Data Processing Agreement

Last updated: July 2026

1. Introduction and scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between API Direct ("we", "us") and the customer ("you") and applies to the extent that we process personal data on your behalf in providing the Service.

Where this DPA conflicts with the Terms of Service, this DPA prevails in relation to the processing of personal data. Terms not defined here have the meaning given in the UK GDPR.

2. Roles of the parties

Your account data (your name, email address, billing details, and your usage of the Service): we are the controller. How we handle it is described in our Privacy Policy.

The public content you retrieve through the API: here we and you act as independent controllers, each in respect of our own processing, rather than as processor and controller. We decide, on our own account, to make publicly available content accessible through the Service and how we do so; you decide independently what to request and how to use what you receive. Neither party acts on the other's instructions in these decisions, and each is responsible for its own compliance with data protection law, including having its own lawful basis. We handle requests from individuals about our own processing, as set out in our Privacy Notice for Individuals; you are responsible for requests relating to your use of the data once it is in your systems.

Processing on your behalf: to the extent we process any personal data solely on your documented instructions and on your behalf — for example details you supply with a request — we act as your processor for that processing, and the obligations in this DPA apply to it. This is the processing to which the rest of this agreement is directed.

3. Subject matter, duration, and purpose

  • Subject matter - Provision of the API Direct service
  • Duration - For as long as your account is active, and thereafter only as required by law
  • Nature and purpose - Retrieving publicly available content in response to your API requests, and operating your account, billing, and support
  • Types of personal data - Your account and billing data; and, where public content relates to an identifiable person, information such as names, public usernames, public profile links, and public posts
  • Categories of data subjects - Your personnel who use the Service, and individuals whose public content matches your requests

4. Your obligations

You agree that:

  • You have a lawful basis for requesting, receiving, and using the data you obtain through the Service
  • You will comply with applicable data protection law, including providing any notices and honouring any rights owed to individuals by you as controller
  • Your instructions to us will not require us to process personal data unlawfully
  • You will comply with the acceptable use restrictions in our Terms of Service, including not using data obtained through the Service to harass, abuse, or harm individuals
  • You will not use the Service to identify or target individuals on the basis of special categories of personal data

5. Our obligations

We will:

  • Process personal data on your behalf only to provide the Service and as otherwise instructed by you, unless required by law to do otherwise
  • Ensure that people authorised to process personal data are bound by an appropriate duty of confidentiality
  • Implement the technical and organisational measures described in section 6
  • Assist you, so far as we reasonably can and taking into account the nature of the processing, with your obligations regarding data subject rights, security, breach notification, and impact assessments
  • Make available the information reasonably necessary to demonstrate compliance with this DPA

6. Security

We maintain appropriate technical and organisational measures, including:

  • Encryption of data in transit using TLS
  • Hashing of passwords and API keys, which are never stored in plaintext
  • Access controls and authentication on our systems and those of our providers
  • Data minimisation: we do not retain the content returned through the API
  • Rate limiting and abuse controls

You are responsible for keeping your API keys confidential and for the security of the systems into which you receive data.

7. Sub-processors

You give general authorisation for us to engage sub-processors. Our current sub-processors are listed at apidirect.io/sub-processors, which forms part of this DPA.

We will give notice before adding or replacing a sub-processor, to customers who have asked to be notified of changes. If you reasonably object on data protection grounds within 30 days of that notice, we will work with you in good faith to find a solution, and if we cannot, you may terminate the affected part of the Service.

We remain responsible for our sub-processors' performance of their obligations, and impose data protection terms on them that are no less protective than those in this DPA.

8. Data subject rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, so far as reasonably possible, in responding to requests from individuals exercising their rights.

If we receive a request that relates to your use of the Service as controller, we will not respond to it on your behalf, except as legally required, and will inform you of it without undue delay.

Individuals can ask us directly to stop including them in the results we return, and to tell them what we hold about them, through our opt-out form and our data request form. Where we suppress an individual, we filter them out of results from that point on. We cannot retrieve data that has already been delivered to you, so you remain responsible for honouring rights in respect of the data held in your own systems.

9. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting personal data processed on your behalf, and will provide the information reasonably available to us to help you meet your own notification obligations. Our internal procedure is set out in our breach response plan.

10. International transfers

We and our sub-processors may process personal data outside the United Kingdom. Where we do, we rely on appropriate safeguards, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, or on UK adequacy where it applies. Those safeguards are incorporated into this DPA by reference where required.

11. Deletion and return of data

We do not retain the content returned to you through the API, so there is generally nothing for us to return or delete at the end of the Service beyond your account data. You can delete your account and its associated data at any time from your dashboard settings. On termination we will delete your account data, except where we are required by law to retain it, for example records needed for tax or accounting purposes.

12. Audit

We will make available information reasonably necessary to demonstrate compliance with this DPA and will contribute to audits, including inspections, conducted by you or an auditor you appoint. Audits must be on reasonable notice, during business hours, no more than once per year unless required by a supervisory authority or following a breach, and must not compromise the confidentiality or security of other customers' data.

13. Term and termination

This DPA takes effect when you begin using the Service and continues until the Terms of Service terminate, and thereafter for as long as we process any personal data on your behalf. Any provision which by its nature should survive termination does so.

14. Governing law

This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, unless the Terms of Service specify otherwise.

15. Contact

Email: support@apidirect.io