✅ IPASIS — Data Processing Agreement (DPA)

1. Definitions

"Personal Data" – Any information relating to an identifiable natural person, including IP addresses.

"Processing" – Any operation performed on Personal Data.

"Sub-processor" – A third party engaged by IPASIS to process data.

"Services" – The IP Reputation & Intelligence API offered by IPASIS.

2. Subject Matter & Purpose of Processing

Customer sends IP addresses and request metadata to IPASIS for the purposes of:

• Fraud detection
• Abuse prevention
• VPN/Proxy/TOR/Hosting detection
• Geolocation & ASN lookup
• Platform security analysis

IPASIS processes Personal Data only for these purposes and only as instructed by the Customer.

3. Duration

This DPA remains valid as long as the Customer uses IPASIS services.

4. Categories of Data Processed

• IP addresses
• Request headers (optional)
• Network metadata
• API usage logs
• Minimal analytics data (non-identifiable)

IPASIS does not process names, emails, passwords, or sensitive personal data.

5. Roles & Responsibilities

Customer (Data Controller) Responsibilities

• Determines the lawful basis for collecting IP data.
• Provides instructions to IPASIS.
• Ensures data subjects are informed.

IPASIS (Data Processor) Responsibilities

• Processes data strictly per Customer instructions.
• Ensures confidentiality.
• Implements required security measures.
• Notifies Customer of incidents.

6. Security Measures

IPASIS implements industry-standard security controls, including:

• Encrypted transit (TLS 1.2+)
• Encryption at rest (GCP-managed keys)
• Strict IAM permissions
• Firewall & rate-limit at ingress
• API key authentication
• Periodic vulnerability scanning
• Isolated production environment
• Least-privilege access controls

7. Sub-Processors

Customer authorizes IPASIS to use the following sub-processors:

A. Google Cloud Platform (Primary Infrastructure)

• Hosting, storage, networking, compute.
• Region: India / US / EU (depending on service).
• Processes API logs, metadata, IP lookup data.

B. LemonSqueezy (Billing & Subscription Management)

• Processes: email, name, billing info.
• Purpose: subscriptions, invoicing, payments.
• Data flows only for paying customers.

C. Plausible Analytics (Privacy-first Analytics)

• Collects no cookies, no PII.
• Collects: browser type, geolocation (approx), page views.
• Used only on ipasis.com website, not the API.
• Fully GDPR-compliant.

IPASIS will notify the Customer before adding new sub-processors.

8. Confidentiality

All personnel involved in processing are legally bound by confidentiality obligations.

9. Data Transfers

Where data is transferred outside the EU/UK, IPASIS relies on:

• Standard Contractual Clauses (SCCs).
• GDPR-compliant international transfer mechanisms.
• Privacy-first sub-processors.

10. Data Subject Requests (DSRs)

If Customer receives a request (access, deletion, objection):

• IPASIS will assist within 72 hours.
• IPASIS will not respond directly unless authorized.

11. Data Retention & Deletion

• API logs retained: 30 days (configurable per customer).
• Abuse feed and threat intelligence data retained longer, but not tied to specific customers.
• Customer data deleted within 30 days of account termination.
• Backup data purged automatically per GCP lifecycle rules.

12. Breach Notification

IPASIS will notify the Customer:

• Within 48 hours of discovering a Personal Data Breach.
• With details of scope, impact, and mitigation steps.

13. Customer Audit Rights

Customer may request:

• Security overview documentation.
• Sub-processor list.
• Infrastructure diagrams.
• Compliance statements.

Reasonable audits may be performed with advance notice.

14. Liability

Liability is limited as outlined in the Main Agreement.

15. Governing Law

This DPA is governed by:

• If the customer is in EU/UK → EU/UK law.
• Otherwise → Indian law.

16. Termination

Upon termination:

• IPASIS will stop processing.
• Delete all personal data within 30 days (unless legally required to retain logs).