Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between ProAPIs ("Processor", "we", "us") and you ("Controller", "Customer") for the provision of data processing services.

This DPA applies where and only to the extent that ProAPIs processes Personal Data on behalf of the Customer in the course of providing services, and such Personal Data is subject to applicable Data Protection Laws including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy regulations.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or deletion.
• "Data Subject" means the individual to whom Personal Data relates.
• "Sub-processor" means any third party engaged by ProAPIs to process Personal Data.
• "Data Breach" means any unauthorized access, disclosure, alteration, or destruction of Personal Data.

3. Scope and Purpose of Processing

ProAPIs will process Personal Data only:

• On documented instructions from the Customer
• For the purposes of providing the agreed-upon services
• In accordance with this DPA and applicable Data Protection Laws

The types of Personal Data processed and the categories of Data Subjects will be as specified in the service agreement or as otherwise agreed between the parties.

4. Customer Obligations

The Customer warrants and represents that:

• It has all necessary rights and consents to provide Personal Data to ProAPIs
• Its instructions for Processing will comply with applicable Data Protection Laws
• It has provided all necessary notices and obtained all necessary consents from Data Subjects
• The data sources specified for scraping are publicly accessible and may be lawfully accessed

5. ProAPIs Obligations

ProAPIs agrees to:

• Process Personal Data only on documented instructions from the Customer
• Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Customer in responding to Data Subject requests
• Notify the Customer without undue delay of any Data Breach
• Delete or return all Personal Data upon termination of services, as requested by the Customer
• Make available all information necessary to demonstrate compliance with this DPA

6. Security Measures

ProAPIs implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

• Encryption: Data encryption at rest and in transit using industry-standard protocols
• Access Controls: Role-based access controls and authentication mechanisms
• Monitoring: Continuous monitoring and logging of data access and processing activities
• Infrastructure Security: Secure hosting environments with appropriate physical and logical security
• Incident Response: Documented incident response procedures
• Business Continuity: Regular backups and disaster recovery procedures

7. Sub-processors

The Customer provides general authorization for ProAPIs to engage Sub-processors. ProAPIs will:

• Maintain a list of current Sub-processors available upon request
• Notify the Customer of any intended changes to Sub-processors
• Give the Customer the opportunity to object to such changes
• Ensure Sub-processors are bound by data protection obligations no less protective than this DPA
• Remain fully liable for the acts and omissions of its Sub-processors

8. International Data Transfers

ProAPIs may transfer Personal Data to countries outside the European Economic Area (EEA) only when appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the European Commission
• Binding Corporate Rules
• Adequacy decisions by relevant authorities
• Other legally recognized transfer mechanisms

9. Data Subject Rights

ProAPIs will assist the Customer in fulfilling its obligations to respond to Data Subject requests, including requests to:

• Access their Personal Data
• Rectify inaccurate Personal Data
• Erase Personal Data
• Restrict processing
• Data portability
• Object to processing

If ProAPIs receives a request directly from a Data Subject, it will promptly forward the request to the Customer unless legally prohibited from doing so.

10. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed under this DPA, ProAPIs will:

• Notify the Customer without undue delay (and in any event within 72 hours) upon becoming aware of the breach
• Provide sufficient information to enable the Customer to meet its notification obligations
• Cooperate with the Customer to investigate and remediate the breach
• Take reasonable steps to mitigate the effects of the breach

11. Audits and Inspections

ProAPIs will:

• Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA
• Allow for and contribute to audits, including inspections, conducted by the Customer or an authorized auditor
• Provide audit reports or certifications upon reasonable request

Audits shall be conducted with reasonable notice and during normal business hours, and shall not unreasonably disrupt ProAPIs' operations.

12. Data Retention and Deletion

Upon termination of services or upon the Customer's request, ProAPIs will:

• Return all Personal Data to the Customer in a commonly used format, or
• Delete all Personal Data and certify such deletion in writing

ProAPIs may retain Personal Data to the extent required by applicable law, subject to appropriate confidentiality and security measures.

13. Term and Termination

This DPA shall remain in effect for the duration of the service agreement between ProAPIs and the Customer. The obligations relating to data protection, confidentiality, and security shall survive termination of this DPA.

14. Governing Law

This DPA shall be governed by and construed in accordance with the same laws that govern the underlying service agreement, except where Data Protection Laws require otherwise.