Last updated: July 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between API Direct ("we", "us") and the customer ("you") and applies to the extent that we process personal data on your behalf in providing the Service.
Where this DPA conflicts with the Terms of Service, this DPA prevails in relation to the processing of personal data. Terms not defined here have the meaning given in the UK GDPR.
Your account data (your name, email address, billing details, and your usage of the Service): we are the controller. How we handle it is described in our Privacy Policy.
The public content you retrieve through the API: here we and you act as independent controllers, each in respect of our own processing, rather than as processor and controller. We decide, on our own account, to make publicly available content accessible through the Service and how we do so; you decide independently what to request and how to use what you receive. Neither party acts on the other's instructions in these decisions, and each is responsible for its own compliance with data protection law, including having its own lawful basis. We handle requests from individuals about our own processing, as set out in our Privacy Notice for Individuals; you are responsible for requests relating to your use of the data once it is in your systems.
Processing on your behalf: to the extent we process any personal data solely on your documented instructions and on your behalf — for example details you supply with a request — we act as your processor for that processing, and the obligations in this DPA apply to it. This is the processing to which the rest of this agreement is directed.
You agree that:
We will:
We maintain appropriate technical and organisational measures, including:
You are responsible for keeping your API keys confidential and for the security of the systems into which you receive data.
You give general authorisation for us to engage sub-processors. Our current sub-processors are listed at apidirect.io/sub-processors, which forms part of this DPA.
We will give notice before adding or replacing a sub-processor, to customers who have asked to be notified of changes. If you reasonably object on data protection grounds within 30 days of that notice, we will work with you in good faith to find a solution, and if we cannot, you may terminate the affected part of the Service.
We remain responsible for our sub-processors' performance of their obligations, and impose data protection terms on them that are no less protective than those in this DPA.
Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, so far as reasonably possible, in responding to requests from individuals exercising their rights.
If we receive a request that relates to your use of the Service as controller, we will not respond to it on your behalf, except as legally required, and will inform you of it without undue delay.
Individuals can ask us directly to stop including them in the results we return, and to tell them what we hold about them, through our opt-out form and our data request form. Where we suppress an individual, we filter them out of results from that point on. We cannot retrieve data that has already been delivered to you, so you remain responsible for honouring rights in respect of the data held in your own systems.
We will notify you without undue delay after becoming aware of a personal data breach affecting personal data processed on your behalf, and will provide the information reasonably available to us to help you meet your own notification obligations. Our internal procedure is set out in our breach response plan.
We and our sub-processors may process personal data outside the United Kingdom. Where we do, we rely on appropriate safeguards, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, or on UK adequacy where it applies. Those safeguards are incorporated into this DPA by reference where required.
We do not retain the content returned to you through the API, so there is generally nothing for us to return or delete at the end of the Service beyond your account data. You can delete your account and its associated data at any time from your dashboard settings. On termination we will delete your account data, except where we are required by law to retain it, for example records needed for tax or accounting purposes.
We will make available information reasonably necessary to demonstrate compliance with this DPA and will contribute to audits, including inspections, conducted by you or an auditor you appoint. Audits must be on reasonable notice, during business hours, no more than once per year unless required by a supervisory authority or following a breach, and must not compromise the confidentiality or security of other customers' data.
This DPA takes effect when you begin using the Service and continues until the Terms of Service terminate, and thereafter for as long as we process any personal data on your behalf. Any provision which by its nature should survive termination does so.
This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, unless the Terms of Service specify otherwise.
Email: support@apidirect.io