Data Processing Agreement (DPA)
This is a template Data Processing Agreement for Optropic API customers. Contact legal@optropic.com for execution.
DATA PROCESSING AGREEMENT
Between:
OptropicGlobal GmbH ("Processor") Musterstraße 1, 10115 Berlin, Germany
And:
[Customer Name] ("Controller") [Customer Address]
1. Definitions
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
Sub-processor: Any third party engaged by the Processor to process personal data.
Data Subject: The natural person to whom personal data relates.
2. Subject Matter and Duration
2.1 Subject Matter
The Processor will process personal data on behalf of the Controller for the purpose of providing the Optropic verification API services.
2.2 Duration
This DPA is effective from the date of the main service agreement and continues until termination of that agreement.
3. Nature and Purpose of Processing
| Purpose | Description |
|---|---|
| Authentication | Validating API requests using hashed API keys |
| Fraud Detection | Analyzing scan patterns to detect counterfeiting |
| Service Operation | Maintaining logs for debugging and support |
| Billing | Recording API usage for invoicing |
4. Types of Personal Data
| Data Category | Examples |
|---|---|
| Technical identifiers | Hashed IP addresses, hashed device fingerprints |
| Usage data | API request timestamps, endpoints accessed |
| Account data | Contact email, company name |
5. Categories of Data Subjects
- API customer employees
- End users of customer applications (limited technical data only)
6. Obligations of the Processor
The Processor shall:
6.1 Lawful Processing
Process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law; in that case the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
6.2 Confidentiality
Ensure that persons authorized to process personal data have committed to confidentiality.
6.3 Security Measures
Implement appropriate technical and organizational measures, including:
- Encryption of personal data (AES-256-GCM at rest, TLS 1.3 in transit; see Annex A.2)
- Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Ability to restore the availability of and access to personal data in a timely manner after a physical or technical incident
- Regular testing, assessment and evaluation of the effectiveness of the security measures
6.4 Sub-processors
- Maintain a list of approved sub-processors
- Inform the Controller of any intended changes
- Ensure sub-processors are bound by equivalent obligations
- Remain liable for sub-processor compliance
6.5 Data Subject Rights
Assist the Controller in responding to data subject requests for:
- Access
- Rectification
- Erasure
- Data portability
- Objection
- Restriction of processing
6.6 Security Incidents
Notify the Controller without undue delay after becoming aware of a personal data breach, including:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken to address the breach
6.7 Data Protection Impact Assessment
Assist the Controller with DPIAs and prior consultations with supervisory authorities.
6.8 Deletion/Return
Upon termination, delete or return all personal data at the Controller's choice, unless retention is required by law.
6.9 Audit Rights
Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
7. Obligations of the Controller
The Controller shall:
- Ensure lawful basis for processing
- Provide documented instructions to the Processor
- Ensure accuracy of personal data
- Fulfill data subject rights obligations
- Notify the Processor of any changes to processing requirements
8. Sub-processors
8.1 Approved Sub-processors
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Vercel Inc. | Web hosting | EU (Frankfurt) |
| Supabase Inc. | Database hosting | EU (Frankfurt) |
| Stripe Inc. | Payment processing | EU |
8.2 Changes to Sub-processors
The Controller may object to new sub-processors within 14 days of notification. If objection cannot be resolved, Controller may terminate the agreement.
9. International Transfers
Personal data will be processed within the European Economic Area (EEA).
If transfer outside the EEA is necessary, the Processor will ensure:
- EU Standard Contractual Clauses (SCCs) are in place with the data importer
- Supplementary measures are implemented where required following the CJEU's Schrems II judgment (C-311/18)
10. Liability
Each party's liability under this DPA is subject to the limitations set forth in the main service agreement.
11. Governing Law
This DPA is governed by the laws of Germany.
Signatures
OptropicGlobal GmbH
Name: _______________________ Title: _______________________ Date: _______________________ Signature: _______________________
[Customer Name]
Name: _______________________ Title: _______________________ Date: _______________________ Signature: _______________________
Annex A: Technical and Organizational Measures
A.1 Access Control
- Role-based access control (RBAC)
- Multi-factor authentication for employees
- Regular access reviews
A.2 Encryption
- Data encrypted at rest using AES-256-GCM
- Data encrypted in transit using TLS 1.3
- Key management with regular rotation
A.3 Monitoring
- Centralized logging and SIEM
- Real-time alerting
- Regular security assessments
A.4 Incident Response
- Documented incident response plan
- Breach notification to the Controller without undue delay, and in any event within 72 hours of the Processor becoming aware (see section 6.6)
- Post-incident review process
A.5 Business Continuity
- Daily encrypted backups
- Geographic redundancy
- Regular recovery testing
To execute this DPA, contact legal@optropic.com