Data Processing Agreement (DPA) - OrbitScraper

1. Introduction

This Data Processing Agreement (DPA) forms part of the Terms of Service between OrbitScraper and the customer and applies to the processing of Personal Data where Regulation (EU) 2016/679 (GDPR) applies.

For the purpose of this DPA: (a) the customer is the Controller and (b) OrbitScraper is the Processor.

Processor details: OrbitScraper, Bangalore, Karnataka, India, contact: support@orbitscraper.com.

This DPA applies when OrbitScraper provides a Search Engine Results Data API and related search analytics infrastructure services to business customers.

2. Definitions

Capitalized terms used in this DPA have the meanings set out below or, where not defined, under the GDPR.

• Personal Data has the meaning given in Article 4(1) GDPR.
• Controller has the meaning given in Article 4(7) GDPR.
• Processor has the meaning given in Article 4(8) GDPR.
• Processing has the meaning given in Article 4(2) GDPR.
• Data Subject has the meaning given in Article 4(1) GDPR.
• Subprocessor means any processor engaged by OrbitScraper to process Personal Data on behalf of the Controller.
• Supervisory Authority has the meaning given in Article 4(21) GDPR.
• Personal Data Breach has the meaning given in Article 4(12) GDPR.

3. Subject Matter, Nature, and Purpose of Processing

Subject matter: provision of OrbitScraper API services and related platform functionality.

Duration: for the term of the customer agreement, unless otherwise required by applicable law.

Nature of Processing: collection, recording, organization, structuring, storage, retrieval, consultation, transmission, restriction, deletion, and other processing operations required to deliver the services.

Purpose: service delivery, account management, billing, analytics, logging, customer support, security operations, and compliance.

4. Categories of Data and Data Subjects

Types of Personal Data may include:

• Name
• Email address
• Billing information
• IP addresses
• API keys
• Usage logs
• Device and browser data
• Support communications
• Customer-uploaded or processed data via API

Categories of Data Subjects may include:

• Customer account users
• Customer administrators
• Customer end-users
• Individuals whose data may appear in API responses or logs

5. Processor Obligations

OrbitScraper shall:

• Process Personal Data only on documented instructions from the Controller, unless otherwise required by law.
• Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures in accordance with Article 32 GDPR.
• Not process Personal Data for its own marketing or unrelated independent purposes.
• Assist the Controller in meeting GDPR obligations under Articles 28 to 36, as applicable.
• Comply with Article 28 GDPR.

6. Security Measures

OrbitScraper maintains appropriate technical and organizational security measures, including:

• Encryption in transit (HTTPS/TLS)
• Encryption at rest where applicable
• Access control policies and least-privilege controls
• Role-based access management
• API key security controls and secret management
• Secure cloud hosting and infrastructure hardening
• Backup and disaster recovery procedures
• Security incident response process

Additional security information may be provided upon reasonable written request, subject to confidentiality.

7. Subprocessors

OrbitScraper may engage Subprocessors, including cloud hosting, infrastructure, email delivery, and analytics providers, to support service delivery.

All Subprocessors are bound by written agreements imposing data protection obligations no less protective than those in this DPA.

OrbitScraper will provide notice of material Subprocessor changes.

Public Subprocessor List: available upon request at support@orbitscraper.com

8. International Data Transfers

Personal Data may be transferred outside the EEA where required for service delivery. OrbitScraper will implement lawful transfer mechanisms, including Standard Contractual Clauses (SCCs), and any supplementary measures required under applicable law.

9. Assistance with Data Subject Rights

Taking into account the nature of processing, OrbitScraper will provide reasonable assistance to the Controller in responding to Data Subject requests, including access, rectification, erasure, portability, restriction, and objection requests.

10. Personal Data Breach Notification

OrbitScraper will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller data.

Where available, the notice will include:

• Nature and scope of the breach
• Categories and approximate volume of affected data
• Likely consequences and risk assessment
• Mitigation and remediation measures taken or proposed

OrbitScraper will cooperate with the Controller in investigating and mitigating the breach.

11. Data Retention, Return, and Deletion

Personal Data will be retained only for as long as necessary to provide the services and satisfy legal, security, and contractual obligations.

Upon termination or expiry of the customer agreement, OrbitScraper will, at the Controller's choice, delete or return Personal Data, unless retention is required by applicable law.

Unless otherwise agreed in writing, deletion will occur within 30 to 60 days after termination.

12. Audit Rights

OrbitScraper will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.

The Controller may conduct audits or inspections with reasonable prior notice, during normal business hours, and subject to confidentiality, security, and operational safeguards.

Audit frequency shall be reasonable and limited to avoid disruption or abuse.

13. Liability and Governing Law

Liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

This DPA is governed by the jurisdiction set out in the Terms of Service, without prejudice to mandatory rights under applicable data protection laws.

14. Acceptance

By accepting the Terms of Service, the Controller accepts this DPA. For enterprise customers, a separately executed version may be signed by authorized representatives.

For signed enterprise DPA requests, contact support@orbitscraper.com.