Data Processing Agreement
Version 1.0 · Effective: March 2026 · Governing law: Republic of Poland
ℹ️ How to use this DPA: This template documents the data processing relationship between you (Controller) and HumanKey (Processor) as required by GDPR Article 28. Fill in the fields marked [ ], sign both copies, and retain one each. Enterprise customers receive a countersigned DPA; contact us via our contact form.
§Article 1 — Parties and Definitions
1.1 Controller
Legal name: [ ]
Address: [ ]
Contact: [ ]
(hereinafter "Controller" or "you")
1.2 Processor
Legal name: HumanKey (ChainGuard project)
Service: AI crawler analytics and bot detection platform
Website: humankey.io
Data residency: EU (Germany + Netherlands)
(hereinafter "Processor" or "HumanKey")
1.3 Definitions
Terms used in this DPA have the meanings set out in the GDPR (EU) 2016/679: "personal data", "processing", "data subject", "supervisory authority", "controller", "processor", "sub-processor". "Services" means the HumanKey bot detection and AI crawler analytics services provided under the Terms of Service.
§Article 2 — Subject Matter and Duration
2.1 Subject Matter
The Processor processes personal data on behalf of the Controller for the purpose of providing AI crawler detection, bot classification, and web traffic analytics services as described in the HumanKey Terms of Service.
2.2 Duration
This DPA is effective from [ ] and remains in force for the duration of the Controller's active subscription to HumanKey Services, until termination of the Terms of Service, or until the data processing relationship ends, whichever is earliest.
§Article 3 — Nature and Purpose of Processing
| Aspect | Description |
|---|---|
| Nature | Collection, storage, classification, analysis, and deletion of visitor traffic data from the Controller's website(s). Processing is automated. |
| Purpose | Detecting and classifying AI crawlers and bots visiting the Controller's website; generating analytics reports; providing bot blocking API responses; maintaining timestamped records for the Controller's compliance and legal purposes. |
| Legal basis | GDPR Article 6(1)(f) — legitimate interests of the Controller in protecting website content and maintaining accurate analytics. Processing is performed exclusively per Controller's documented instructions. |
§Article 4 — Types of Personal Data and Categories of Data Subjects
4.1 Types of Personal Data Processed
| Data Field | Format Stored | Retention |
|---|---|---|
| IP Address | SHA-256 hash with daily rotating salt — irreversibly pseudonymized | Per plan (7–365 days) |
| HTTP User-Agent | Truncated to 200 characters | Per plan (7–365 days) |
| Page URL | Full URL path (no query parameters containing PII) | Per plan (7–365 days) |
| HTTP Referrer | Domain and path only | Per plan (7–365 days) |
| Timestamp | UTC datetime of request | Per plan (7–365 days) |
| Bot classification result | Boolean flag + bot identifier (non-personal) | Per plan (7–365 days) |
Retention periods by plan: Free = 7 days, Pro = 30 days, Business = 90 days, Enterprise = 365 days. Automated deletion runs daily at 03:00 UTC.
4.2 Categories of Data Subjects
Visitors (human or automated) to the Controller's website(s) registered with HumanKey. The data subjects are not identified by name or contact details; they are represented only by the pseudonymized data fields listed above.
§Article 5 — Processor Obligations (Art. 28(3) GDPR)
The Processor agrees to all of the following obligations:
5.1 Process only on documented instructions
The Processor shall process personal data only on documented instructions from the Controller. If the Processor is required by EU or Member State law to process data beyond Controller's instructions, it shall inform the Controller before processing, unless prohibited by law.
5.2 Confidentiality
The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR). Current measures include:
- Encryption in transit: TLS 1.3 on all endpoints
- Encryption at rest: AES-256 (Neon DB managed encryption)
- IP pseudonymization: SHA-256 hash with daily rotating salt (irreversible per-day)
- API key security: bcrypt-hashed secret keys, never stored in plaintext
- Access control: JWT tokens with 15-minute expiry; 7-day rotating refresh tokens
- Rate limiting: Redis-backed, mandatory in production
- Automated retention enforcement: daily cron at 03:00 UTC
- Error monitoring: Sentry with PII stripping configured
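As an added illustration (not HumanKey's own code), the following Python sketches the per-day salted SHA-256 IP pseudonymization and the plan-based retention purge described in Articles 4.1 and 5.3; the in-memory salt store, the fixed clock and the sample visit records are constructed for the demo.

```python
import hashlib
import secrets
from datetime import date, datetime, timedelta, timezone

# Retention periods per plan as stated in Article 4.1 of the DPA.
RETENTION_DAYS = {"free": 7, "pro": 30, "business": 90, "enterprise": 365}

# Constructed in-memory salt store: one random 32-byte salt per UTC day.
# A deployment would keep this in a secret store; the dict is illustrative.
_daily_salts: dict[date, bytes] = {}


def salt_for_day(day: date) -> bytes:
    # Generate a fresh random salt the first time a UTC day is seen.
    if day not in _daily_salts:
        _daily_salts[day] = secrets.token_bytes(32)
    return _daily_salts[day]


def pseudonymize_ip(ip: str, when: datetime) -> str:
    """SHA-256 over (day salt || IP): same IP on the same UTC day gives the same
    digest (linkable within a day); another day's salt breaks cross-day linkage."""
    day = when.astimezone(timezone.utc).date()
    return hashlib.sha256(salt_for_day(day) + ip.encode("ascii")).hexdigest()


def discard_salts_before(day: date) -> int:
    """Drop salts for days earlier than `day`; return how many were removed.
    Without the salt, stored digests cannot be recomputed from candidate IPs,
    which is what makes the pseudonymization irreversible per day."""
    old = [d for d in _daily_salts if d < day]
    for d in old:
        del _daily_salts[d]
    return len(old)


def purge_expired(records: list[dict], plan: str, now: datetime) -> list[dict]:
    # Keep only records inside the plan's retention window (what the daily
    # 03:00 UTC job would leave behind). Each record carries a UTC-aware 'ts'.
    cutoff = now - timedelta(days=RETENTION_DAYS[plan])
    return [r for r in records if r["ts"] >= cutoff]


NOW = datetime(2026, 3, 15, 3, 0, tzinfo=timezone.utc)  # constructed clock
SAMPLE_RECORDS = [{"ts": NOW - timedelta(days=d)} for d in (40, 10, 0)]  # constructed


def demo() -> dict:
    ip = "203.0.113.7"  # constructed TEST-NET-3 address
    today = pseudonymize_ip(ip, NOW)
    return {
        "same_day_linkable": today == pseudonymize_ip(ip, NOW),
        "cross_day_unlinkable": today != pseudonymize_ip(ip, NOW - timedelta(days=1)),
        "kept_free": len(purge_expired(SAMPLE_RECORDS, "free", NOW)),
        "kept_pro": len(purge_expired(SAMPLE_RECORDS, "pro", NOW)),
        "salts_discarded": discard_salts_before(NOW.date()),
    }
```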
5.4 Sub-processors
The Processor shall not engage sub-processors without the Controller's general written authorization. The following sub-processors are currently authorized:
| Sub-processor | Role | Location |
|---|---|---|
| Neon (Neondatabase Inc.) | PostgreSQL database — primary data storage | Germany (Azure Frankfurt) |
| Railway Corporation | API server hosting, Redis cache | Netherlands (EU West) |
| Sentry (Functional Software Inc.) | Error monitoring (PII-stripped) | EU (sentry.io EU region) |
| Vercel Inc. | Frontend CDN hosting (no personal data stored) | EU-routed CDN |
All primary data storage is within the EU. No personal data is transferred outside the EEA. The Processor will inform the Controller of any intended changes to sub-processors with at least 14 days' notice, giving the Controller the opportunity to object.
5.5 Assist the Controller with data subject rights
The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) to the extent technically possible. HumanKey provides automated data export and deletion endpoints accessible via the dashboard and API.
5.6 Assist with security obligations
The Processor shall assist the Controller in ensuring compliance with Arts. 32–36 GDPR (security, breach notification, DPIA, prior consultation) insofar as such assistance relates to the Processor's Services. A public DPIA is available at /legal/dpia.
5.7 Deletion or return upon termination
Upon termination of the Services, the Processor shall, at the Controller's choice, delete or return all personal data and delete existing copies, unless EU or Member State law requires storage. The Controller may export their data via the dashboard at any time before termination. After account deletion, all personal data is purged within 24 hours.
5.8 Provide information and enable audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and shall allow for and contribute to audits conducted by the Controller or a mandated auditor, with reasonable notice (minimum 30 days) and during normal business hours. Audit costs are borne by the Controller.
§Article 6 — Controller Obligations
The Controller agrees to:
- Provide lawful instructions for processing and update them as needed
- Ensure a valid legal basis exists for the processing (Art. 6 GDPR)
- Fulfill obligations toward data subjects (privacy notice, DSR handling)
- Notify HumanKey promptly of any changes to instructions
- Maintain the confidentiality of API keys and access credentials
§Article 7 — Liability and Indemnification
Each party shall be liable for damages caused by its own breach of this DPA and the GDPR. The Processor shall not be liable for processing performed in accordance with documented Controller instructions. Liability is subject to the limitations set forth in the HumanKey Terms of Service.
§Article 8 — Governing Law and Jurisdiction
This DPA is governed by the law of [ ] (Controller's jurisdiction, provided it is an EU Member State or EEA jurisdiction). Disputes shall be resolved by the competent courts of [ ]. Where the GDPR applies, supervisory authority jurisdiction is determined by the Controller's establishment.
§Article 9 — Signatures
On behalf of the Controller
Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: ___________________________
On behalf of HumanKey (Processor)
Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: ___________________________
Enterprise customers: Contact us via our contact form to receive a countersigned DPA with your organization's details pre-filled. All HumanKey Enterprise plans include a signed DPA as standard.
This DPA template is provided for informational purposes. HumanKey recommends you review it with your legal counsel before signing. Last updated: March 2026.