EuroAPI | Version 1.0 | Effective date: 2026-05-19
This Data Processing Agreement ("DPA") supplements the EuroAPI Terms of Service and becomes effective for any Customer ("Controller") that processes personal data ("Personal Data") of EU/EEA residents using the EuroAPI service provided by us ("Processor", "we"). It reflects the parties' obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
By using the Service to submit Content that includes Personal Data, the Controller accepts this DPA. Where a Controller requires a signed counterpart, please contact vandenbrandenglen@gmail.com.
1. Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service or in the GDPR.
Personal Data: any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
Processing: any operation performed on Personal Data, as defined in Article 4(2) GDPR.
Data Subject: the natural person to whom Personal Data relates.
Sub-processor: any third party engaged by the Processor to assist in processing.
2. Roles
The Controller determines the purposes and means of the Processing.
The Processor processes Personal Data on behalf of the Controller, only on documented instructions.
This DPA does not change the underlying allocation of roles for any Personal Data that the Processor processes for its own purposes (e.g., account/billing data), which is described in the EuroAPI Privacy Policy.
3. Subject matter, duration, nature, and purpose
Subject matter: provision of the EuroAPI Service (audio transcription, language detection, translation).
Duration: for as long as the Controller uses the Service plus the 24-hour retention period.
Nature: short-lived storage of audio files and Processing by a Whisper-family open-source AI model to produce text Outputs.
Purpose: to fulfill the Controller's requests under the Terms of Service.
Categories of Data Subjects: individuals whose voice or speech appears in the Content. The Controller is solely responsible for the lawful basis to include such Data Subjects.
Categories of Personal Data: voice (biometric data, where used for identification), spoken content (potentially including names, addresses, opinions, health, financial information, or any other data the speaker chooses to mention).
Special categories (Art. 9 GDPR): the Processor does not actively seek special-category data. The Controller warrants that, where audio may contain such data, the Controller has an Article 9(2) basis.
4. Processor obligations
The Processor undertakes to:
Process Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do so by EU or Member-State law.
Ensure persons authorized to process Personal Data are bound by confidentiality obligations or are under a statutory obligation of confidentiality.
Implement appropriate technical and organizational measures (see Section 7).
Engage Sub-processors only in accordance with Section 8.
Assist the Controller in responding to requests by Data Subjects exercising their rights (Section 9), and in fulfilling the Controller's obligations under Articles 32–36 GDPR.
Delete or return all Personal Data after the end of provision of services (see Section 11).
Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits (see Section 12).
Inform the Controller without delay if, in its opinion, an instruction infringes the GDPR or other Union/Member-State data protection law.
5. Controller obligations
The Controller undertakes to:
Process Personal Data only with a valid legal basis under Article 6 GDPR (and Article 9 where special categories are involved).
Provide all required transparency information to Data Subjects under Articles 13–14 GDPR, including disclosing the use of EuroAPI as a Processor.
Not submit Content that the Controller does not have the right to submit (e.g., unauthorized recordings).
Respond to Data-Subject requests within statutory time limits, using the assistance from the Processor described in Section 9.
Indemnify the Processor against claims arising from the Controller's failure to meet its GDPR obligations.
6. Confidentiality
The Processor will:
Treat all Personal Data as confidential information.
Limit access to Personal Data to personnel who need it to perform the Service.
Ensure such personnel are bound by written confidentiality obligations.
Not disclose Personal Data to any third party except as permitted in this DPA or required by law.
7. Security measures
The Processor implements the following measures pursuant to Article 32 GDPR:
Domain | Measure
Encryption in transit | TLS 1.3 minimum; HSTS preload; HTTP/2 and HTTP/3
Encryption at rest | Server volumes encrypted; audio files deleted within 24 hours
Pseudonymization | API keys hashed; no plain-text storage of credentials
Access control | SSH key-only access; 2FA on all admin accounts; principle of least privilege
Network security | Firewall restricting inbound traffic to ports 22/80/443; fail2ban for brute-force protection
Logging and monitoring | Administrative actions logged with timestamps; security patches applied automatically
Resilience | Daily snapshot of metadata (excluding audio); regular restore tests
Incident response | Documented procedure; 72-hour notification to Controller upon Personal Data breach
Personnel | Single operator with explicit confidentiality undertaking
The Processor may update these measures over time but will not materially decrease the level of protection.
