This Data Processing Agreement ("DPA") forms part of the Terms of Service between Andrii Sukhanov, operating as INCI API ("Processor," "we," "us"), a self-employed individual (autónomo) registered in Spain (NIE: Z2338955K), and the entity agreeing to these terms ("Controller," "you," "Customer").
This DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and reflects the parties' agreement with regard to the processing of Personal Data by the Processor on behalf of the Controller.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries.
2. Scope and Purpose
The Processor processes Personal Data on behalf of the Controller solely for the following purposes:
- Providing the INCI API service, including ingredient analysis, product lookup, safety scoring, allergen detection, and skin compatibility analysis
- Account management, authentication, and authorization
- Usage tracking, rate limiting, and billing
- Service improvement, performance monitoring, and analytics
- Customer support and communication
The Processor shall not process Personal Data for any purpose other than as specified in this DPA or as documented in writing by the Controller.
3. Types of Personal Data Processed
- Account data: name, email address, hashed password
- API usage data: request logs, timestamps, IP addresses, endpoints accessed, response codes, API key identifiers
- Billing data: subscription tier, payment method metadata (full payment data is processed exclusively by Stripe and never stored on our servers)
- Technical data: browser type, device information, operating system, referrer URLs (collected through analytics for service improvement)
The Processor does not process special categories of Personal Data (Article 9 GDPR) or Personal Data relating to criminal convictions (Article 10 GDPR).
4. Data Subject Categories
The Personal Data processed under this DPA relates to the following categories of Data Subjects:
- Customer's employees and contractors who access and use the INCI API
- End users of Customer's applications that integrate with the INCI API (to the extent their data is transmitted through API requests)
5. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Processor is subject
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational security measures as required by Article 32 of the GDPR to ensure a level of security appropriate to the risk
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the Personal Data
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
6. Security Measures
The Processor implements the following technical and organizational measures to protect Personal Data in accordance with Article 32 of the GDPR:
- Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher (HTTPS)
- Encryption at rest: Database storage uses MongoDB encryption at rest for all stored Personal Data
- Access controls: authentication via JWTs and API keys; role-based access control; access granted according to the principle of least privilege
- Password security: user passwords are stored only as bcrypt hashes with an appropriate cost factor; API keys are stored only as cryptographic hashes, never in plaintext
- Infrastructure security: Firewalled infrastructure (UFW with restricted ports), regular security updates and patching
- Server location: DigitalOcean infrastructure (currently US-based; migration to EU/EEA data center planned)
- Payment data: No storage of payment card data on our servers. All payment processing is handled by Stripe, which maintains PCI DSS Level 1 compliance
- Monitoring: Automated monitoring, logging, and alerting for security events and anomalies
7. Sub-processors
The Controller grants the Processor general authorization to engage the following sub-processors. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors with at least 30 days' prior written notice, thereby giving the Controller the opportunity to object to such changes.
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean | Infrastructure hosting | US (migration to EU planned) |
| Stripe | Payment processing | US (EU data center) |
| Google Analytics | Website analytics | US (EU data processing) |
| Microsoft Clarity | Session analytics | US |
If the Controller objects to a new sub-processor on reasonable grounds related to data protection, the parties shall discuss the matter in good faith. If no resolution is reached within 30 days, the Controller may terminate the affected services without penalty.
8. Data Transfers
Personal Data may be transferred to and processed in countries outside the European Union and European Economic Area. Where such transfers occur, the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
- Adequacy decisions by the European Commission where applicable
- Additional technical and organizational measures to supplement transfer mechanisms where necessary, in accordance with the Schrems II ruling (Case C-311/18)
9. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach as defined in Article 4(12) of the GDPR. The notification shall include:
- A description of the nature of the Personal Data breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the data protection contact from whom more information can be obtained
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each such breach.
10. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under Chapter III of the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure / right to be forgotten (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
If the Processor receives a request directly from a Data Subject, it shall promptly notify the Controller and shall not respond to the request without the Controller's prior written authorization, unless legally required to do so.
11. Audit Rights
The Controller may audit the Processor's compliance with this DPA. Audits shall be subject to the following conditions:
- The Controller shall provide at least 30 days' prior written notice
- Audits shall be conducted no more than once per calendar year, unless required by a supervisory authority or following a Personal Data breach
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations
- The Controller shall bear the costs of the audit, except where the audit reveals material non-compliance by the Processor
- The Controller may engage a qualified, independent third-party auditor, subject to reasonable confidentiality obligations
12. Term and Termination
This DPA shall remain in effect for the duration of the service agreement between the parties. Upon termination of the service agreement:
- The Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days of the termination date
- The Processor shall delete existing copies of Personal Data, unless Union or Member State law requires storage (e.g., tax and financial records as required by Spanish law)
- The Processor shall provide written certification of deletion upon the Controller's request
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Kingdom of Spain, without regard to its conflict of laws provisions. The GDPR shall apply to all matters relating to Personal Data processing. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of the Canary Islands, Spain (Santa Cruz de Tenerife).
14. Contact
For questions, concerns, or requests related to this Data Processing Agreement, please contact us:
Data Protection Contact
Andrii Sukhanov
Av. Marítima 2, puerta 05c
Los Silos, Santa Cruz de Tenerife, España
Email: privacy@inciapi.com
Website: inciapi.com