Data Processing Agreement (DPA)

Last Update: 13th September 2024


Controller: ipapi.is
Processor: Any entity engaged by the Controller to process personal data on its behalf.

1. Purpose

This Data Processing Agreement ("DPA") sets forth the terms under which any Processor may process personal data on behalf of the Controller in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. Definitions

"Personal Data": Any information related to an identified or identifiable individual, processed by the Processor on behalf of the Controller.

"Processing": Any operation or set of operations performed on Personal Data.

"Controller": ipapi.is, the entity determining the purposes and means of the processing.

"Processor": Any entity processing Personal Data on behalf of the Controller.

3. Processing Details

Nature of Processing: Processing of IP address data in response to customer queries and returning the associated IP address data.

Duration: The processing occurs in real time as required to provide the services and does not involve the storage of specific IP addresses queried by the customer.

Type of Personal Data: IP address data queried by the customer. Usage data is logged for billing purposes but does not include specific IP addresses queried. When creating an account, the following data is stored:

  • Email address or Google/GitHub OAuth information.
  • Client IP address and associated metadata obtained via ipapi.is.
  • Company name, if provided by the user (optional).

Categories of Data Subjects: Data subjects are not identifiable, as specific IP addresses queried are not logged or retained by ipapi.is. Account holders' data includes their email address, client IP, and optional company information.

4. Processor Obligations

Data Security: Processor will implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction.

Confidentiality: Processor ensures that personnel authorized to process the data are bound by confidentiality obligations.

Sub-processors: Processor engages the following sub-processors:

  • Hetzner and OVHcloud: Hosting providers for infrastructure.
  • Microsoft Azure: DNS services.
  • Google Analytics: Used solely for website traffic analysis, not for IP address queries.
  • Google/GitHub OAuth: Used for user authentication when creating an account.

Data Breach Notification: Processor will notify the Controller without undue delay after becoming aware of a data breach affecting Personal Data.

Assistance: Processor will assist the Controller in responding to data subject requests and ensuring compliance with obligations under applicable data protection laws.

5. Controller Obligations

Lawful Basis: The Controller warrants that it has a lawful basis for collecting and processing the Personal Data in accordance with data protection laws.

Instructions: The Processor will process Personal Data only in accordance with documented instructions from the Controller.

6. Data Transfers

Processor shall not transfer Personal Data outside of the European Economic Area (EEA) unless authorized by the Controller and such transfer complies with applicable data protection laws.

7. Data Subject Rights

As ipapi.is does not log or retain specific IP address query data, it is not possible to identify data subjects or provide access, rectification, or erasure rights regarding these queries. For account-related data (email, client IP, and company name), data subjects have the right to access, rectify, or request erasure of their personal data in accordance with applicable data protection laws.

8. Data Retention and Deletion

ipapi.is does not store specific IP address query data. Usage data is retained solely for billing purposes and is deleted in accordance with accounting regulations and legal obligations. Account-related data is retained as long as the account is active and is deleted upon account termination or at the user's request, unless retention is required by law.

9. Audit and Compliance

Processor will provide reasonable assistance to the Controller in demonstrating compliance with this DPA and allow for audits or inspections by the Controller or a mandated auditor, subject to reasonable notice.

10. Governing Law

This DPA is governed by and shall be construed in accordance with the laws of Germany.

Controller (ipapi.is)