Data Processing Agreement
Last updated: December 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between QR Code API ("Processor") and you ("Controller") for the processing of personal data.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Data Subject" means the individual whose Personal Data is processed
- "Sub-processor" means any third party engaged by the Processor to process Personal Data
2. Scope of Processing
The Processor will process Personal Data only:
- On behalf of and in accordance with the Controller's instructions
- As necessary to provide the Service
- In compliance with applicable data protection laws
3. Categories of Data Processed
- Account information (email address)
- Usage data (API requests, timestamps)
- Scan analytics (hashed IP, device type, country)
- Dynamic link destinations (URLs)
4. Security Measures
The Processor implements appropriate technical and organizational measures including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication
- Regular security assessments
- Incident response procedures
- Employee confidentiality agreements
5. Sub-processors
The Controller authorizes the use of the following sub-processors:
- Vercel Inc. - Hosting and serverless functions (USA)
- Supabase Inc. - Database services (USA/EU)
- Stripe Inc. - Payment processing (USA)
The Processor will notify the Controller of any changes to sub-processors and allow objection.
6. Data Subject Rights
The Processor will assist the Controller in responding to requests from Data Subjects to exercise their rights under GDPR, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to object
7. Data Breach Notification
The Processor will notify the Controller without undue delay (within 72 hours) upon becoming aware of a Personal Data breach that affects the Controller's data.
8. Data Retention & Deletion
Upon termination of the Service:
- Personal Data will be deleted within 30 days
- The Controller may request data export before deletion
- Backups are retained for 90 days for disaster recovery
9. International Transfers
When Personal Data is transferred outside the EEA, appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) with sub-processors
- Sub-processors certified under recognized frameworks
10. Audit Rights
The Processor will make available information necessary to demonstrate compliance and allow for audits upon reasonable notice.
Request a Signed DPA
Enterprise customers can request a signed DPA at legal@qrcodeapi.io
11. Contact
For DPA-related inquiries:
- Email: legal@qrcodeapi.io
- Data Protection Officer: dpo@qrcodeapi.io