Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between DataCloud.sh Inc. ("Processor") and the Customer ("Controller") and governs the processing of personal data carried out by DataCloud.sh on behalf of the Customer.

Last updated: April 28, 2026

Who needs a DPA? If you are using DataCloud.sh APIs to extract or process data that may include personal information about individuals within the European Economic Area, UK, or Switzerland, you are required under GDPR to have a DPA in place with us. By accepting our Terms of Service, you also accept this DPA. If your organization requires a signed copy, contact legal@datacloud.sh.

1. Definitions

In this DPA, the following terms have the following meanings:

  • "Controller" means the Customer who determines the purposes and means of processing personal data.
  • "Processor" means DataCloud.sh Inc., which processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing" means any operation or set of operations performed on personal data, including collection, recording, storage, retrieval, use, disclosure, or erasure.
  • "Data Subject" means the natural person to whom the personal data relates.
  • "Sub-Processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
  • "GDPR" means the EU General Data Protection Regulation 2016/679 and, where applicable, the UK GDPR and the Swiss Federal Act on Data Protection.
  • "Security Incident" means any confirmed unauthorized access to, disclosure of, or destruction of personal data processed under this DPA.

2. Subject Matter and Duration

This DPA governs the processing of personal data by DataCloud.sh as Processor on behalf of the Customer as Controller, in connection with the Services described in the Terms of Service. The DPA begins when the Customer accepts the Terms of Service and continues until the termination of the Services or deletion of all personal data processed under it, whichever is later.

3. Nature and Purpose of Processing

DataCloud.sh processes personal data solely to deliver the API Services ordered by the Customer. The nature, purpose, subject matter, and duration of processing are:

  • Nature: Automated scraping and structured data extraction from publicly available web sources; transmission of extracted data in JSON format via API response; temporary caching and logging of requests and responses.
  • Purpose: Fulfillment of the Customer's API requests as directed by the Customer's software and workflows.
  • Subject matter: Publicly accessible web content as specified by the Customer in each API request (e.g., e-commerce product listings, hotel information, search engine results pages).
  • Categories of personal data potentially processed: Names, profile photos, and reviews attributed to identifiable individuals on public e-commerce or review platforms, where the Customer's request targets such content.
  • Categories of data subjects: End users or members of the public who have posted reviews or other public content on websites targeted by the Customer.
  • Duration: For the term of the Customer's subscription plus any retention period required by applicable law.

DataCloud.sh does not process personal data for any purpose other than providing the Services, complying with applicable law, or as otherwise permitted in writing by the Controller.

4. Controller Obligations

The Controller (Customer) represents and warrants that:

  • It has a lawful legal basis to process any personal data submitted to or extracted via the Services, including obtaining any required consents from data subjects.
  • It will provide data subjects with appropriate privacy notices explaining how their data is used, including its use of third-party API services like DataCloud.sh.
  • Its instructions to DataCloud.sh regarding processing activities comply with applicable law.
  • It will not instruct DataCloud.sh to process special categories of personal data (Article 9 GDPR) — including health data, biometric data, political opinions, or racial/ethnic origin — without prior written agreement and appropriate safeguards.

5. Processor Obligations

DataCloud.sh, as Processor, agrees to:

  • Process personal data only on documented instructions from the Controller, unless required to do so by applicable law.
  • Ensure that persons authorized to process personal data have committed to confidentiality obligations.
  • Implement the technical and organizational security measures described in Section 7.
  • Assist the Controller in fulfilling its obligations to respond to data subject rights requests (Articles 12–23 GDPR) to the extent technically feasible and within the scope of the Services.
  • Assist the Controller with its obligations under Articles 32–36 GDPR (security, breach notification, DPIA, and prior consultation) where DataCloud.sh has the relevant information.
  • Upon termination of the Services, delete or return all personal data to the Controller, and delete existing copies, unless retention is required by applicable law.
  • Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 9.
  • Immediately inform the Controller if, in DataCloud.sh's opinion, an instruction infringes applicable data protection law.

6. Sub-Processors

The Controller grants DataCloud.sh general authorization to engage Sub-Processors to assist in delivering the Services. DataCloud.sh currently uses the following categories of Sub-Processors:

| Sub-Processor | Role | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, compute, and encrypted storage | United States / EU |
| Stripe, Inc. | Payment processing | United States |
| Email service provider | Transactional and notification emails | United States |

DataCloud.sh will impose data protection obligations on all Sub-Processors that are no less restrictive than those in this DPA. DataCloud.sh remains liable to the Controller for the acts and omissions of its Sub-Processors to the same extent DataCloud.sh would be liable if it performed the processing directly.

