Data Processing Agreement

Standard contractual terms pursuant to Art. 28 GDPR

Template notice: This is a standard DPA template. For execution, both parties must complete the details below and sign. Contact enterprise@feedoracle.io to initiate.
Document Version: 1.0
Effective Date: [To be completed on execution]
DPA Reference: FO-DPA-[YEAR]-[NUMBER]

This Data Processing Agreement ("DPA") is entered into between:

Data Controller ("Controller"): [Customer name and address]

Data Processor ("Processor"): FeedOracle, Germany

This DPA supplements the main services agreement ("Agreement") between the parties and governs the processing of personal data by the Processor on behalf of the Controller.

Subject Matter and Duration

The Processor provides evidence-grade data infrastructure services as described in the Agreement. This DPA applies for the duration of the Agreement and until all personal data has been deleted or returned.

Nature and Purpose of Processing

Processing is limited to the provision of API services as described in the Agreement. The Processor processes personal data solely on documented instructions from the Controller, including:

Categories of Data Subjects

Data subjects may include:

Types of Personal Data

Data Type                 | Purpose                               | Retention
Email addresses           | API key delivery, account management  | Until account deletion + 30 days
API keys                  | Authentication                        | Until revocation
IP addresses              | Rate limiting, security               | 30 days
API request logs          | Service delivery, troubleshooting     | 90 days
Controller-submitted data | As instructed by Controller           | As instructed by Controller

Obligations of the Processor

The Processor shall:

  1. Process personal data only on documented instructions from the Controller, unless required by EU or Member State law
  2. Ensure that persons authorized to process personal data have committed to confidentiality
  3. Take all measures required pursuant to Article 32 GDPR (security of processing)
  4. Respect the conditions for engaging sub-processors as set out in the Sub-Processors section of this DPA
  5. Assist the Controller in responding to data subject requests
  6. Assist the Controller in ensuring compliance with Articles 32-36 GDPR
  7. Delete or return all personal data after the end of the provision of services, at the Controller's choice
  8. Make available all information necessary to demonstrate compliance and allow for audits

Security Measures

The Processor implements the following technical and organizational measures pursuant to Art. 32 GDPR:

Category              | Measure
Encryption in transit | TLS 1.2+ on all API endpoints
Encryption at rest    | Encrypted storage volumes
Access control        | SSH key-only access, role-based permissions
Network security      | Firewall (UFW), DDoS protection (Cloudflare), fail2ban
Logging & monitoring  | API access logs (90 days), security event logging, real-time alerts
Backup & recovery     | Daily encrypted backups, off-site sync to EU server, 7-day retention
Data residency        | All primary storage in Germany (EU)
Incident response     | Documented incident response process with severity-based timelines

Full security documentation: Trust Center | Security Controls

Sub-Processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object within 30 days.

Current sub-processors:

Sub-Processor    | Purpose                               | Location
netcup GmbH      | Infrastructure hosting                | Germany (EU)
Cloudflare, Inc. | CDN, DDoS protection, TLS termination | Global (EU primary, SCCs in place)

Blockchain networks (Polygon, XRP Ledger) used for on-chain anchoring receive only SHA-256 hashes. They are not considered sub-processors, as no personal data is transmitted to them.

Data Transfers

The Processor stores all personal data within the EU (Germany). Where a sub-processor may process data outside the EU/EEA (Cloudflare edge routing and TLS termination), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914.

Data Subject Rights

The Processor shall assist the Controller in fulfilling data subject requests under Articles 15-22 GDPR. The Processor shall promptly notify the Controller if it receives a request directly from a data subject and shall not respond without the Controller's instructions, unless legally required.

Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach. The notification shall include:

  1. Description of the nature of the breach
  2. Categories and approximate number of data subjects concerned
  3. Description of likely consequences
  4. Description of measures taken or proposed to address the breach

Audit Rights

The Controller has the right to conduct audits, including inspections, to verify compliance with this DPA. The Processor shall contribute to such audits by providing relevant information and access to facilities. Audits shall be conducted with reasonable prior notice (at least 30 days) and during normal business hours.

The Processor may satisfy audit requirements by providing existing certifications, audit reports, or third-party attestations where available.

Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination:

  1. The Processor shall, at the Controller's choice, delete or return all personal data within 30 days
  2. The Processor shall delete existing copies unless EU or Member State law requires storage
  3. The Processor shall certify deletion in writing upon request

Governing Law

This DPA is governed by the laws of the Federal Republic of Germany. The courts of [jurisdiction to be agreed] shall have exclusive jurisdiction.

Signatures

Data Controller

Authorized Signature

Name: _______________________

Title: _______________________

Date: _______________________

Data Processor (FeedOracle)

Authorized Signature

Name: _______________________

Title: _______________________

Date: _______________________