Data Processing Agreement

Last updated: April 21, 2026

This Data Processing Agreement (the "DPA") forms part of the agreement between FEELTECH ("Processor") and the Customer ("Controller") for the provision of the RDAP API service (the "Service"), and governs the processing of personal data by the Processor on behalf of the Controller, in accordance with Article 28 of Regulation (EU) 2016/679 (the "GDPR").

It is designed to be directly binding without negotiation. The Controller accepts this DPA by subscribing to the Service. A counter-signed copy is available on written request to [email protected].

1. Definitions

Terms used in this DPA that are not defined here have the meaning given to them in the GDPR. In particular, "personal data", "processing", "controller", "processor", "data subject", "sub-processor", "supervisory authority", and "personal data breach" have the meaning set out in Article 4 of the GDPR. "Service Agreement" refers to the Terms of Service between FEELTECH and the Controller.

2. Parties and Roles

  • Processor: FEELTECH, a French limited liability company (SARL), registered office 110 rue de Fontenay, 94300 Vincennes, France, SIREN 443 191 754 (R.C.S. Créteil). Full identification is set out in our Legal Notice.
  • Controller: the natural or legal person identified in the Controller's account on the Service.
  • For the processing covered by this DPA, the Processor acts on behalf of the Controller. For processing carried out by the Processor for its own purposes (for example, identification of its own customer, billing, tax compliance, or security), the Processor acts as an independent controller, as described in our Privacy Policy.

3. Subject Matter, Duration, Nature and Purpose

  • Subject matter. Processing of personal data necessary to provide the Service to the Controller, as described in the Service Agreement.
  • Nature and purpose. Account management, authentication, delivery of RDAP API responses, enforcement of plan quotas and rate limits, billing and payment, transactional communications, abuse prevention, and compliance with legal obligations.
  • Duration. This DPA takes effect on the date the Controller first subscribes to the Service and remains in force for as long as the Processor processes personal data on behalf of the Controller under the Service Agreement, plus any post-termination obligations set out in §13.

4. Categories of Data Subjects and Personal Data

The personal data processed by the Processor on behalf of the Controller is limited to what is necessary to provide the Service. Categories are as follows:

  • Data subjects. The Controller and the natural persons authorised by the Controller to access the Service (for example, the Controller's staff holding valid credentials).
  • Account data. Full name, email address, hashed password.
  • Billing data. Stripe customer identifier, last four digits of the payment instrument, billing address where provided. Full payment credentials are processed directly by Stripe and are not accessible to the Processor.
  • Usage data. API request metadata, including query type, queried domain name, response time, cache status, timestamp, and the authenticated user identifier.
  • Technical data. Session identifiers. IP addresses and user agents may appear transiently in web server access logs, which are rotated and discarded. They are also processed by Cloudflare as part of inbound traffic handling.

No special categories of personal data within the meaning of Article 9 of the GDPR are processed by the Processor on behalf of the Controller.

5. Controller Obligations

  • The Controller warrants that it has a valid legal basis under the GDPR for the processing instructed to the Processor and that, where required, it has obtained the informed consent of the data subjects.
  • The Controller is responsible for the accuracy, quality, and legality of the personal data submitted to the Service, and for the instructions given to the Processor.
  • The Controller undertakes to respond, within the time limits set by the GDPR, to any data subject request concerning personal data that it has submitted to the Service.

6. Processor Obligations

The Processor undertakes to:

  • Process only on documented instructions. Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law, in which case the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Service Agreement, this DPA, and the Controller's use of the Service through its account constitute the Controller's documented instructions.
  • Confidentiality. Ensure that persons authorised to process the personal data are bound by confidentiality obligations. As at the date of this DPA, the Processor operates as a single-person company; the sole individual with access is bound by confidentiality obligations as company director under French law.
  • Security. Implement appropriate technical and organisational measures pursuant to Article 32 of the GDPR, as described in our Technical and Organisational Measures.
  • Sub-processors. Engage sub-processors only under the conditions set out in §7.
  • Assistance to the Controller. Assist the Controller, by appropriate technical and organisational measures and insofar as possible, for the fulfilment of its obligations to respond to requests for exercising data subject rights, and its obligations pursuant to Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessment, and prior consultation with the supervisory authority).
  • Return and deletion. At the choice of the Controller, delete or return all personal data to the Controller at the end of the provision of the Service, and delete existing copies, under the terms set out in §13.
  • Information and audits. Make available to the Controller the information necessary to demonstrate compliance with the obligations under Article 28 of the GDPR, and allow for and contribute to audits as set out in §12.

7. Sub-processors

  • The Controller provides general authorisation for the Processor to engage the sub-processors listed in our Privacy Policy, §6.
  • The Processor imposes on each sub-processor the same data protection obligations as those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
  • The Processor will notify the Controller in advance of any intended addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes. If the Controller has a reasonable objection, it may terminate the Service Agreement by written notice, and the Processor will refund on a pro-rata basis any prepaid fees covering the period after termination.
  • The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.

8. International Data Transfers

  • The Processor's primary hosting, billing, and operational infrastructure is located inside the European Union.
  • Transfers of personal data to sub-processors located outside the European Economic Area (Cloudflare, Backblaze, Mailgun) are governed by the Standard Contractual Clauses (Module Two, Controller to Processor) adopted by the European Commission in Implementing Decision (EU) 2021/914.
  • Where required, the Processor and the relevant sub-processor implement supplementary measures, including encryption in transit and at rest for the data concerned.

9. Security Measures

The Processor implements the technical and organisational measures described in our Technical and Organisational Measures, which constitute Annex 1 to this DPA. The measures are reviewed periodically and updated as appropriate.

10. Assistance with Data Subject Rights

  • The Service provides the Controller with self-service tools to access, correct, export, and delete its account data and the personal data submitted through its account.
  • Where a data subject addresses a request directly to the Processor, the Processor will, unless legally required to respond itself, promptly forward the request to the Controller and will not respond to the data subject directly without the Controller's instructions.
  • The Processor will assist the Controller, by appropriate technical and organisational measures and insofar as reasonably possible, in responding to data subject requests within the time limits set by the GDPR.

11. Personal Data Breach Notification

  • The Processor will notify the Controller without undue delay, and in any case within 72 hours after becoming aware of a personal data breach affecting the Controller's personal data.
  • The notification will describe, insofar as the information is available at the time, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
  • The Processor will notify the competent supervisory authority (in France, the CNIL) within 72 hours where required under Article 33 of the GDPR, and will cooperate with the Controller in fulfilling any notification duties the Controller has under Articles 33 and 34 of the GDPR.
  • Breach reports and security incidents may be raised at any time to [email protected].

12. Audits and Inspections

  • The Processor will make available to the Controller, on written request, the information necessary to demonstrate compliance with this DPA, including an up-to-date copy of the Technical and Organisational Measures, the current sub-processor list, and any third-party certifications held by sub-processors (for example, ISO 27001).
  • Where the Controller reasonably demonstrates that the documentation made available is insufficient to demonstrate compliance, the Controller may request a written questionnaire or a video conference with the Processor, no more than once per calendar year, unless a specific security incident justifies a further review. Such reviews are carried out at the Controller's own cost.
  • Nothing in this DPA restricts the audit and investigation powers of the competent supervisory authority.

13. Return and Deletion of Data

  • At the end of the Service Agreement, the Controller may request, in writing and within 30 days of termination, the return of its personal data in a commonly used electronic format.
  • In the absence of such a request, or once the return has been completed, the Processor will delete the personal data processed on behalf of the Controller from its production systems within 30 days of termination.
  • Encrypted off-site backups are retained for up to 30 days from the date of the relevant backup and are automatically deleted thereafter through the lifecycle policy described in our Technical and Organisational Measures, §6.
  • Accounting records associated with invoices issued to the Controller are retained for the period required by French commercial law (10 years), in accordance with a legal obligation incumbent on the Processor.

14. Liability

Each party's liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the Service Agreement. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under applicable law, including liability under Article 82 of the GDPR.

15. Term and Termination

This DPA takes effect upon the Controller's first subscription to the Service and remains in force for the duration of the Service Agreement and, thereafter, for as long as the Processor processes personal data on behalf of the Controller. The obligations set out in §11 and §13 survive termination.

16. Changes to this DPA

The Processor may update this DPA from time to time, provided that no update will reduce the level of protection afforded to personal data. Material changes will be notified to the Controller via email and through our public changelog before they take effect.

17. Governing Law and Jurisdiction

This DPA is governed by French law. Any dispute arising out of or in connection with this DPA falls under the exclusive jurisdiction of the competent courts of Créteil, France, without prejudice to the rights of consumers under Regulation (EU) No 1215/2012 (Brussels I recast) or any other non-waivable provision of applicable law.

18. Acceptance and Counter-signing

By subscribing to the Service, the Controller accepts this DPA. Controllers whose compliance framework requires a counter-signed copy may export this page as a PDF, sign it, and email the signed copy to [email protected]. The Processor will return a counter-signed copy within a reasonable time.

19. Contact

Privacy and data protection requests under this DPA: [email protected]. Security incidents and suspected personal data breaches: [email protected].