Data Processing Agreement

Last updated: 3 April 2026 — Incorporates EU Standard Contractual Clauses (2021/914)

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Customer (“Data Controller”) and UtilsForAgents (“Data Processor”). It governs the processing of personal data submitted to the UtilsForAgents API.

1. Definitions

2. Scope & Nature of Processing

The Processor processes Personal Data solely to provide the Services as instructed by the Controller. The nature of processing is:

Subject Matter: Stateless API processing of data submitted by the Controller via HTTP requests.

Duration: For the duration of each individual API request only (milliseconds to seconds). No data persists after the response is sent.

Nature: Computation, transformation, extraction, and scrubbing of submitted data.

Purpose: To provide JSON diffing, image metadata extraction/scrubbing, HTML-to-Markdown conversion, text extraction, and URL metadata extraction as requested by the Controller.

Types of Personal Data:

Categories of Data Subjects: Any individuals whose personal data is embedded in content submitted by the Controller (e.g., photographed individuals, website visitors, content authors).

3. Controller Obligations

The Controller shall:

  1. Ensure there is a lawful basis under Art. 6 GDPR for submitting Personal Data to the Service
  2. Provide appropriate notice to data subjects regarding processing via third-party API services
  3. Conduct a Data Protection Impact Assessment (DPIA) where required by Art. 35 GDPR, particularly when processing image data containing biometric or location data at scale
  4. Not submit special categories of data (Art. 9 GDPR) unless the Controller has established a lawful basis and obtained the explicit consent of the data subjects
  5. Promptly notify the Processor of any data subject request that requires the Processor’s assistance

4. Processor Obligations

The Processor shall:

  1. Process only on documented instructions (Art. 28(3)(a)) — Process Personal Data only as necessary to perform the Services. The Processor’s documented instructions are the API specifications in the Terms of Service.
  2. Confidentiality (Art. 28(3)(b)) — Ensure all persons authorised to process Personal Data are bound by confidentiality obligations.
  3. Security (Art. 28(3)(c), Art. 32) — Implement appropriate technical and organisational measures, including:
    • Encryption of all data in transit (TLS 1.2+)
    • V8 isolate sandboxing per request (process-level isolation)
    • No persistent storage of Personal Data (stateless architecture)
    • SSRF protections preventing access to internal networks
    • Request size limits preventing denial-of-service
    • Access logging limited to 14 days for security purposes
  4. Sub-Processors (Art. 28(3)(d)) — Engage Sub-Processors only with prior general written authorisation of the Controller (see Section 6).
  5. Data subject assistance (Art. 28(3)(e)) — Assist the Controller in responding to data subject requests, taking into account the nature of processing (stateless, ephemeral).
  6. Breach notification (Art. 28(3)(f), Art. 33) — Notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a Personal Data breach.
  7. Deletion (Art. 28(3)(g)) — Delete all Personal Data after the end of processing. As the Service is stateless, this is satisfied by design: no Personal Data persists after the API response.
  8. Audit rights (Art. 28(3)(h)) — Make available all information necessary to demonstrate compliance. The Controller may request a summary of the Processor’s security measures once per year.

5. Data Breach Notification

In the event of a Personal Data breach (as defined in Art. 4(12) GDPR), the Processor shall:

  1. Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach
  2. Provide the following information (to the extent available):
    • Nature of the breach, categories and approximate number of data subjects and records affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
    • Contact point for further information
  3. Cooperate with the Controller in investigating and remediating the breach
  4. Maintain a register of all Personal Data breaches

Given the stateless nature of the Service, the risk of data breach is limited to:

6. Sub-Processors

The Controller provides general written authorisation for the Processor to engage Sub-Processors. The current list of Sub-Processors is:

Sub-Processor: Cloudflare, Inc.
Purpose: Edge compute (Workers runtime), CDN, DDoS protection, access logging
Location: Global (nearest edge to caller; EU data centres available)
Safeguards: Cloudflare DPA, EU SCCs, ISO 27001, SOC 2 Type II, C5

The Processor shall inform the Controller of any intended addition or replacement of Sub-Processors at least 30 days before engagement, by updating this page and sending notice to the Controller’s registered email (if provided). The Controller may object to a new Sub-Processor by written notice within 14 days.

