Initial commit: Full Crawl API implementation

legal/dpa.md

@@ -0,0 +1,48 @@
+# Data Processing Agreement (DPA)
+
+This Data Processing Agreement ("DPA") is entered into between Crawl API ("Processor") and the Customer ("Controller") as of the date of account creation.
+
+## 1. Definitions
+
+- **Personal Data**: Any information relating to an identified or identifiable natural person.
+- **Processing**: Any operation performed on Personal Data.
+- **Data Subject**: The natural person to whom Personal Data relates.
+
+## 2. Scope of Processing
+
+Processor will process Personal Data only as necessary to provide the Service and in accordance with Controller's documented instructions.
+
+## 3. Processor Obligations
+
+- Process Personal Data only on documented instructions from Controller
+- Ensure persons authorized to process Personal Data are bound by confidentiality
+- Implement appropriate technical and organizational measures
+- Assist Controller in responding to Data Subject requests
+- Notify Controller of any Personal Data breaches
+
+## 4. Subprocessors
+
+We use the following subprocessors:
+- Amazon Web Services (hosting)
+- Stripe (payment processing)
+- Google Cloud (optional AI features)
+
+## 5. Data Transfers
+
+Personal Data may be transferred to countries outside the EEA. We ensure adequate safeguards are in place.
+
+## 6. Security Measures
+
+We implement:
+- Encryption at rest and in transit
+- Access controls and authentication
+- Regular security assessments
+- Incident response procedures
+
+## 7. Audit Rights
+
+Controller may request an audit of our compliance with this DPA once per year.
+
+## 8. Termination
+
+Upon termination, Processor will delete or return all Personal Data unless required by law to retain it.