Data Processing Agreement
Effective March 31, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written or electronic agreement (the “Agreement”) between SearchApi LLC (“SearchApi”) and the entity or person agreeing to these terms (“Customer”) for the provision of the SearchApi API and related services (the “Services”).
This DPA reflects the parties’ agreement on the Processing of Personal Data by SearchApi on behalf of Customer in connection with the Services, and applies to all Customers whose use of the Services involves the Processing of Personal Data subject to Applicable Data Protection Law.
This DPA applies automatically. No signature is required for it to take effect. By using the Services, Customer accepts the terms of this DPA. Notwithstanding the foregoing, the parties may execute this DPA as a standalone agreement (for example, as part of an Enterprise plan), in which case the executed version shall prevail over this standard DPA to the extent of any conflict.
1. Definitions
- “Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including: (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (b) the UK Data Protection Act 2018 and UK GDPR; (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”); and (e) any other applicable data protection or privacy legislation.
- “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
- “Customer Data” means any Personal Data that Customer submits to the Services or that SearchApi Processes on behalf of Customer in connection with providing the Services.
- “Data Subject” means an identified or identifiable natural person to whom Customer Data relates.
- “EEA” means the European Economic Area.
- “Personal Data” has the meaning given in GDPR Article 4(1). Where CCPA applies, “Personal Data” includes “personal information” as defined under CCPA.
- “Processing” has the meaning given in GDPR Article 4(2). “Process”, “Processes”, and “Processed” shall be construed accordingly.
- “Processor” means the entity that Processes Personal Data on behalf of the Controller.
- “Restricted Transfer” means a transfer of Personal Data from the EEA, United Kingdom, or Switzerland to a country outside such territory that is not subject to an adequacy decision by the relevant authority.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored, or otherwise Processed by SearchApi.
- “Standard Contractual Clauses” (“SCCs”) means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914, as may be amended or replaced.
- “Sub-processor” means any third party engaged by SearchApi to Process Customer Data on behalf of Customer.
2. Scope and Roles
2.1 Roles. As between the parties, Customer is the Controller of Customer Data. SearchApi is the Processor of Customer Data. Where Customer itself acts as a Processor on behalf of a third-party Controller, SearchApi is a Sub-processor.
2.2 Processing Details. The subject matter, duration, nature and purpose of Processing, the types of Personal Data, and categories of Data Subjects are described in Schedule 1 (Details of Processing).
2.3 CCPA. To the extent CCPA applies, SearchApi is a “Service Provider” as defined under CCPA. SearchApi shall: (a) comply with its applicable obligations under CCPA and provide the same level of privacy protection as required by CCPA; (b) not sell or share Customer Data; (c) not retain, use, or disclose Customer Data for any purpose other than performing the Services as specified in the Agreement; (d) not combine Customer Data with personal information received from or on behalf of another person or collected from its own interactions with Data Subjects, except as permitted by CCPA; and (e) notify Customer if SearchApi determines that it can no longer meet its obligations under CCPA. Customer may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Data.
2.4 Independent Controller Activities. SearchApi acts as an independent Controller with respect to account registration data, billing information, and service usage analytics, which SearchApi processes for its own legitimate business purposes in accordance with its Privacy Policy. This Section 2.4 does not limit or modify SearchApi’s obligations as a Processor under the remainder of this DPA.
3. Customer Obligations
3.1 Customer shall comply with its obligations under Applicable Data Protection Law, including ensuring that it has a lawful basis for the Processing of Customer Data and that all necessary notices have been given to, and consents obtained from, Data Subjects as required.
3.2 Customer is responsible for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired it.
3.3 Customer shall not submit any special categories of Personal Data (as defined in GDPR Article 9) to the Services unless expressly agreed in writing.
4. SearchApi Processing Obligations
4.1 Instructions. SearchApi shall Process Customer Data only on documented instructions from Customer, unless required by applicable law to Process for another purpose. The Agreement and this DPA constitute Customer’s complete and final documented instructions for the Processing of Customer Data. Additional or alternative instructions require prior written agreement. If SearchApi believes an instruction infringes Applicable Data Protection Law, it shall promptly notify Customer. SearchApi shall not use Customer Data to train, fine-tune, or improve machine learning or artificial intelligence models.
4.2 Confidentiality. SearchApi shall ensure that all persons authorized to Process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. SearchApi shall ensure that access to Customer Data is limited to those personnel who require such access to perform the Services.
