
Data Processing Agreement

Last updated: December 20, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ScrapeBadger ("Processor", "we", "us") and the customer ("Controller", "you") using our web scraping API services. This DPA applies when we process personal data on your behalf.

1. Definitions

  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR (EU), UK GDPR, CCPA (California), and other similar regulations
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, transmission, and deletion
  • "Data Subject" means the individual to whom Personal Data relates
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data (you)
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (ScrapeBadger)

2. Scope and Roles

2.1 Role of the Parties

Important: For data you retrieve using our scraping APIs, you are the Data Controller and ScrapeBadger acts as a Data Processor. You determine what data to collect and how to use it.

2.2 Scope of Processing

This DPA applies to the processing of Personal Data that:

  • You retrieve through our API services
  • We process in the course of providing our services (e.g., account data, usage logs)
  • Is transmitted through our infrastructure during API requests

3. Data Processing Details

Subject Matter | Provision of web scraping API services
Duration | Duration of your use of our Services
Nature and Purpose | Retrieval and transmission of data from third-party sources via API requests
Type of Personal Data | May include: names, usernames, profile information, public posts, contact details (as determined by your API requests)
Categories of Data Subjects | Users of third-party platforms whose public data you request through our APIs

4. Processor Obligations

As your Data Processor, ScrapeBadger agrees to:

4.1 Processing Instructions

  • Process Personal Data only on your documented instructions
  • Immediately inform you if we believe an instruction infringes Data Protection Laws
  • Not process Personal Data for any purpose other than providing our Services

4.2 Confidentiality

  • Ensure all personnel processing Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel who need access to perform their duties

4.3 Security Measures

Implement appropriate technical and organizational measures including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Incident detection and response procedures
  • Regular backups and disaster recovery capabilities
  • Employee security training

4.4 Data Retention

Note: ScrapeBadger does not retain scraped Personal Data. Data retrieved through our APIs is transmitted directly to you and is not stored on our systems beyond the immediate request lifecycle (typically seconds).

4.5 Assistance

We will assist you, at your cost, with:

  • Responding to Data Subject requests (access, rectification, erasure, portability)
  • Data protection impact assessments
  • Prior consultation with supervisory authorities
  • Demonstrating compliance with Data Protection Laws

5. Controller Obligations

As Data Controller, you agree to:

  • Ensure you have a lawful basis for collecting Personal Data through our Services
  • Provide clear instructions regarding the processing of Personal Data
  • Comply with all applicable Data Protection Laws
  • Respond to Data Subject requests in accordance with legal requirements
  • Ensure that your use of scraped data respects the rights of Data Subjects
  • Implement appropriate security measures for Personal Data you receive
  • Not instruct us to process Personal Data in a way that violates Data Protection Laws

6. Sub-processors

6.1 Authorization

You authorize us to engage Sub-processors to assist in providing our Services. We maintain a list of current Sub-processors below.

6.2 Current Sub-processors

Sub-processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure and hosting | USA (with EU regions available)
Google Cloud Platform | Cloud infrastructure | USA (with EU regions available)
Stripe | Payment processing | USA
Cloudflare | CDN and DDoS protection | Global

6.3 Sub-processor Changes

We will notify you of any intended changes to Sub-processors at least 30 days in advance. You may object to a new Sub-processor by notifying us within 14 days. If we cannot address your objection, you may terminate the affected Services.

7. International Data Transfers

7.1 Transfer Mechanisms

When Personal Data is transferred outside the EEA/UK, we ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) where applicable
  • Adequacy decisions where available
  • Binding Corporate Rules where applicable

7.2 Additional Safeguards

We implement supplementary measures including encryption, access controls, and contractual commitments to protect transferred data.

8. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests, including:

  • Right of Access: Providing copies of Personal Data we process
  • Right to Rectification: Correcting inaccurate Personal Data
  • Right to Erasure: Deleting Personal Data upon valid request
  • Right to Restriction: Limiting processing as required
  • Right to Portability: Providing data in machine-readable format
  • Right to Object: Ceasing processing upon valid objection

9. Security Incidents

9.1 Notification

We will notify you without undue delay (and within 48 hours where feasible) after becoming aware of a Personal Data breach affecting data we process on your behalf.

9.2 Breach Notification Contents

Our notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records concerned
  • Name and contact details of our data protection contact
  • Description of likely consequences
  • Description of measures taken or proposed to address the breach

10. Audits

We will make available to you all information necessary to demonstrate compliance with this DPA and allow for audits by you or an independent auditor.

  • Audits must be conducted with reasonable notice (minimum 30 days)
  • Audits shall not unreasonably disrupt our business operations
  • You shall bear the costs of any audit you request
  • Audit findings shall be treated as confidential information

11. Data Deletion and Return

Upon termination of our Services or upon your request, we will:

  • Delete all Personal Data processed on your behalf within 30 days
  • Provide certification of deletion upon request
  • Return Personal Data in a structured, machine-readable format if requested

We may retain Personal Data as required by applicable laws, in which case we will continue to protect it in accordance with this DPA.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted by law.

13. Term and Termination

This DPA shall remain in effect for as long as we process Personal Data on your behalf. The obligations in this DPA shall survive termination to the extent necessary to protect Personal Data.

14. Contact Information

For questions about this DPA or data processing matters:

ScrapeBadger Data Protection Officer

Email: dpo@scrapebadger.com

For urgent data breach reports, use subject line "URGENT: Data Breach"

Appendix A: Technical and Organizational Measures

ScrapeBadger implements the following security measures:

A.1 Access Control

  • Role-based access control (RBAC) for all systems
  • Multi-factor authentication for administrative access
  • Regular access reviews and revocation procedures
  • Unique user credentials for all personnel

A.2 Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • Secure key management practices

A.3 Network Security

  • Firewalls and intrusion detection systems
  • DDoS protection
  • Network segmentation
  • Regular vulnerability scanning

A.4 Physical Security

  • Data center certifications (SOC 2, ISO 27001)
  • Physical access controls
  • Environmental controls

A.5 Incident Response

  • Documented incident response procedures
  • 24/7 security monitoring
  • Regular incident response testing
  • Post-incident review and improvement processes