Data processing agreement
GDPR & CCPA compliance

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) forms part of the Terms of Use provided by Abstract API Inc. (“Abstract”) and entered into by and between Abstract and you (the “Customer”), to the extent set forth in the Terms of Use (this DPA and the Terms of Use, together, the “Agreement”). 

In the course of providing the Site and related services to the Customer pursuant to the Agreement, Abstract may Process Personal Data on behalf of the Customer, and the Parties hereby agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement have the following meaning:

1.1.1 “Customer Personal Data” means any Personal Data Processed by Abstract or a Subprocessor on behalf of the Customer pursuant to or in connection with the Agreement.

1.1.2 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

1.1.3 “Data Transfer” means:

1.1.3.1 a transfer of Customer Personal Data from the Customer to the Processor or a Subprocessor; or

1.1.3.2 an onward transfer of the Customer Personal Data from Abstract to a Subprocessor, or between two establishments of Subprocessors, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).

1.1.4 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

1.1.5 “GDPR” means EU General Data Protection Regulation 2016/679.

1.1.6 “Party” means each of Abstract and the Customer. 

1.1.7 “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

1.1.8 “Services” means the services provided by Abstract in connection with the Site.

1.1.9 “Subprocessor” means any person or entity appointed by or on behalf of Abstract to process Customer Personal Data on behalf of the Customer in connection with the Agreement.

1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” have the same meaning as in the GDPR, and their cognate terms will be construed accordingly.

2. Processing of Company Personal Data

2.1 Roles of the Parties; Details of Processing. The Parties hereby acknowledge and agree that, with regard to the Processing of Personal Data, the Customer is the Controller and Abstract is the Processor.

2.2 Customer’s Processing of Personal Data. The Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For clarity, the Customer’s instructions for the Processing of Personal Data shall comply with Data Protection. The Customer has sole responsibility for the accuracy, quality, and legality of the Personal Data and the means by which the Customer acquired the Personal Data.

2.3 Abstract’s Processing of Personal Data. Abstract shall treat Personal Data as Confidential Information and shall (subject to the potential requirement described in the following sentence) only Process Personal Data on behalf of the Customer and in accordance with the Customer’s documented instructions for the following purposes: (1) Processing in accordance with this DPA or the Agreement; (2) Processing initiated by users of the Customer’s account in their use of the Services; and (3) Processing to comply with other documented reasonable instructions provided by the Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

3. Processor Personnel

3.1 Abstract shall take reasonable steps to ensure the reliability of its employees, agents, or contractors, and the employees, agents, or contractors of any Subprocessors, who have access to the Customer’s Personal Data, taking reasonable steps to ensure, in each case, that access is limited to those individuals who have a reasonable need to know or access the relevant Customer Personal Data, as reasonably necessary for the purposes of the Agreement, and to comply with Data Protections Laws and Regulations.

4. Security

4.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context,. and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Abstract shall, in relation to Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, Abstract shall take account in particular of the risks that are presented by Processing, in particular, from a Personal Data Breach.

5. Subprocessing

5.1 Abstract shall not appoint (or disclose any Customer Personal Data to) any Subprocessor, unless required to provide the Services or authorized by the Company.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, Abstract shall reasonably assist the Customer by implementing appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfilment of the Customer’s obligations, as reasonably understood by the Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 Abstract shall:

6.2.1 promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of the Customer or as required by applicable laws to which Abstract is subject, in which case Abstract shall, to the extent permitted by applicable laws, take reasonable steps inform the Customer of that legal requirement before it responds to the request.

7. Personal Data Breach

7.1 Abstract shall notify the Customer without undue delay upon it becoming aware of a Personal Data Breach affecting the Customer Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 Abstract shall cooperate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment


8.1 Abstract shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with any Supervising Authority (as defined in GDPR) or other competent data privacy authorities, that the Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of the Customer Personal Data by, and taking into account the nature of the Processing and information available to, Abstract.

9. Deletion or return of Company Personal Data

9.1 Abstract shall promptly, and in any event within 10 business days of the date of cessation of any Services involving the Processing of the Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of Customer Personal Data.

10. LIMITATION OF LIABILITY

10.1 Each Party’s liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the “Limitation of Liability” section set forth in the Agreement, and any reference in such section to the liability of a Party means the liability of that Party under the Agreement and this DPA.

11. Audit Rights

11.1 Abstract shall make available to the Company on request all information necessary to demonstrate compliance with this DPA, and shall allow for audits, including inspections by the Customer or an auditor mandated by the Customer, solely for the purpose of confirming Abstract’s compliance with this DPA, in relation to the Processing of Customer Personal Data by Abstract; provided, however, that any such audit is conducted in a way so as not to interfere with Abstract’s business operations, any such audit is limited to once per calendar year, and all parties involved in the audit agree to confidentiality terms acceptable to Abstract.

12. Data Transfer

12.1 Abstract shall not transfer or authorize the transfer of Customer Personal Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If Customer Personal Data is processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data. The Customer hereby authorizes the transfer of Customer Personal Data to the United States under such terms.

13. General Terms

13.1 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.

13.2 Governing Law and Jurisdiction.

13.2.1 This Agreement is governed by the laws of Nevada in the United States.

13.2.2 Any dispute arising in connection with this Agreement that the Parties are not able to resolve amicably must be submitted to the exclusive jurisdiction of the courts of Abstract’s locality.

13.3 EU Representative. For EU data protection matters, Abstract’s EU Representative is Redon Gjika. Mr. Gjika serves as the primary contact for both EU Supervisory Authorities and customers regarding data protection inquiries or complaints. Mr. Gjika can be reached directly at eu@abstractapi.com.

14. Attributions

Our Site incorporates data from the following data sets, each of which is licensed under the license set forth across from its name.

Data Set License
PeopleDataLabs Free Company Dataset Creative Commons Attribution 4.0 International (CC BY 4.0) License.
To comply with the terms of the license, please refer to the following:
Verizon Geofeed Community Data License Agreement - Permissive, Version 2.0 (CDLA-Permissive-2.0)
To comply with the terms of the license, please refer to the following:
T-Mobile Geofeed Apache-2.0 License
To comply with the terms of the license, please refer to the following:
MaxMind Database Creative Commons Attribution-ShareAlike 4.0 International License
To comply with the terms of the license, please refer to the following: