This page is a template Data Processing Addendum ("DPA") for enterprise customers who need to establish a GDPR-compliant data processing relationship with CrimeLayer. To execute a signed DPA, email legal@crimelayer.com with your company details.
1. Definitions
- Controller — the entity that determines the purposes and means of processing personal data
- Processor — the entity that processes personal data on behalf of the Controller
- Personal Data — any information relating to an identified or identifiable natural person, as defined in applicable data protection law
2. Parties and Role
For the purpose of this DPA, the CrimeLayer customer ("Customer") is the Controller, and CrimeLayer, Inc. ("CrimeLayer") is the Processor.
3. Processing Details
- Subject matter: Provision of the CrimeLayer API and associated services
- Duration: For the term of the subscription plus the retention periods set forth in the Privacy Policy
- Nature and purpose: Authentication, billing, rate limiting, usage analytics
- Types of personal data: Customer account information (email, name), API usage logs (hashed key IDs), billing records
- Categories of data subjects: Customer's authorized users and administrators
4. Customer Obligations
The Customer warrants that:
- It has a lawful basis to provide personal data to CrimeLayer
- It has obtained necessary consents and notices from its users
- Its instructions to CrimeLayer comply with applicable law
5. CrimeLayer Obligations
CrimeLayer shall:
- Process personal data only on documented instructions from the Customer
- Ensure personnel with access to personal data are bound by confidentiality
- Implement appropriate technical and organizational measures (see /security)
- Assist the Customer with data subject requests within 30 days
- Notify the Customer of any personal data breach without undue delay
6. Sub-Processors
CrimeLayer uses the sub-processors listed in the Privacy Policy. CrimeLayer will notify Customers of changes to its sub-processor list with at least 30 days' notice. Customers may object in writing to new sub-processors.
7. International Data Transfers
Where CrimeLayer transfers personal data outside the EEA or UK, CrimeLayer relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other lawful transfer mechanisms.
8. Data Subject Rights
CrimeLayer will assist the Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within 30 days of receiving the request from the Customer.
9. Audit Rights
Customers may request an audit of CrimeLayer's processing activities once per year, subject to reasonable notice and confidentiality terms. CrimeLayer may fulfill audit obligations by providing SOC 2 or similar third-party audit reports when available.
10. Term and Termination
This DPA is effective from the date of signature and remains in effect for the duration of the underlying subscription, plus the retention periods required by law.
11. Contact
To execute a DPA, contact: legal@crimelayer.com
This page is a public template. An executed, signed DPA will take precedence over this template for customers who have completed the signature process.