Data Processing Agreement

Last updated: July 1, 2025

Notice: This Data Processing Agreement ("DPA") is entered into between Sure Scale Private Limited, operating as Eddie.surf ("Data Processor", "we", "us", "our") and the Customer ("Data Controller", "you", "your") and forms part of the Master Services Agreement for the use of Eddie.surf services.

1. Definitions

In this DPA, the following terms shall have the meanings set out below:

  • "Applicable Laws" means all applicable data protection laws including the Singapore Personal Data Protection Act 2012 (PDPA), the EU General Data Protection Regulation 2016/679 (GDPR), and any other relevant data protection regulations.
  • "Personal Data" means any data relating to an identified or identifiable natural person that is processed by the Data Processor on behalf of the Data Controller.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or destruction.
  • "Sub-processor" means any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • "Services" means the web scraping and data extraction API services provided by Eddie.surf.

2. Scope and Application

2.1. This DPA applies to all Processing of Personal Data by the Data Processor on behalf of the Data Controller in connection with the provision of the Services.

2.2. The parties acknowledge and agree that:

  • The Data Controller is the controller of Personal Data
  • The Data Processor is the processor of Personal Data
  • The Data Controller retains control over and remains responsible for its Personal Data
  • The Data Processor acts only on the instructions of the Data Controller

3. Data Processing Instructions

3.1. The Data Processor shall process Personal Data only:

  • In accordance with the documented instructions from the Data Controller
  • As necessary to provide the Services
  • To comply with Applicable Laws

3.2. The Data Controller's instructions for Processing are:

  • Processing data submitted through API requests
  • Extracting and structuring data as specified in API calls
  • Temporarily storing data for processing purposes
  • Returning processed data via API responses

3.3. If the Data Processor believes any instruction violates Applicable Laws, it shall immediately notify the Data Controller.

4. Categories of Data and Data Subjects

4.1. Categories of Personal Data processed may include:

  • Names and contact information
  • Professional information (job titles, company names)
  • Publicly available social media data
  • Website user behavior data
  • Any other data submitted by the Data Controller for processing

4.2. Categories of Data Subjects may include:

  • Data Controller's customers and prospects
  • Website visitors
  • Social media users
  • Business contacts
  • Any individuals whose data is submitted for processing

5. Data Processor Obligations

5.1. The Data Processor shall:

  • Process Personal Data only as instructed by the Data Controller
  • Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Not transfer Personal Data outside agreed jurisdictions without prior consent
  • Assist the Data Controller in responding to data subject requests
  • Make available all information necessary to demonstrate compliance
  • Delete or return all Personal Data at the end of service provision
  • Maintain records of all Processing activities

6. Technical and Organizational Security Measures

6.1. The Data Processor implements comprehensive security measures including:

Technical Measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • VPC network isolation with private subnets
  • IAM access controls following the principle of least privilege
  • Secure API authentication (API keys, encrypted tokens)
  • Automated backup systems with encryption
  • Rate limiting and concurrency controls
  • Regular security updates and patches
  • Network segmentation and access controls

Organizational Measures:

  • Information security policies and procedures
  • Regular security training for staff
  • Access control on a need-to-know basis
  • Confidentiality agreements with all staff
  • Incident response procedures
  • Regular security audits and reviews
  • Business continuity and disaster recovery plans

7. Sub-processors

7.1. The Data Controller provides general authorization for the Data Processor to engage Sub-processors listed in Appendix A.

7.2. The Data Processor shall:

  • Notify the Data Controller of any intended changes to Sub-processors with 30 days' notice
  • Ensure Sub-processors are bound by data protection obligations no less protective than this DPA
  • Remain fully liable for Sub-processor performance

7.3. The Data Controller may object to new Sub-processors within 14 days of notification. If the objection cannot be resolved, either party may terminate the affected Services.

8. International Data Transfers

8.1. The Data Processor may transfer Personal Data internationally only:

  • To countries deemed adequate by relevant authorities
  • Using appropriate safeguards (Standard Contractual Clauses, binding corporate rules)
  • With explicit consent from the Data Controller

8.2. Current data processing locations include:

  • Primary: Singapore (Asia-Pacific)
  • Secondary: United States (AWS US-East-1)
  • Backup: European Union (for EU customers)

9. Data Subject Rights

9.1. The Data Processor shall assist the Data Controller in fulfilling obligations to respond to data subject requests for:

  • Access to Personal Data
  • Rectification or erasure of Personal Data
  • Restriction of Processing
  • Data portability
  • Objection to Processing

9.2. The Data Processor shall promptly notify the Data Controller of any data subject requests received directly and shall not respond except as instructed.

10. Data Breach Notification

10.1. The Data Processor shall notify the Data Controller without undue delay and within 72 hours of becoming aware of a Data Breach.

10.2. The notification shall include:

  • Nature of the breach and categories of data affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details for more information

10.3. The Data Processor shall cooperate fully in investigating and remediating the breach.

11. Audit and Compliance

11.1. The Data Processor shall:

  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by the Data Controller or appointed auditor
  • Provide compliance certifications and attestations as available

11.2. Audits shall be conducted:

  • With reasonable notice (minimum 30 days)
  • During regular business hours
  • No more than once per year unless required by authorities or after a breach
  • At the Data Controller's expense

12. Data Retention and Deletion

12.1. The Data Processor shall retain Personal Data only for the duration necessary to provide the Services.

12.2. Default retention periods:

| Data Type         | Retention Period                            |
|-------------------|---------------------------------------------|
| API Request Data  | 24 hours (unless otherwise specified)       |
| Processed Results | 7 days (for retry/recovery)                 |
| Error Logs        | 30 days                                     |
| Access Logs       | 90 days                                     |
| Database Backups  | 7-90 days (hourly/daily/weekly schedule)    |
| Queue Messages    | 4-14 days (standard/dead letter queues)     |

12.3. Upon termination, the Data Processor shall promptly delete or return all Personal Data unless retention is required by law.

13. Liability and Indemnification

13.1. Each party's liability under this DPA shall be subject to the limitations set forth in the Master Services Agreement.

13.2. Each party shall indemnify the other against losses arising from its breach of this DPA or Applicable Laws.

14. Term and Termination

14.1. This DPA shall remain in effect for the duration of the Master Services Agreement.

14.2. Obligations regarding confidentiality, security, and data protection shall survive termination.

15. Miscellaneous

15.1. This DPA may only be modified in writing signed by both parties.

15.2. If any provision is held invalid, the remainder shall continue in effect.

15.3. This DPA shall be governed by Singapore law.

15.4. Any disputes shall be resolved through arbitration in Singapore.

Appendix A: Authorized Sub-processors

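| Sub-processor             | Service Provided     | Location       |
|---------------------------|----------------------|----------------|
| Amazon Web Services, Inc. | Cloud Infrastructure | Singapore, USA |
| Stripe, Inc.              | Payment Processing   | USA            |
| Google LLC                | Analytics (optional) | USA            |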

Appendix B: Standard Contractual Clauses

For transfers of Personal Data from the EEA to countries not recognized as providing adequate protection, the parties agree to incorporate the EU Standard Contractual Clauses for controller-to-processor transfers, which are hereby incorporated by reference.

Execution: This DPA is entered into and becomes binding upon acceptance of our Terms of Service or by separate execution. For enterprise customers requiring wet signatures or specific modifications, please contact our legal team.