4.3 Security. SearchApi shall implement and maintain appropriate technical and organizational measures designed to protect Customer Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage, appropriate to the risk. These measures are described in Schedule 2 (Security Measures) and shall meet the requirements of GDPR Article 32. SearchApi may update these measures from time to time, provided that such updates do not materially decrease the overall level of protection.
4.4 Data Subject Requests. SearchApi shall, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. If SearchApi receives a request from a Data Subject directly, it shall promptly forward the request to Customer.
4.5 Assistance. SearchApi shall assist Customer in ensuring compliance with Customer’s obligations under GDPR Articles 32 to 36, taking into account the nature of Processing and the information available to SearchApi. This includes reasonable assistance with: (a) security of Processing; (b) notification of Security Incidents to supervisory authorities and Data Subjects; (c) data protection impact assessments; and (d) prior consultation with supervisory authorities.
5. Sub-processors
5.1 General Authorization. Customer provides general written authorization for SearchApi to engage Sub-processors to Process Customer Data in connection with the Services. The current list of Sub-processors is set out in Schedule 3 and maintained at searchapi.io/legal/subprocessors.
5.2 Sub-processor Obligations. SearchApi shall: (a) impose on each Sub-processor, by way of written contract, data protection obligations that are no less protective than those set out in this DPA, including obligations regarding confidentiality, security, and Processing restrictions; and (b) remain fully liable to Customer for the performance of each Sub-processor’s obligations. If a Sub-processor fails to fulfill its data protection obligations, SearchApi shall be liable to Customer for the acts and omissions of such Sub-processor.
5.3 Notification of Changes. SearchApi shall notify Customer at least 30 days before adding or replacing a Sub-processor by updating the Sub-processor list at searchapi.io/legal/subprocessors. Customers who wish to receive proactive email notification of changes may subscribe by emailing privacy@searchapi.io with the subject “Subscribe to Sub-processor Updates.” By using the Services, Customer agrees that publication on the Sub-processor page constitutes valid notification under this DPA.
5.4 Objection Right. If Customer has a reasonable, legitimate objection to a new Sub-processor based on data protection grounds, Customer may notify SearchApi in writing. The parties shall discuss the objection in good faith with the aim of achieving a commercially reasonable resolution. If no resolution is reached, Customer may terminate the affected portion of the Services without penalty by providing written notice to SearchApi.
6. International Data Transfers
6.1 Processing Location. SearchApi’s Services are operated from the United States. Customer Data may be transferred to and Processed in the United States.
6.2 Transfer Mechanisms. To the extent that the Processing of Customer Data involves a Restricted Transfer, the parties agree to the Standard Contractual Clauses as set out in Schedule 4, supplemented by additional safeguards where required. The SCCs are incorporated by reference and form an integral part of this DPA.
6.3 SCC Modules. Module Two (Controller to Processor) applies where Customer is a Controller. Module Three (Processor to Processor) applies where Customer is a Processor acting on behalf of a third-party Controller.
6.4 UK Transfers. For Restricted Transfers subject to UK data protection law, the International Data Transfer Addendum to the EU SCCs (the “UK Addendum”), as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018 (version B1.0, in force 21 March 2022), is incorporated by reference.
6.5 Swiss Transfers. For Restricted Transfers subject to the Swiss FADP, the SCCs apply with the adaptations required by the Swiss Federal Data Protection and Information Commissioner, including: references to GDPR are read as references to the FADP; the competent supervisory authority is the Swiss FDPIC; and “Member State” is not interpreted to exclude Swiss Data Subjects from exercising their rights in Switzerland.
6.6 Data Privacy Framework. Where applicable, SearchApi and its Sub-processors rely on certification under the EU-US Data Privacy Framework (“DPF”), the UK Extension to the DPF, and the Swiss-U.S. Data Privacy Framework as independent adequacy-based transfer mechanisms under Article 45 GDPR (and equivalent provisions under UK and Swiss law). Where DPF certification applies, it serves as the primary transfer mechanism. The SCCs remain in effect as a fallback safeguard in the event that DPF certification is invalidated or ceases to apply.
6.7 Alternative Mechanisms. If any transfer mechanism relied upon under this Section 6 is invalidated by a court of competent jurisdiction or supervisory authority, the parties shall cooperate in good faith to implement a suitable alternative transfer mechanism that provides an adequate level of protection in compliance with Applicable Data Protection Law.
