SiteEngine services to process HIPAA-regulated protected health information, full payment card data storage, government classified information, or other highly regulated data requiring specialized compliance controls.

The customer must notify SiteEngine before submitting or processing sensitive or regulated data through SiteEngine services if the customer believes special contractual, legal, or technical obligations apply.

SiteEngine may refuse, restrict, or require additional terms for services involving sensitive or regulated data.

22. Customer Indemnification

The customer agrees to defend, indemnify, and hold harmless SiteEngine, its owners, officers, employees, contractors, agents, affiliates, vendors, and representatives from claims, damages, losses, liabilities, penalties, fines, costs, and expenses, including reasonable attorneys’ fees, arising from or related to:

• Customer instructions.
• Customer privacy notices, cookie notices, consent language, or data practices.
• Customer website data.
• Customer use of analytics, advertising, SMS, email, forms, CRM, or Customer Match tools.
• Customer failure to obtain required consents or provide required notices.
• Customer violation of privacy, data protection, advertising, email, SMS, consumer-protection, or regulated-industry laws.
• Customer submission of restricted or sensitive data without required written agreement.

23. No Legal Advice

SiteEngine may provide technical implementation services related to privacy notices, cookie notices, consent banners, analytics settings, advertising tools, opt-in language, and data workflows.

SiteEngine does not provide legal advice regarding privacy laws, cookie laws, consent requirements, data protection laws, advertising rules, SMS rules, email marketing rules, accessibility requirements, or regulated-industry obligations.

The customer is responsible for obtaining legal advice regarding the customer’s privacy and compliance obligations.

24. Changes to This DPA

SiteEngine may update this DPA from time to time. Updated versions will be posted on our website with a revised “Last updated” date.

Your continued use of SiteEngine services after an updated DPA is posted means you accept the updated DPA to the extent permitted by law.

25. Contact

SiteEngine Web Services LLC
931 Claeven Circle
Ft. Walton Bch., FL 32541
Okaloosa County
United States

Phone: (850) 368-9833
Support: support@siteengine.io
Privacy: privacy@siteengine.io
Abuse/Security: abuse@siteengine.io
Legal: legal@siteengine.io