# Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into between Crawl API ("Processor") and the Customer ("Controller") as of the date of account creation.

## 1. Definitions

- **Personal Data**: Any information relating to an identified or identifiable natural person.
- **Processing**: Any operation performed on Personal Data.
- **Data Subject**: The natural person to whom Personal Data relates.

## 2. Scope of Processing

Processor will process Personal Data only as necessary to provide the Service and in accordance with Controller's documented instructions.

## 3. Processor Obligations

- Process Personal Data only on documented instructions from Controller
- Ensure persons authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational measures
- Assist Controller in responding to Data Subject requests
- Notify Controller of any Personal Data breaches

## 4. Subprocessors

We use the following subprocessors:
- Amazon Web Services (hosting)
- Stripe (payment processing)
- Google Cloud (optional AI features)

## 5. Data Transfers

Personal Data may be transferred to countries outside the EEA. We ensure adequate safeguards are in place.

## 6. Security Measures

We implement:
- Encryption at rest and in transit
- Access controls and authentication
- Regular security assessments
- Incident response procedures

## 7. Audit Rights

Controller may request an audit of our compliance with this DPA once per year.

## 8. Termination

Upon termination, Processor will delete or return all Personal Data unless required by law to retain it.