Data Processing Agreement
Last updated: January 16, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between APIVerve, a trade name of EvlarSoft LLC ("Processor," "we," "us," or "our"), and you ("Controller," "Customer," or "you") for the use of our API services.
This DPA applies when we process personal data on your behalf as a data processor. It reflects our commitment to data protection and compliance with applicable laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other data protection regulations.
By using our services, you agree to this DPA. If you are accepting on behalf of your employer or another entity, you represent that you have the authority to bind that entity to this agreement.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Controller" means the entity that determines the purposes and means of Processing Personal Data (you, the Customer).
- "Data Processor" means the entity that Processes Personal Data on behalf of the Controller (APIVerve).
- "Sub-processor" means any third party engaged by the Processor to Process Personal Data.
- "Data Subject" means the individual whose Personal Data is being Processed.
- "Supervisory Authority" means an independent public authority responsible for monitoring data protection compliance.
3. Scope and Roles
3.1 Scope of Processing
This DPA applies to Personal Data that you submit to our APIs for processing. The nature of processing depends on which APIs you use and may include:
- Email addresses (for validation APIs)
- IP addresses (for geolocation APIs)
- Names and text content (for various utility APIs)
- Other data you choose to submit to our API endpoints
3.2 Roles and Responsibilities
You (Controller): You determine what Personal Data to send to our APIs and for what purpose. You are responsible for ensuring you have a lawful basis to process the data and that Data Subjects are appropriately informed.
APIVerve (Processor): We process Personal Data only according to your documented instructions (i.e., the API calls you make). We implement appropriate security measures and assist you in meeting your compliance obligations.
4. Data Processing Details
4.1 Subject Matter and Duration
We process Personal Data for the duration of our service agreement with you. Processing begins when you submit data to our APIs and continues until our agreement terminates or you request deletion.
4.2 Nature and Purpose
The purpose of processing is to provide the API services you have subscribed to. This includes:
- Executing API requests and returning results
- Maintaining service logs for debugging and support
- Generating usage analytics and billing records
- Improving service quality and performance
4.3 Data Retention
We retain Personal Data submitted through APIs only as long as necessary to provide the service:
- API Request/Response Data: Not stored permanently; processed in real time and discarded after the response is returned
- API Logs: Retained for up to 30 days for debugging and support purposes
- Usage Metrics: Aggregated and anonymized data retained for analytics
5. Your Obligations as Controller
As the Data Controller, you are responsible for:
- Ensuring you have a lawful basis for processing Personal Data through our APIs
- Providing appropriate privacy notices to Data Subjects
- Obtaining necessary consents where required
- Ensuring the accuracy of Personal Data you submit
- Responding to Data Subject requests (with our assistance as needed)
- Notifying us promptly of any data protection issues
- Complying with all applicable data protection laws
6. Our Obligations as Processor
As your Data Processor, we commit to:
- Process Personal Data only on your documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Engage sub-processors only with your authorization and under written contracts
- Assist you in responding to Data Subject requests
- Assist you with data protection impact assessments when required
- Delete or return Personal Data upon termination of services
- Provide information necessary to demonstrate compliance
7. Security Measures
We implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
7.1 Technical Measures
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Secure API authentication using API keys
- Regular security assessments and penetration testing
- Automated vulnerability scanning and patching
- DDoS protection and rate limiting
- Secure development practices and code review
7.2 Organizational Measures
- Access controls based on the principle of least privilege
- Employee confidentiality agreements and training
- Incident response procedures
- Business continuity and disaster recovery plans
- Regular review and updating of security measures
For more details, see our Security Policy.
8. Sub-processors
8.1 Authorization
You authorize us to engage the sub-processors listed below to assist in providing our services. We ensure all sub-processors are bound by data protection obligations no less protective than those in this DPA.
8.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Cloud infrastructure and hosting | United States |
| Firebase (Google) | Authentication and database services | United States |
| Cloudflare | CDN, DDoS protection, and DNS | Global (edge locations) |
| Stripe | Payment processing | United States |
| Postmark | Transactional email delivery | United States |
8.3 Changes to Sub-processors
We will notify you of any intended changes to sub-processors by updating this page and, for material changes, via email to your registered account address. You may object to a new sub-processor within 30 days of notification. If we cannot reasonably accommodate your objection, you may terminate the affected services.
9. Data Subject Rights
We will assist you in responding to Data Subject requests to exercise their rights under applicable law, including:
- Access: Right to obtain confirmation of processing and access to their data
- Rectification: Right to correct inaccurate Personal Data
- Erasure: Right to request deletion of Personal Data
- Restriction: Right to restrict processing in certain circumstances
- Portability: Right to receive data in a portable format
- Objection: Right to object to processing
If we receive a request directly from a Data Subject, we will promptly notify you unless prohibited by law.
10. Data Breach Notification
In the event of a Personal Data breach affecting your data, we will:
- Notify you without undue delay (and in any event within 72 hours) after becoming aware of the breach
- Provide information about the nature of the breach, categories of data affected, and approximate number of Data Subjects concerned
- Describe the likely consequences and measures taken or proposed to address the breach
- Cooperate with your investigation and regulatory notifications
- Document the breach and remediation measures
11. International Data Transfers
Our services are primarily hosted in the United States. When Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional safeguards as required by applicable law
By using our services, you authorize the transfer of Personal Data to the United States and other countries where our sub-processors operate, subject to appropriate safeguards.
12. Audit Rights
Upon reasonable request and subject to confidentiality obligations, we will:
- Provide information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits, including inspections, conducted by you or an independent auditor
- Share relevant third-party audit reports or certifications
Audits must be conducted with reasonable advance notice, during normal business hours, and in a manner that does not disrupt our operations. You are responsible for the costs of any audit you initiate.
13. Term and Termination
This DPA remains in effect for the duration of our service agreement. Upon termination:
- We will cease processing Personal Data on your behalf
- Upon your request, we will delete or return all Personal Data within 30 days
- We may retain data as required by law or for legitimate business purposes (e.g., billing records)
- Provisions that by their nature should survive termination will remain in effect
14. Liability
Our liability under this DPA is subject to the limitations set forth in our Terms of Service. Each party is liable for damages caused by its breach of applicable data protection laws.
15. Changes to This DPA
We may update this DPA to reflect changes in our practices, legal requirements, or sub-processors. Material changes will be communicated via email or dashboard notification. Continued use of our services after changes constitutes acceptance of the updated DPA.
16. Contact Us
For questions about this DPA or to exercise your rights, please contact us through our contact page.
EvlarSoft LLC
Lee's Summit, Missouri, United States