Data Processing Agreement
Last updated: 30/04/2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Infomance ("Processor") and the Customer ("Controller") for the Infomance API service.
1. Subject Matter and Duration
Infomance processes personal data on behalf of the Customer to provide the Infomance API service. This DPA is effective for the duration of the service agreement.
2. Nature and Purpose of Processing
Data is processed for:
- API request logging (authentication, billing, rate limiting)
- User account data (email, name, organization)
- Usage analytics (endpoint calls, error rates, performance)
3. Type of Personal Data
The following personal data may be processed:
- Email addresses
- IP addresses
- API usage metadata
4. Obligations of the Processor
Infomance shall:
- Process data only on documented instructions from the Controller
- Ensure confidentiality obligations on all authorized personnel
- Implement appropriate technical and organizational security measures
- Assist Controller with data subject requests within 30 days
- Delete or return all personal data upon termination
- Make available information necessary to demonstrate compliance
5. Sub-processors
Infomance uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA (SCCs) |
| Resend | Transactional email | USA (SCCs) |
| Cloudflare | CDN and DDoS protection | USA (SCCs) |
| Hetzner | Infrastructure | Germany (EU) |
6. International Transfers
Where personal data is transferred outside the EEA, Infomance relies on Standard Contractual Clauses (EU 2021/914) to ensure adequate protection.
7. Data Subject Rights
Infomance will assist the Controller in responding to requests from data subjects exercising their rights under GDPR Articles 15-22 within 30 days.
8. Security Measures
Technical and organizational measures include:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- Role-based access controls and audit logging
- Regular security assessments and penetration testing
9. Breach Notification
Infomance will notify the Controller without undue delay (within 72 hours) of becoming aware of a personal data breach affecting Controller data.
10. Governing Law
This DPA is governed by the laws of the Netherlands. GDPR compliance is ensured through Standard Contractual Clauses (EU 2021/914) for international data transfers.
Contact
To request a signed DPA or for questions:
Email: [email protected]
DPO: [email protected]