Data Processing Agreement

• Controller: The customer who determines the purposes and means of processing personal data.
• Processor: Basanta SEO API, which processes data on behalf of the Controller.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on personal data, including collection, storage, use, and deletion.

Basanta SEO API processes the following categories of data on behalf of customers:

• API request logs (domains/URLs queried, timestamps, response data)
• Account identifiers (email address, API key)
• IP addresses for rate limiting and security purposes

The purpose of processing is to provide the API service, enforce rate limits, ensure security, and improve service quality.

As Processor, Basanta SEO API shall:

• Process personal data only on documented instructions from the Controller
• Ensure that personnel authorized to process data are bound by confidentiality
• Implement appropriate technical and organizational security measures
• Not engage sub-processors without prior authorization (or provide a general authorization subject to notification)
• Assist the Controller in responding to data subject requests where technically feasible
• Delete or return personal data upon termination of services, at the Controller's request
• Provide information necessary to demonstrate compliance with this DPA

The Controller agrees to:

• Ensure a lawful basis exists for any personal data submitted to the API
• Only submit data that is necessary for the intended API use case
• Comply with applicable data protection laws in their jurisdiction
• Not instruct the Processor to process data in ways that violate applicable law

Basanta SEO API maintains appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure. These include encrypted data transmission, access controls, and routine security reviews.

We may use sub-processors for infrastructure, analytics, and payment processing. A list of current sub-processors is available upon request. We provide reasonable notice of any sub-processor changes.

If personal data is transferred outside the EEA or other jurisdictions with data protection requirements, we will ensure appropriate safeguards are in place, such as standard contractual clauses or other approved transfer mechanisms.

API usage logs containing request data are retained for up to 90 days for security and debugging purposes. Upon account closure or written request, we will delete personal data within a reasonable timeframe, except where retention is required by law.

This DPA remains in effect for the duration of the service agreement. Upon termination, the Processor will securely delete or return personal data as directed.

To execute a formal DPA for enterprise or compliance purposes, or for any data protection inquiries, contact us at support@seo.basantasapkota.com.