8. Sub-processors
8.1 Authorized sub-processors
The Controller hereby provides general written authorization for the engagement of the following Sub-processors as of the Effective Date:
Sub-processor | Service | Location
Hetzner Online GmbH | Hosting / server infrastructure | Falkenstein, Germany (EU)
Cloudflare, Inc. | DNS, TLS termination at edge, DDoS mitigation | EU edges; some metadata may transit US/UK
RapidAPI (Nordic APIs Inc.) | Payment and marketplace platform (only for Customers signing up via RapidAPI) | US; EU SCCs apply
Stripe Payments Europe Ltd. | Payment processing (direct customers only) | Ireland (EU)
Let's Encrypt (ISRG) | TLS certificate issuance | US; metadata only, no Personal Data of Data Subjects
8.2 Changes
The Processor will give the Controller at least 30 days' prior written notice of any new or replaced Sub-processor (by email to active customers and a notice on the Service). The Controller may object on reasonable data-protection grounds within that period. If objection is not resolvable, the Controller may terminate the affected portion of the Service.
8.3 Liability
The Processor remains liable for the acts and omissions of its Sub-processors as if performed by the Processor.
9. Assistance to Controller
The Processor will, to the extent legally permitted, assist the Controller in:
Responding to Data Subject requests under Articles 15–22 GDPR within 5 business days of a written request.
Conducting Data Protection Impact Assessments (Article 35).
Prior consultation with supervisory authorities (Article 36) where required.
For Data Subject requests, the Controller should first attempt to satisfy them using the self-service controls available (deleting audio is automatic after 24 hours; account deletion can be requested via email).
10. Personal Data breach
In the event of a Personal Data breach affecting the Controller's data, the Processor will:
Notify the Controller without undue delay and at the latest within 72 hours of becoming aware.
Provide all information reasonably required for the Controller to comply with Articles 33 and 34 GDPR, including: nature of the breach, categories and approximate numbers of Data Subjects and records, likely consequences, measures taken or proposed.
Cooperate with the Controller's investigation and reasonable requests for mitigation.
Breach notifications should not be construed as an admission of fault.
11. Return or deletion of Personal Data
Upon termination of the Service or upon the Controller's written request:
Audio files are automatically deleted 24 hours after upload during normal operation.
API metadata is retained for up to 30 days (logs) and 12 months (aggregated billing data) unless earlier deletion is requested.
Account data is deleted within 30 days of account closure, except where retention is required by law (e.g., 7-year retention of invoice data under Belgian tax law).
On request, the Processor will provide written certification of deletion.
12. Audits
The Controller may, no more than once per calendar year and on at least 30 days' written notice, request information necessary to demonstrate the Processor's compliance with this DPA and Article 28 GDPR.
The Processor will respond to reasonable, written questionnaires within 30 days.
On-site audits will be conducted only if questionnaire responses are insufficient, must respect the Processor's confidentiality and operational requirements, and will be at the Controller's expense unless a material non-compliance is identified.
13. International transfers
The Processor does not transfer Personal Data (other than incidental metadata at Sub-processors) outside the European Economic Area. Where transfer occurs (e.g., to RapidAPI for billing), the Processor relies on the EU Standard Contractual Clauses under Commission Decision (EU) 2021/914, supplemented by additional safeguards as required by Schrems II case law.
14. Liability and indemnification
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
The Controller will indemnify the Processor for any third-party claims arising from the Controller's breach of its own GDPR obligations or the warranties in Sections 3 and 4 of the Terms of Service.
15. Duration and termination
This DPA enters into effect on the Effective Date and remains in effect until the Service Agreement ends and all Personal Data has been deleted or returned per Section 11. Provisions concerning confidentiality, liability, and law/jurisdiction survive termination.
16. Governing law
This DPA is governed by Belgian law and is part of the Service Agreement. The provisions of the GDPR prevail in case of conflict with this DPA.
17. Signatures / acceptance
By using the Service to process Personal Data, the Controller is deemed to have accepted this DPA. For Controllers requiring a counter-signed version, please request via vandenbrandenglen@gmail.com.