Chartopia

Data Processing Agreement (DPA)

Last updated: 12 August 2025

This Data Processing Agreement (“DPA”) forms part of the Chartopia API Terms of Use (“Terms”) between [Developer Name] (“Processor”) and Chartopia (operated by d12dev) (“Controller”), collectively referred to as the “Parties.”

NOTE Personally Identifiable Information (PII)
Chartopia keeps a very limited amount of user data, with strictly limited access via the API. Given its importance, this data processing agreement must be agreed to before using the Chartopia API.

1. Purpose

This DPA is designed to align with GDPR requirements where applicable. Nothing in this Agreement shall be interpreted as imposing obligations beyond those required under applicable data protection laws.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.
  • Controller: Chartopia (operated by d12dev), determining the purposes and means of processing.
  • Processor: The developer or organisation using the Chartopia API to process Personal Data on behalf of Chartopia.

3. Processor Obligations

The Processor acknowledges that Chartopia's API generally exposes only limited personal data. Where processing of Personal Data does occur, the Processor shall:

  • Promptly assist the Controller, upon request, in responding to data subject rights requests.
  • Ensure confidentiality by persons authorised to process Personal Data.
  • Implement appropriate technical and organisational security measures.
  • Assist the Controller in meeting GDPR obligations regarding data subject rights, security, and breach notifications. This includes, but is not limited to, the following rights:
    • Right of access
    • Right to rectification
    • Right to erasure
    • Right to restriction/objection
  • Delete or return all Personal Data to the Controller upon termination of API access.

4. Sub-Processors

The Processor shall not engage any sub-processor in connection with Chartopia data without prior written consent from the Controller. Approved sub-processors must be bound by equivalent data protection obligations.

5. International Transfers

The Processor shall not transfer Personal Data outside the European Economic Area (EEA) without the Controller's written consent and without appropriate safeguards as required under GDPR Chapter V. Where transfers are permitted, they must rely on an adequacy decision, Standard Contractual Clauses (SCCs), or another valid GDPR mechanism.

6. Security Measures

The Processor must:

  • Encrypt Personal Data in transit and at rest where technically feasible.
  • Maintain access logs for Personal Data.
  • Protect against unauthorised or unlawful processing and accidental loss, destruction, or damage.

7. Breach Notification

The Processor shall notify the Controller without undue delay, and in any case within 24 hours, to enable the Controller to comply with GDPR Article 33.

8. Audit Rights

The Controller may audit the Processor's compliance with this DPA. Audits will ordinarily be conducted remotely (e.g., via questionnaires or reports). On-site audits may only be requested in exceptional circumstances and where required by law.

9. Liability

Each Party's liability is subject to the limitations set forth in the API Terms of Use, except where prohibited by law.

10. Duration

This DPA remains in force for as long as the Processor processes Personal Data on behalf of the Controller.

11. Data Retention and Cooperation with Authorities

Upon account termination or deletion, Chartopia will retain only the minimal records necessary for compliance, legal, and security purposes. This is necessary to:

  • Investigate or document potential violations of the API Terms of Use or this DPA.
  • Comply with legal or regulatory obligations.
  • Establish, exercise, or defend legal claims.
  • Respond to valid requests from law enforcement or data protection authorities.

Retained records may include:

  • Your developer account identifier (e.g., email address, API key history)
  • Relevant API usage logs
  • Records of DPA acceptance
  • Related correspondence

No unrelated personal data will be retained.

All retained data will be stored securely and used only for the purposes above, and will be deleted once it is no longer needed.


Acceptance

When you generate an API key or otherwise electronically accept this DPA, Chartopia will automatically record the date of such acceptance.


NOTE For Developers
Chartopia is not operated by a corporation but by two individuals under the name d12dev. This DPA is intended to provide clarity and assurance on how personal data is handled.

Copyright © Dodecahedron Developments 2025. All Rights Reserved