Data Processing Agreement
Last updated: February 27, 2026
This Data Processing Agreement ("DPA") governs how personal data is processed by the Processor on behalf of the Controller, between the Customer (Controller) and Fabian Schucht, trading as Iteration Layer (Processor).
1. Definitions
"Controller" means the Customer who determines the purposes and means of processing. "Processor" means Iteration Layer. All other terms (Personal Data, Processing, Data Subject, Supervisory Authority, Sub-processor) carry the meanings defined in Article 4 of the GDPR.
2. Subject-Matter of Processing
The Processor processes personal data to provide the Iteration Layer platform and API services: account management, API request processing, document parsing, image transformation, usage logging, payment processing, and customer support. Data subjects include the Controller's employees, end users, and customers.
3. Duration of Processing
This DPA is effective for the duration of the service agreement. Upon termination, the Processor deletes all personal data within 90 days unless retention is required by law. The Controller may request data return in a structured, machine-readable format before deletion.
4. Controller's Instructions
The Processor processes personal data only on documented instructions from the Controller, unless required by EU or Member State law. If an instruction infringes the GDPR, the Processor shall immediately inform the Controller.
5. Assistance to the Controller
The Processor assists the Controller with data subject requests, breach notifications, and data protection impact assessments. Breach notification is provided within 48 hours. Assistance beyond proportionate effort may be charged at reasonable cost.
6. Information Obligations
The Processor makes available all information necessary to demonstrate compliance with Article 28 GDPR, maintains records of processing activities, and provides documentation of security measures upon reasonable request.
7. Processor's Obligations
All personnel authorized to process personal data are bound by confidentiality obligations. The Processor implements appropriate technical and organizational security measures and limits access to personnel who require it on a need-to-know basis.
8. Controller's Obligations
The Controller warrants that its processing instructions are lawful and compliant with applicable data protection law, and shall promptly inform the Processor of any changes affecting compliance.
9. Sub-processors
The Controller provides general written authorization for the Processor to engage sub-processors. The Processor informs the Controller of any changes, giving 30 days to object. Each sub-processor is bound by obligations no less protective than this DPA, and the Processor remains fully liable for their acts.
The current list of authorized sub-processors is maintained at the privacy policy.
10. Data Subject Rights
The Processor assists the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection). The Processor shall not respond to requests directly without the Controller's prior authorization, unless required by law.
11. Security Measures
Per Article 32 GDPR, the Processor implements encryption in transit and at rest, access controls, measures ensuring confidentiality, integrity, availability, and resilience, and regular effectiveness testing. Details are in Schedule I.
12. Audit
The Processor undergoes an independent security audit at least every two years, with results available on request. The Controller may conduct audits with reasonable notice during business hours, at the Controller's expense.
13. Transfer to Third Parties
The Processor transfers personal data only to authorized sub-processors (Section 9) or where required by law. Where legally required, the Processor informs the Controller before processing unless prohibited on public interest grounds.
14. International Data Transfer
Primary infrastructure is within the EEA. Transfers outside the EEA use adequacy decisions or EU Standard Contractual Clauses (SCCs). Specific mechanisms per sub-processor are detailed in Schedule II.
15. Governmental Authorities
The Processor notifies the Controller of any governmental data access request unless prohibited by law, and challenges any request it reasonably believes to be unlawful.
16. Intellectual Property
This DPA does not transfer any intellectual property rights. Each party retains its own IP. Processing under this DPA grants no rights to use the Controller's data beyond service delivery.
17. Confidentiality
All personal data is treated as confidential. Personnel are bound by contractual or statutory confidentiality obligations. These obligations survive termination.
18. Liability
Each party is liable for GDPR infringements in proportion to its responsibility. Liability is limited to direct damages and shall not exceed the total fees paid in the 12 months preceding the claim. This does not limit liability for willful misconduct or gross negligence.
19. Mediation and Jurisdiction
This DPA is governed by Spanish and EU law. Disputes are subject to the courts in Las Palmas de Gran Canaria, Spain. The parties agree to attempt good-faith mediation before litigation.
20. Termination
Upon termination, the Processor deletes or returns all personal data within 90 days and provides written certification on request. Confidentiality, liability, and jurisdiction provisions survive termination.
21. General Provisions
This DPA and its schedules constitute the entire data processing agreement. Amendments require 30 days' notice. If any provision is held invalid, the remaining provisions continue in full force.
Schedule I: Technical and Organizational Security Measures
The Processor implements: TLS 1.2+ and AES-256 encryption, secure password hashing, least-privilege access controls, regular vulnerability scanning and penetration testing, automated backups and disaster recovery, incident response and breach notification procedures, employee security training and confidentiality agreements, physical data center security, and access logging and monitoring.
Schedule II: Standard Contractual Clauses
For transfers outside the EEA, the parties adopt the SCCs per Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor). The parties complete and execute the necessary SCC annexes.
Annex I: Parties and Transfer Description
Data exporter (Controller): the Customer. Data importer (Processor): Fabian Schucht, trading as Iteration Layer, Calle General Vives 1, 6E, 35006 Las Palmas de Gran Canaria, Spain. Data transferred: account data (names, emails), usage data (API logs, sessions), technical data (IPs, device info), and content data (documents, images). Purpose: provision of the Iteration Layer platform and API services per Section 2.