Data Processing Agreement
Last updated: January 28, 2025
This Data Processing Agreement ("DPA") forms part of the Agreement between RenderScreenshot ("Processor", "we", "us") and the customer ("Controller", "you") for the provision of screenshot API services.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data, including collection, storage, retrieval, and deletion.
- Sub-processor: Any third party engaged by us to process Personal Data on your behalf.
- Data Subject: The individual to whom Personal Data relates.
- GDPR: The General Data Protection Regulation (EU) 2016/679.
2. Scope and Purpose
This DPA applies when we process Personal Data on your behalf while providing our screenshot API services. We process Personal Data only to:
- Capture screenshots of URLs you submit
- Cache and deliver screenshot images
- Provide usage analytics and billing
- Maintain service security and reliability
3. Your Responsibilities
As the Controller, you are responsible for:
- Ensuring you have a lawful basis to process Personal Data
- Obtaining necessary consents from Data Subjects where required
- Ensuring URLs submitted do not contain sensitive Personal Data unless necessary
- Complying with applicable data protection laws
4. Our Responsibilities
As the Processor, we will:
- Process Personal Data only on your documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to Data Subject requests
- Delete or return Personal Data upon termination of services
- Make available information necessary to demonstrate compliance
5. Security Measures
We implement the following security measures to protect Personal Data:
Technical Measures
- Encryption in transit (TLS 1.2+)
- Encryption at rest for stored data
- Access controls and authentication
- Regular security assessments
- Automated vulnerability scanning
- DDoS protection
Organizational Measures
- Employee security training
- Access on a need-to-know basis
- Incident response procedures
- Regular policy reviews
6. Sub-processors
We use the following sub-processors to provide our services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | CDN, browser rendering, storage | Global (US HQ) |
| Hetzner | Server hosting | Germany |
| Stripe | Payment processing | United States |
| Analytics (optional) | | United States |
We will notify you of any changes to sub-processors via email at least 30 days before the change takes effect. You may object to a new sub-processor by terminating the Agreement.
7. Data Transfers
Personal Data may be transferred to countries outside the European Economic Area. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) with sub-processors
- Adequacy decisions where applicable
- Additional technical measures where required
8. Data Subject Rights
We will assist you in responding to Data Subject requests to:
- Access their Personal Data
- Rectify inaccurate data
- Erase their data ("right to be forgotten")
- Restrict processing
- Exercise data portability
- Object to processing
We will respond to your assistance requests within 10 business days.
9. Data Breach Notification
In the event of a Personal Data breach, we will:
- Notify you without undue delay (within 72 hours of becoming aware)
- Provide details of the breach, including affected data and Data Subjects
- Describe measures taken to address the breach
- Cooperate with your investigation and notification obligations
10. Data Retention
We retain Personal Data as follows:
| Data Type | Retention Period |
|---|---|
| Cached screenshots | Per cache TTL (default 24h, max 30 days) |
| API request logs | 30 days |
| Account data | Duration of account + 30 days |
| Billing records | 7 years (legal requirement) |
Upon termination, we will delete your Personal Data within 30 days, except where retention is required by law.
11. Audits
You may audit our compliance with this DPA by:
- Requesting our latest security certifications and audit reports
- Submitting written questions about our data processing practices
- Conducting an on-site audit with reasonable notice (at your expense)
We will cooperate with reasonable audit requests and provide necessary documentation.
12. Liability
Our liability under this DPA is subject to the limitations set forth in our Terms of Service. Each party is liable for damages caused by its breach of data protection laws.
13. Term and Termination
This DPA remains in effect for the duration of our Agreement. Upon termination:
- We will stop processing Personal Data on your behalf
- We will delete or return Personal Data as specified above
- Provisions that should survive termination will remain in effect
14. Governing Law
This DPA is governed by the same law as our Terms of Service. For EU Data Subjects, the GDPR and applicable member state laws also apply.
15. Updates to This DPA
We may update this DPA to reflect changes in our practices or legal requirements. Material changes will be notified via email at least 30 days before taking effect.
Contact
For questions about this DPA or to exercise your rights:
- Email: [email protected]
- Data Protection Contact: [email protected]