7. International Transfers

Where Personal Data is transferred outside the EU/EEA, the parties agree that the transfer shall be subject to the EU Standard Contractual Clauses (SCCs) as set out in Annex I below.

Supplementary measures for international transfers:

8. Standard Contractual Clauses (Reference)

SCC Module Selection

This DPA incorporates by reference the Standard Contractual Clauses (SCCs) adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

Applicable Module: Module Two — Controller to Processor

The full text of the SCCs is available at: Commission Implementing Decision (EU) 2021/914

Annex I — List of Parties

Data Exporter (Controller): The Customer as identified in the Terms of Service.

Data Importer (Processor):

[Your Legal Entity Name]
[Address]
Contact: privacy@utilsforagents.com
Role: Processor

Annex I.B — Description of Transfer

Categories of data subjects: Individuals whose personal data is embedded in content submitted by the Controller (photographed individuals, content authors, website visitors)

Categories of personal data: Image EXIF metadata (GPS, device IDs, timestamps, creator names); text content with personal information; URLs with personal identifiers

Sensitive data: None intended. The Controller should not submit Art. 9 special category data without an explicit lawful basis.

Frequency of transfer: Continuous, per API call

Nature of processing: Stateless computation: diffing, transformation, extraction, scrubbing

Purpose of processing: Provision of UtilsForAgents API Services as described in the Terms

Retention period: 0 (ephemeral; no payload data persists). Access logs: 14 days.

Annex I.C — Competent Supervisory Authority

The supervisory authority of [Member State of the Data Exporter / Controller’s establishment], or where the Controller is not established in the EU, the supervisory authority of the Member State of the Data Exporter’s EU representative.

Annex II — Technical & Organisational Measures

The Processor implements the following measures pursuant to Clause 8.6(a) of the SCCs:

  1. Encryption in transit: All API traffic over TLS 1.2+ (HTTPS enforced at edge)
  2. Encryption at rest: N/A — no Personal Data stored at rest
  3. Process isolation: Each request executes in a dedicated V8 isolate (Cloudflare Workers), with no shared memory between requests
  4. No persistent storage: Stateless architecture; no databases, file systems, or caches store Personal Data
  5. Network security: SSRF protection blocks requests to private networks, localhost, and cloud metadata endpoints
  6. Input validation: Request size limits (5 MB upload, 2 MB remote fetch), content-type validation, schema validation
  7. Access control: No human access to request payloads; processing is fully automated
  8. Logging: Access logs (IP, path, status code, user-agent) retained 14 days; no payload content logged
  9. Incident management: Breach notification within 48 hours; incident register maintained
  10. Edge deployment: Cloudflare’s global network with DDoS protection, rate limiting, and WAF

Annex III — List of Sub-Processors

Name: Cloudflare, Inc.
Address: 101 Townsend St, San Francisco, CA 94107, USA
Processing Description: Edge compute runtime, CDN, DDoS protection, access logging
Location: Global (200+ cities; EU edge nodes available)

9. Liability & Indemnification

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party’s liability for breaches of GDPR obligations that cannot be limited under applicable law.

10. Term & Termination

This DPA takes effect when the Controller first uses the Service and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller.

Upon termination, the Processor shall delete all Personal Data. Given the stateless nature of the Service, this obligation is satisfied by design — no Personal Data persists beyond individual API requests. Access logs containing IP addresses will be deleted per the standard 14-day retention schedule.

11. Precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters. In the event of a conflict between this DPA and the SCCs, the SCCs shall prevail.

12. Contact

For DPA-related enquiries:
privacy@utilsforagents.com

To request a signed copy of this DPA or the SCCs, email the above address with subject line “DPA Request”.