Data Processing Agreement
Last updated: May 2026
Scope
This Data Processing Agreement ("DPA") supplements the Terms of Service and governs the processing of personal data carried out by SECfinAPI ("Processor") on behalf of the customer ("Controller") under Article 28 of Regulation (EU) 2016/679 (GDPR).
The financial data exposed by the SECfinAPI service is sourced from public SEC EDGAR filings and relates to issuers (legal persons), not natural persons. In most use cases SECfinAPI therefore does not process personal data on behalf of the Controller and this DPA is not legally required. We publish it as a courtesy for Business-tier customers whose own compliance reviews require an Article 28 contract with every vendor.
By accepting the Terms of Service the Controller is deemed to have accepted this DPA. A countersigned version on letterhead is available on request at privacy@secfinapi.com.
1. Subject matter and duration
Subject matter: processing of personal data necessary to provide the SECfinAPI service to the Controller, namely authentication, billing, and operational support.
Duration: for the term of the Controller's subscription, plus the residual retention periods specified in the Privacy Policy.
2. Nature and purpose of processing
- Operation of the API service: authentication, rate-limit enforcement, usage metering.
- Account administration: registration, password reset, billing.
- Security and fraud prevention.
- Compliance with the Processor's own legal obligations (tax, anti-fraud).
3. Types of personal data
Only the following categories are processed:
- Identifiers: name, email, hashed password, hashed API key.
- Billing identifiers: Stripe customer ID, subscription ID, invoice metadata.
- Usage data: per-day request counts.
- Technical data: IP address, request method/path, timestamp, request ID, API key prefix.
No special categories of personal data within the meaning of Article 9 GDPR are intentionally processed. The Controller must not transmit special-category data through the API.
4. Categories of data subjects
- Employees and authorised users of the Controller who access the API on its behalf.
- The Controller itself, if a natural person operating as a sole trader.
5. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do so by EU or Member State law to which the Processor is subject (Art. 28(3)(a) GDPR).
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation (Art. 28(3)(b)).
- Implement the technical and organisational measures described in Section 7 (Art. 28(3)(c) and Art. 32).
- Engage another processor (sub-processor) only with the Controller's general prior authorisation given in Section 6, and inform the Controller of any intended changes (Art. 28(2) and (3)(d)).
- Assist the Controller, by appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights under Articles 12–22 (Art. 28(3)(e)).
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 (security, breach notification, DPIA) (Art. 28(3)(f)).
- At the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of services and delete existing copies, unless EU or Member State law requires storage (Art. 28(3)(g)). The Controller can trigger deletion at any time from /account → Delete account.
- Make available to the Controller all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller (Art. 28(3)(h)).
6. Sub-processors
The Controller authorises the Processor to engage the following sub-processors, listed with the purpose and location of processing:
- Stripe Payments Europe, Ltd. — payment processing — Ireland (EU) with infrastructure in the US (SCCs / DPF).
- Resend, Inc. — transactional email — USA (DPF / SCCs).
- Vercel, Inc. — frontend hosting — USA (SCCs).
- Railway Corp. — backend hosting — USA (SCCs).
- Cloudflare, Inc. — encrypted backup storage (R2) — global infrastructure (SCCs).
- Functional Software, Inc. (Sentry) — error monitoring — USA (SCCs), if enabled.
The Processor will notify the Controller by email at least 30 days before adding or replacing a sub-processor. The Controller may object in writing within 14 days; the parties will negotiate in good faith, and if no agreement is reached, the Controller may terminate the affected service for a pro-rated refund.
7. Technical and organisational measures (Article 32 GDPR)
- Passwords hashed with bcrypt; API keys hashed with SHA-256.
- TLS 1.2+ for all data in transit; encryption at rest for database backups.
- Principle of least privilege for production access; 2FA on all operator accounts.
- Per-request unique request IDs surfaced in logs for incident correlation.
- Automated daily backups with 14-day retention; periodic restore tests.
- Rate limiting on authentication endpoints; IP-based abuse throttling.
- Documented incident-response process; breach notification commitment of 72 hours (Art. 33).
- Vendor security review before adding any new sub-processor.
8. International transfers
Where personal data is transferred to a third country outside the EEA, transfers rely on (a) the EU–US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795) where the recipient is self-certified, and/or (b) the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, supplemented by the technical safeguards in Section 7.
9. Personal-data breach
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting the Controller's data. The notice will include — to the extent known — the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address it (Art. 33(3) GDPR).
10. Liability and termination
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service, except where mandatory law prohibits such limitation. This DPA terminates automatically when the underlying subscription ends.
11. Governing law
This DPA is governed by the laws of the Czech Republic. The competent courts of the Czech Republic have exclusive jurisdiction, subject to the consumer protections referenced in the Terms of Service.
12. Contact
For all matters relating to this DPA, contact privacy@secfinapi.com.