Data Processing Addendum

Effective: April 10, 2026

This Data Processing Addendum ("DPA") forms part of the CrimeLayer Terms of Service for enterprise customers who require a GDPR-compliant data processing relationship. To execute a signed copy, email [email protected] with your company details.

1. Definitions

  • Controller — the entity that determines the purposes and means of processing personal data
  • Processor — the entity that processes personal data on behalf of the Controller
  • Personal Data — any information relating to an identified or identifiable natural person, as defined in applicable data protection law

2. Parties and Role

For the purpose of this DPA, the CrimeLayer customer ("Customer") is the Controller, and CrimeLayer, Inc. ("CrimeLayer") is the Processor.

3. Processing Details

  • Subject matter: Provision of the CrimeLayer API and associated services
  • Duration: For the term of the subscription plus the retention periods set forth in the Privacy Policy
  • Nature and purpose: Authentication, billing, rate limiting, usage analytics
  • Types of personal data: Customer account information (email, name), API usage logs (hashed key IDs), billing records
  • Categories of data subjects: Customer's authorized users and administrators

4. Customer Obligations

The Customer warrants that:

  • It has a lawful basis to provide personal data to CrimeLayer
  • It has obtained necessary consents and notices from its users
  • Its instructions to CrimeLayer comply with applicable law

5. CrimeLayer Obligations

CrimeLayer shall:

  • Process personal data only on documented instructions from the Customer
  • Ensure personnel with access to personal data are bound by confidentiality
  • Implement appropriate technical and organizational measures (see /security)
  • Assist the Customer with data subject requests within 30 days
  • Notify the Customer of any personal data breach without undue delay

6. Sub-Processors

CrimeLayer uses the sub-processors listed in the Privacy Policy. CrimeLayer will notify Customers of changes to its sub-processor list with at least 30 days' notice. Customers may object in writing to new sub-processors.

7. International Data Transfers

Where CrimeLayer transfers personal data outside the EEA or UK, CrimeLayer relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other lawful transfer mechanisms.

8. Data Subject Rights

CrimeLayer will assist the Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within 30 days of receiving the request from the Customer.

9. Audit Rights

Customers may request an audit of CrimeLayer's processing activities once per year, subject to reasonable notice and confidentiality terms. CrimeLayer may fulfill audit obligations by providing SOC 2 or similar third-party audit reports when available.

10. Term and Termination

This DPA is effective from the date of signature and remains in effect for the duration of the underlying subscription, plus the retention periods required by law.

11. Contact

To execute a DPA, contact: [email protected]

An executed, signed DPA will take precedence over this published version for customers who have completed the signature process.