7. Security Incident Notification
7.1 Notification. SearchApi shall notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Data. Notification shall be sent to Customer’s registered account email address.
7.2 Content. Such notification shall include, to the extent reasonably available at the time of notification: (a) the nature of the Security Incident, including the categories and approximate number of Data Subjects and Customer Data records concerned; (b) the name and contact details of SearchApi’s point of contact for further information; (c) the likely consequences of the Security Incident; and (d) the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.
7.3 Cooperation. SearchApi shall cooperate with Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of any Security Incident. SearchApi shall provide Customer with such information as Customer reasonably requires to fulfill its own notification obligations under Applicable Data Protection Law.
7.4 Record. SearchApi shall maintain a record of Security Incidents, including the facts relating to the incident, its effects, and the remedial action taken.
7.5 Exclusions. The obligations in this Section 7 do not apply to Security Incidents caused by Customer’s own actions or omissions. Breach reporting shall not constitute an acknowledgment of fault or liability by SearchApi.
8. Audit and Compliance
8.1 SearchApi shall make available to Customer, upon reasonable request, information regarding its security practices and compliance posture as described in Schedule 2. SearchApi maintains independent security certifications and audit reports, including SOC 2 Type II and ISO 27001 assessments. These reports, along with on-site audit rights and detailed security assessments, are available to customers on an Enterprise plan.
9. Data Return and Deletion
9.1 During Term. Customer may retrieve or export Customer Data via the API at any time during the term of the Agreement.
9.2 Post-Termination. Upon termination or expiration of the Agreement, SearchApi shall delete search result data (cached HTML and JSON) in accordance with its standard data retention schedule. Account-level data (contact information, billing records, API usage history) shall be retained for legitimate business purposes unless Customer requests deletion, in which case SearchApi shall delete such data within 30 days of receiving the request.
9.3 Exceptions. SearchApi may retain Customer Data to the extent required by applicable law or regulation, provided that SearchApi: (a) isolates and protects such data from further Processing; (b) limits Processing to the specific purpose required by law; and (c) deletes the data as soon as the retention obligation expires.
10. Records of Processing Activities
10.1 SearchApi shall maintain records of Processing activities carried out on behalf of Customer as required by GDPR Article 30(2), including: (a) the name and contact details of SearchApi and, where applicable, each Controller on whose behalf SearchApi is acting; (b) the categories of Processing carried out on behalf of each Controller; (c) where applicable, details of Restricted Transfers and the transfer mechanisms relied upon; and (d) a general description of the technical and organizational security measures referred to in Schedule 2.
11. Data Protection Contact
11.1 SearchApi is not required to appoint a Data Protection Officer under GDPR Article 37, as its core activity does not consist of processing operations that require regular and systematic monitoring of Data Subjects on a large scale, nor does it involve large-scale processing of special categories of data. SearchApi is a US-registered entity that does not maintain an establishment in the EU within the meaning of GDPR Article 3(1), and accordingly is not required to designate an EU representative under GDPR Article 27.
11.2 For all data protection inquiries, requests, or concerns related to Customer Data, Customer may contact SearchApi at: privacy@searchapi.io.
12. Liability
12.1 Each party’s total aggregate liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the limitations and exclusions of liability set out in the Agreement.
12.2 Nothing in this DPA limits or excludes either party’s liability for: (a) fraud or fraudulent misrepresentation; (b) death or personal injury caused by negligence; (c) any liability that cannot be excluded or limited under applicable law; or (d) each party’s indemnification obligations, if any, as set out in the Agreement.
13. General Provisions
13.1 Precedence. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Customer Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
13.2 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
13.3 Governing Law. This DPA shall be governed by the laws of the State of New York, except where Applicable Data Protection Law requires otherwise. The SCCs shall be governed by the law of the EU Member State in which the data exporter is established.
13.4 Amendments. SearchApi may update this DPA from time to time to reflect changes in Applicable Data Protection Law, regulatory guidance, or Processing activities. Material changes will be published at searchapi.io/legal/dpa at least 30 days before taking effect. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.
13.5 Third-Party Beneficiaries. Data Subjects who are third-party beneficiaries under the SCCs may enforce the SCCs as set forth therein. Otherwise, this DPA does not confer any third-party beneficiary rights.
13.6 Entire Agreement. This DPA, together with the Agreement and any applicable SCCs, constitutes the entire agreement between the parties regarding the Processing of Customer Data and supersedes all prior negotiations, representations, or agreements relating to this subject matter.
Schedule 1: Details of Processing
| Element | Description |
|---|---|
| Subject matter | Processing of Customer Data by SearchApi in connection with the provision of search API services, including executing search queries, caching results, logging API usage, billing, and customer support. |
| Duration | For the term of the Agreement between SearchApi and Customer, plus the period until all Customer Data has been deleted or returned in accordance with Section 9. |
| Nature and purpose of Processing | SearchApi receives search queries and parameters from Customer via its API, executes those queries against third-party search engines, online platforms, and other publicly accessible websites on Customer’s behalf, and returns structured results. Processing activities include: receiving and routing API requests; caching search results for performance optimization; logging API usage for billing, rate limiting, and abuse prevention; processing payments via a third-party payment processor; and providing customer support via a third-party support platform. |
| Categories of Data Subjects | Customer’s end users whose search queries are submitted to the API; Customer’s employees, agents, or contractors who interact with the Services; Individuals whose Personal Data may be contained within search queries or results. |
| Types of Personal Data | Search queries (which may contain Personal Data entered by end users); IP addresses associated with API requests; API keys and account identifiers; Account holder contact information (name, email address); Billing and payment information (processed by a third-party payment Sub-processor); API usage logs, access logs, and error logs; Support correspondence content (processed by a third-party support Sub-processor). |
| Special categories of data | None. Customer shall not submit special category data (GDPR Article 9) to the Services unless expressly agreed in writing. |
| Frequency of transfer | Continuous basis, in real time, as Customer submits API requests to the Services. |
Schedule 2: Technical and Organizational Security Measures
SearchApi implements and maintains the following measures to protect Customer Data. These measures are reviewed periodically as part of SearchApi’s information security management program and may be updated provided the overall level of protection is not materially decreased.
- Encryption. All data transmitted between Customer and SearchApi is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256 or equivalent industry-standard encryption. Internal service-to-service communication uses encrypted channels.
- Network Security. Production infrastructure runs in a cloud environment with private network segmentation, security groups, and access control lists. Databases are not accessible from the public internet. Infrastructure is defined and managed as code.
- Access Control. Access to production systems follows the principle of least privilege. All administrative access requires multi-factor authentication (MFA). Credentials are short-lived and managed through role-based access. Customer API access is authenticated via unique API keys.
- Logging and Monitoring. SearchApi maintains audit logs of administrative and API activity. Continuous threat detection and anomaly monitoring are in place. Security logs are retained in immutable storage.
- Data Minimization and Retention. SearchApi follows data minimization principles. Caches are automatically purged on a scheduled basis. Application logs are retained for a limited period. Account-level data is retained for legitimate business purposes and deleted within 30 days of customer request.
- Personnel Security. All personnel with access to Customer Data are bound by written confidentiality obligations. Identity verification and background screening are performed at onboarding. Access to Customer Data is limited to personnel who require it to provide support, maintain the service, or resolve errors.
- Incident Response. SearchApi maintains documented incident response procedures covering identification, containment, eradication, recovery, and notification. Security incidents are triaged and escalated according to severity classification.
- Business Continuity and Disaster Recovery. Production databases run in a high-availability configuration with automated daily backups. Disaster recovery procedures are tested periodically and documented in internal runbooks.
- Vulnerability Management. Software dependencies are continuously monitored for known vulnerabilities. Infrastructure changes are reviewed through pull requests. Security patches are applied promptly in accordance with severity.
- Sub-processor Security. SearchApi’s infrastructure providers maintain industry-standard security certifications. Sub-processors are assessed for their data protection posture and are bound by written data processing agreements.
Schedule 3: Authorized Sub-processors
The authoritative, up-to-date list of Sub-processors authorized to Process Customer Data is maintained at searchapi.io/legal/subprocessors. That page is the single source of truth and includes each Sub-processor’s name, purpose of Processing, location of Processing, and applicable transfer mechanism.
Customer may subscribe to Sub-processor update notifications via that page. Changes to the Sub-processor list are subject to the notice and objection procedures described in Section 5 of this DPA.
As of the effective date of this DPA, SearchApi’s Sub-processors that Process Customer Data include providers of: cloud infrastructure and hosting, payment processing, customer support and messaging, transactional email delivery, email communications, application error monitoring, anti-bot protection, and affiliate and referral tracking. All current Sub-processors are located in the United States and transfers are covered by the SCCs and, where applicable, EU-US Data Privacy Framework certification.
Internal tools that do not Process Customer Data (e.g., source code repositories, internal messaging, documentation platforms, credentials management) are not classified as Sub-processors.
Schedule 4: International Transfer Mechanisms
This Schedule sets out the framework for Restricted Transfers of Customer Data under this DPA.
4.1 EU Standard Contractual Clauses
The SCCs approved by the European Commission in Implementing Decision (EU) 2021/914 are incorporated by reference. The following elections apply:
- Modules: Module Two (Controller to Processor) applies where Customer is a Controller. Module Three (Processor to Processor) applies where Customer is itself a Processor.
- Clause 7 (Docking clause): The optional docking clause applies, allowing additional data exporters to accede to the SCCs.
- Clause 9(a) (Sub-processors): Option 2 (General written authorization) applies. The minimum time period for prior notice of Sub-processor changes is 30 days.
- Clause 11 (Redress): The optional clause permitting Data Subjects to lodge complaints with an independent dispute resolution body does not apply.
- Clause 13 and Annex I.C (Supervisory authority): The competent supervisory authority shall be determined in accordance with Clause 13. Where the data exporter is established in an EU Member State, it shall be the supervisory authority of that Member State. Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with Article 3(2), the competent supervisory authority shall be that of the Member State in which the data exporter’s representative under Article 27(1) is established, or, where no representative is required, that of one of the Member States in which the Data Subjects whose Personal Data is transferred under the SCCs are located.
- Clause 17 (Governing law): The SCCs shall be governed by the law of the EU Member State in which the data exporter is established. Where the data exporter is not established in the EU, the SCCs shall be governed by the law of Ireland.
- Clause 18(b) (Forum): Disputes arising from the SCCs shall be resolved before the courts of the EU Member State in which the data exporter is established. Where the data exporter is not established in the EU, disputes shall be resolved before the courts of Ireland.
4.2 UK International Data Transfer Addendum
For Restricted Transfers subject to UK data protection law, the International Data Transfer Addendum to the EU SCCs, as issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018 (version B1.0, in force 21 March 2022), is incorporated by reference. The information required by Table 1 of the UK Addendum is set out in the Agreement and the SCCs as completed in this Schedule 4.
4.3 Swiss Addendum
For Restricted Transfers subject to the Swiss FADP, the SCCs apply with the following adaptations: (a) references to “Regulation (EU) 2016/679” are read as references to the FADP; (b) references to “EU”, “Union”, and “Member State” are read to include Switzerland; (c) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (d) Data Subjects in Switzerland may exercise their rights in Switzerland.
4.4 Supplementary Measures
In addition to the SCCs, SearchApi implements the following supplementary measures to protect Customer Data in connection with Restricted Transfers: (a) encryption of all Customer Data in transit (TLS 1.2+) and at rest (AES-256); (b) access controls, including role-based access and MFA, limiting access to Customer Data to authorized personnel on a need-to-know basis; (c) SearchApi’s default position is to reject government or law enforcement requests for Customer Data unless compelled by a valid US warrant, criminal subpoena, or court order, and to notify Customer of any such request where legally permitted.
Annex I to the Standard Contractual Clauses
A. List of Parties
| | Data Exporter (Customer) | Data Importer (SearchApi) |
|---|---|---|
| Name | As identified in the Agreement | SearchApi LLC |
| Address | As specified in Customer’s account | 447 Broadway, 2nd Floor, New York, NY 10013, United States |
| Contact | As specified in Customer’s account | privacy@searchapi.io |
| Role | Controller (or Processor, where Customer processes data on behalf of a third party) | Processor (or Sub-processor, as applicable) |
| Activities | Submitting search queries via the SearchApi API on behalf of end users | Executing search queries, caching results, logging usage, billing, support |
B. Description of Transfer
As set out in Schedule 1 (Details of Processing) of this DPA.
C. Competent Supervisory Authority
Determined in accordance with Clause 13 of the SCCs and Schedule 4, Section 4.1 of this DPA.
Annex II: Technical and Organizational Measures
The technical and organizational security measures implemented by the data importer are as described in Schedule 2 (Technical and Organizational Security Measures) of this DPA.
Annex III: List of Sub-processors
The list of Sub-processors authorized by the Controller is as set out in Schedule 3 (Authorized Sub-processors) of this DPA.
This DPA is effective as of the date Customer accepts the Agreement or first submits Customer Data to the Services, whichever is earlier. No signature is required for this DPA to take effect.