DataCloud.sh will notify the Controller of any intended changes to Sub-Processors (additions or replacements) by email or dashboard notification at least 14 days before the change takes effect, giving the Controller the opportunity to object. If the Controller objects and the parties cannot resolve the disagreement, the Controller may terminate the Services without penalty by providing written notice within 14 days of DataCloud.sh's notification.

7. Security Measures

DataCloud.sh implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and accidental loss, destruction, or damage. These measures include, but are not limited to:

  • Encryption in transit: All API communications are encrypted using TLS 1.2 or higher.
  • Encryption at rest: Stored data is encrypted using AES-256.
  • Access controls: Role-based access control limits internal access to personal data on a need-to-know basis; privileged access requires multi-factor authentication.
  • Network security: Infrastructure is protected by firewalls, DDoS mitigation, and intrusion detection systems.
  • Audit logging: Access to production systems containing personal data is logged and regularly reviewed.
  • Vulnerability management: We perform regular security assessments, dependency audits, and penetration testing.
  • Incident response: We maintain a documented incident response plan and train relevant staff on security procedures.

8. Security Incidents and Breach Notification

DataCloud.sh will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a confirmed Security Incident affecting personal data processed under this DPA. Notification will be provided via email to the Controller's registered account email address and will include, to the extent then known:

  • A description of the nature of the Security Incident, including the categories and approximate number of data subjects and records affected.
  • The likely consequences of the Security Incident.
  • Measures taken or proposed to address the Security Incident and mitigate its effects.

DataCloud.sh will cooperate with the Controller's reasonable requests for additional information to enable the Controller to meet its own breach notification obligations under applicable law.

9. Audits

DataCloud.sh will make available to the Controller, upon reasonable written request and no more than once per calendar year (unless required by applicable law), documentation and evidence sufficient to demonstrate compliance with this DPA. Where the Controller requires an on-site audit or inspection, this must be conducted at the Controller's expense, during normal business hours, with at least 30 days' advance written notice, and in a manner that does not unreasonably disrupt DataCloud.sh's operations. DataCloud.sh may require the Controller to sign a confidentiality agreement before accessing any audit materials.

10. International Transfers

Where DataCloud.sh transfers personal data from the EEA, UK, or Switzerland to a third country (including the United States), it does so on the basis of: (a) the EU Standard Contractual Clauses (Module 2: Controller to Processor, and/or Module 3: Processor to Sub-Processor) as adopted by the European Commission; or (b) the UK International Data Transfer Agreement as adopted by the UK Information Commissioner's Office; or (c) any other transfer mechanism recognized as providing an adequate level of protection under applicable law. Upon request, DataCloud.sh will provide the Controller with a copy of the applicable transfer mechanism documentation.

11. Data Subject Rights

DataCloud.sh will, to the extent technically feasible and within the scope of the Services, assist the Controller in responding to data subject requests for access, rectification, erasure, portability, restriction, or objection. Because the personal data within the scope of this DPA primarily originates from publicly available web sources (not directly from data subjects), DataCloud.sh's ability to identify specific data subjects in its logs may be limited. The Controller remains the primary party responsible for responding to data subjects and must implement its own mechanisms for handling such requests.

12. Deletion and Return of Data

Upon expiry or termination of the Services, DataCloud.sh will, at the Controller's written election, securely delete or return all personal data processed under this DPA within 30 days. Where legal obligations require DataCloud.sh to retain certain records, DataCloud.sh will isolate and protect that data from further processing and delete it as soon as the retention obligation expires. DataCloud.sh will provide written confirmation of deletion upon request.

13. Liability and Indemnification

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. If DataCloud.sh is held liable for a data protection breach that was caused by the Controller's instructions or actions, the Controller shall indemnify DataCloud.sh to the extent of the Controller's responsibility for the breach.

14. Governing Law

This DPA is governed by the same governing law as the Terms of Service (State of Delaware, United States), except that where GDPR or the UK GDPR applies, the relevant provisions of EU or UK law shall prevail to the extent required.

15. Order of Precedence

In the event of any conflict between this DPA and the Terms of Service with respect to the subject matter of this DPA (processing of personal data), this DPA shall prevail. In all other respects, the Terms of Service shall prevail.

16. Contact

For DPA-related inquiries, signed DPA requests, or to report a potential security incident, contact our Data Protection team at legal@datacloud.sh.