Data Processing Agreement
Our commitment to protecting and processing your data responsibly.
1. Definitions and Interpretation
This Data Processing Agreement ("DPA") forms part of the agreement between ZenAPI, Inc. ("Processor") and you ("Controller") for the provision of API services.
In this DPA:
- "Personal Data" has the meaning set out in the GDPR
- "Data Subject" means an identified or identifiable natural person
- "Processing" has the meaning set out in the GDPR
- "GDPR" means the General Data Protection Regulation (EU) 2016/679
- "Services" means the API services provided by ZenAPI
2. Scope and Application
This DPA applies to all processing of Personal Data by the Processor on behalf of the Controller in connection with the Services.
The subject matter, duration, nature, and purpose of processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex A of this DPA.
3. Processor's Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by law
- Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational measures to ensure security of Personal Data
- Engage sub-processors only with prior written authorization from the Controller
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with GDPR obligations
- Delete or return all Personal Data after termination of Services
- Make available to the Controller all information necessary to demonstrate compliance
4. Security Measures
The Processor implements the following technical and organizational measures:
4.1 Technical Measures
- Encryption of data in transit using TLS 1.3 or higher
- Encryption of data at rest using AES-256
- Multi-factor authentication for administrative access
- Secure key management and rotation procedures
- Regular security patching and updates
- Intrusion detection and prevention systems
4.2 Organizational Measures
- Role-based access control and least privilege principle
- Background checks for employees with access to Personal Data
- Regular security awareness training for all personnel
- Incident response and breach notification procedures
- Business continuity and disaster recovery plans
- Regular third-party security audits and penetration testing
5. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Amazon Web Services | USA, EU | Cloud infrastructure |
| Stripe, Inc. | USA | Payment processing |
| Datadog, Inc. | USA | Monitoring and analytics |
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object within 30 days.
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under GDPR, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
The Processor will respond to Controller requests within a reasonable timeframe, not to exceed 10 business days.
7. Personal Data Breach
The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data breach.
The notification shall include:
- Description of the nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
8. Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
The Controller shall provide at least 30 days' notice for any audit. Audits shall not occur more than once per year unless required by a supervisory authority or in response to a security incident.
9. Data Return and Deletion
Upon termination of the Services, the Processor shall, at the Controller's choice:
- Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format
- Securely delete all Personal Data and provide written certification of deletion
The Processor may retain Personal Data to the extent required by law, with appropriate safeguards.
10. Liability and Indemnification
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the main Services Agreement.
The Processor shall indemnify the Controller against any claims, losses, or damages arising from the Processor's breach of this DPA.
Annex A: Details of Processing
Subject Matter
Provision of API services for social media data extraction and web scraping.
Duration
For the duration of the Services Agreement and as required for data retention.
Nature and Purpose
Processing necessary to provide API services, including:
- Account management and authentication
- API request processing and response delivery
- Usage monitoring and analytics
- Billing and payment processing
- Customer support and communications
Types of Personal Data
- Contact information (email, name)
- Account credentials
- Payment information
- Usage data and API logs
- IP addresses
- Support communications
Categories of Data Subjects
- Customer employees and authorized users
- Customer contacts and billing representatives
- Technical administrators
11. Contact Information
For questions regarding this DPA: