Data Processing Agreement
Our DPA defines how we process personal data on your behalf, our security obligations, and your rights as a data controller.
Last updated: February 19, 2026
GDPR Compliant
Full Article 28 data processing terms
72h Breach Notice
Notification within 72 hours of breach
EU Data Hosting
Primary storage within European Union
Annual Audit Right
Controller audit rights included
1. Definitions & Scope
Parties
This Data Processing Agreement ("DPA") is entered into between you ("Controller", "Customer") and APIDLY LTD ("Processor", "Apidly"). This DPA forms part of our Terms of Use and applies to all personal data processed by Apidly on behalf of the Customer.
Applicable Law
This DPA is governed by and supplements the requirements of the UK GDPR, EU GDPR (Regulation 2016/679), and the Data Protection Act 2018. Where there is a conflict between this DPA and our Terms of Use, this DPA shall prevail with respect to data protection matters.
Duration
This DPA applies for the duration of the Customer's use of Apidly services and continues until all personal data has been deleted or returned in accordance with this agreement.
2. Processing Details
Subject Matter & Purpose
Apidly processes personal data to provide API management, compliance tools, and legal document generation services as described in our Terms of Use. Processing is necessary for the performance of the contract between Apidly and the Customer.
Categories of Data Subjects
Data subjects may include: the Customer's end users, website visitors, employees, contractors, and any individuals whose personal data is processed through the Customer's use of Apidly services.
Types of Personal Data
Personal data processed may include: names, email addresses, IP addresses, device identifiers, cookie data, usage analytics, and any personal data included in legal documents or compliance configurations created by the Customer.
3. Processor Obligations
Processing Instructions
Apidly shall process personal data only on documented instructions from the Controller, unless required by applicable law. We will inform the Controller if, in our opinion, an instruction infringes data protection legislation.
Confidentiality
All persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is restricted to personnel who require access for the performance of services.
Security Measures
Apidly implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: encryption of personal data in transit and at rest, ongoing confidentiality and integrity of processing systems, ability to restore availability and access to personal data in a timely manner, and regular testing and evaluation of security measures.
Data Breach Notification
Apidly shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. Notification shall include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
4. Sub-Processors
Authorisation
The Controller grants general written authorisation for Apidly to engage sub-processors. A current list of sub-processors is maintained on our Sub-Processors page. We will notify the Controller of any intended changes to sub-processors, giving reasonable opportunity to object.
Sub-Processor Obligations
Where Apidly engages a sub-processor, we impose the same data protection obligations as set out in this DPA by way of a contract. Apidly remains fully liable for the performance of each sub-processor's obligations.
Right to Object
If the Controller objects to a new sub-processor on reasonable data protection grounds, and Apidly cannot provide an alternative, either party may terminate the affected services with 30 days' notice.
5. Data Subject Rights
Assistance with Requests
Apidly shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, and objection). We will promptly forward any data subject requests we receive directly to the Controller.
Technical Measures
We provide technical measures enabling the Controller to fulfil data subject requests, including self-service data export, account deletion functionality, and consent management tools.
6. International Data Transfers
Transfer Safeguards
Where personal data is transferred outside the UK/EEA, Apidly ensures appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) as approved by the European Commission and adopted by the UK ICO, adequacy decisions where applicable, and supplementary measures where required.
Data Localisation
Primary data storage is within the European Union. Where data is processed by sub-processors outside the EEA, we ensure appropriate transfer mechanisms are in place.
7. Audit & Termination
Audit Rights
The Controller may audit Apidly's compliance with this DPA once per year with 30 days' advance written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Apidly's operations. Contact dpo@apidly.com to arrange an audit.
Data Return & Deletion
Upon termination of services, Apidly shall, at the Controller's choice, return or delete all personal data within 30 days. The Controller may export their data at any time using our self-service tools. After deletion, Apidly shall provide written confirmation upon request.
Contact our Data Protection Officer for questions about our DPA or to request a signed copy.
DPO: dpo@apidly.com
Legal: legal@apidly.com