Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and DataBlue ("DataBlue", "Processor", "we") for the use of the Services, and reflects the parties' agreement on the processing of Personal Data in connection with the Terms of Service. It supplements our Privacy Policy and applies where DataBlue processes Personal Data on the Customer's behalf.

1. Overview & Scope

This DPA applies to the extent DataBlue processes Personal Data that is subject to Data Protection Laws — including the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable privacy laws — on behalf of the Customer. Where you require a signed copy or have specific compliance requirements, contact us using the details at the end.

2. Definitions

• "Personal Data", "Controller", "Processor", "Data Subject", and "Processing" have the meanings given in the GDPR.
• "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the agreement.
• "Customer Data"means data submitted to or obtained through the Services that contains Personal Data processed by DataBlue on the Customer's behalf.
• "Subprocessor" means any third party engaged by DataBlue to process Personal Data.

3. Roles of the Parties

For Personal Data contained in Customer Data, the Customer is the Controller (or a processor acting on behalf of a third-party controller) and DataBlue is the Processor. DataBlue will process such Personal Data only on the Customer's documented instructions, including those set out in the Terms of Service, this DPA, and the Customer's configuration of the Services. DataBlue acts as an independent Controller for account, billing, and website data, which is governed by our Privacy Policy.

4. Details of Processing

• Subject matter: provision of the Services (search, web scraping, crawling, mapping, and extraction).
• Duration: for the term of the agreement, plus any limited retention period described in our Privacy Policy.
• Nature & purpose: fetching, parsing, returning, and metering web and search data as instructed by the Customer.
• Types of Personal Data: any Personal Data the Customer chooses to submit in queries or that appears in the public web content it instructs us to retrieve.
• Categories of Data Subjects: determined and controlled by the Customer through its use of the Services.

5. DataBlue's Obligations

As Processor, DataBlue will:

• Process Personal Data only on the Customer's documented instructions;
• Ensure persons authorized to process Personal Data are bound by appropriate confidentiality obligations;
• Implement and maintain appropriate technical and organizational security measures;
• Respect the conditions for engaging Subprocessors set out in this DPA;
• Assist the Customer, taking into account the nature of processing, with data subject requests and with its security, breach-notification, and impact-assessment obligations; and
• Inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.

6. Customer Obligations

The Customer is responsible for the lawfulness of the Personal Data it submits and the instructions it gives. The Customer represents that it has a valid legal basis to process and to instruct DataBlue to process the relevant Personal Data, that it has provided any required notices and obtained any required consents, and that its use of the Services complies with Data Protection Laws and the laws and terms applicable to the sources it targets.

7. Subprocessors

The Customer provides general authorization for DataBlue to engage Subprocessors to support the Services — including cloud hosting and infrastructure, payment processing, email delivery, error monitoring, and analytics providers. DataBlue imposes data-protection obligations on each Subprocessor that are no less protective than those in this DPA, and remains responsible for their performance. We will make available an up-to-date list of Subprocessors on request and give reasonable notice of intended changes so the Customer may object on reasonable data-protection grounds.

8. Security Measures

DataBlue maintains technical and organizational measures appropriate to the risk, including encryption of data in transit and of sensitive data at rest, access controls and least-privilege practices, scoped and revocable API keys, network protections, logging and monitoring, and regular review of its security program. Further details of our security posture are described on our Security page.

9. Personal Data Breaches

DataBlue will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer's Personal Data, and will provide information reasonably available to it to help the Customer meet its own notification obligations. Notification of a breach is not an acknowledgment of fault or liability.

10. Data Subject Requests & Assistance

Taking into account the nature of the processing, DataBlue will assist the Customer with appropriate technical and organizational measures, insofar as possible, in responding to requests from Data Subjects to exercise their rights, and in meeting the Customer's obligations relating to security, breach notification, and data-protection impact assessments. If DataBlue receives a request directly from a Data Subject relating to Customer Data, it will, where permitted, direct that person to the Customer.

11. International Transfers

DataBlue and its Subprocessors may process Personal Data in locations outside the Customer's country, including India and the regions where our cloud providers operate. Where such transfers are subject to Data Protection Laws, the parties rely on an appropriate transfer mechanism — such as the European Commission's Standard Contractual Clauses and the UK Addendum — which are incorporated into this DPA by reference and apply where required.

12. Return & Deletion of Data

Upon termination of the Services, and at the Customer's choice, DataBlue will delete or return Customer Data containing Personal Data and delete existing copies, unless retention is required by applicable law. Operational request and response data is retained only for a short period as described in our Privacy Policy and is then deleted or anonymized in the ordinary course.

13. Audits

DataBlue will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. Audits will be conducted on reasonable prior notice, during business hours, no more than once per year (absent a regulator request or breach), and in a manner that does not disrupt the Services or compromise the confidentiality of other customers. Where available, DataBlue's third-party certifications and reports will be provided to help satisfy audit requests.

14. Liability & Order of Precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA prevails to the extent of the conflict.

15. Contact

For questions about this DPA or to request a signed copy, contact us at:

This DPA is provided for transparency and does not constitute legal advice.