Data Processing Addendum

1. Parties

This Data Processing Addendum (“DPA”) is entered into between SAVELIST SL, doing business as KonbiniAPI, a company registered in Spain (Tax ID ESB87747499; Mercantile Registry of Madrid, Vol. 35481, Folio 173, Sheet M-637776, 1st Entry) (“Processor”), and the customer identified in the applicable order form or account (“Controller”, together with Processor, the “Parties”), and forms part of the KonbiniAPI Terms of Service (the “Agreement”).

2. Definitions

Capitalized terms not defined in this DPA have the meaning given to them in the Agreement.

  • “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.
  • “Approved Jurisdiction” means a member state of the European Economic Area (EEA), or another jurisdiction recognized by the European Commission as providing an adequate level of data protection.
  • “Data Protection Laws” means all applicable laws and regulations relating to data privacy and the protection of Personal Data, including the GDPR, the UK Data Protection Act 2018, and the CCPA, in each case as amended or replaced from time to time.
  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  • “Personal Data”, “Process” (and its variants), “Controller”, “Processor”, and “Personal Data Breach” have the meanings given in the GDPR.
  • “Sub-processor”means any third party engaged by Processor to Process Personal Data on Processor's behalf in connection with the Agreement.

3. Subject Matter and Duration

This DPA applies to Processor's processing of Personal Data on behalf of Controller in connection with Controller's use of the KonbiniAPI service (API and MCP server). It remains in effect for as long as Processor processes Personal Data under the Agreement.

4. Nature and Purpose of Processing

Processor retrieves publicly available social media data (Instagram, TikTok, X, Reddit) in real time in response to API requests made by Controller, and returns it directly to Controller. Processor does not decide what data Controller requests or how Controller uses the response.

Where the retrieved data includes Personal Data (e.g. public profile names, usernames, bios, or engagement content), Processor acts as a processor solely to transmit that data to Controller. Processor does not store, cache, or index the content of API responses beyond what is necessary to fulfill the individual request. Controller is the controller of any Personal Data it subsequently stores, analyzes, or otherwise processes.

5. Categories of Data and Data Subjects

Categories of Personal Data: publicly displayed profile information (names, usernames, profile photos, bios), public posts, comments, and public engagement metadata (likes, view counts) associated with social media accounts. Processor does not intentionally process Special Categories of Data, but cannot exclude that some publicly posted content may incidentally reveal such data; Controller is responsible for handling this appropriately if encountered.

Data subjects: individuals who maintain public social media profiles or have publicly posted content on the supported platforms.

6. Controller Responsibilities and Warranties

Controller represents and warrants that:

  • it has, and will maintain throughout the term of the Agreement, a valid legal basis under Data Protection Laws for its own collection, use, and further processing of any Personal Data obtained through the Service;
  • its instructions to Processor regarding the processing of Personal Data, including the specific API requests it makes, comply with applicable Data Protection Laws;
  • it is solely responsible for determining whether its intended use of the Service and the resulting data is appropriate and lawful for its purposes; and
  • it will handle any data subject requests, complaints, or regulatory inquiries relating to its own processing of Personal Data obtained through the Service.

7. Processor Obligations

Processor shall:

  • process Personal Data only on documented instructions from Controller, namely to fulfill the API requests Controller initiates;
  • ensure persons authorized to process Personal Data are subject to confidentiality obligations;
  • implement the technical and organizational security measures described in Section 10;
  • not engage a Sub-processor without providing Controller notice as described in Section 8;
  • notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller's Personal Data, and provide reasonably available information to help Controller meet its own breach notification obligations under Data Protection Laws;
  • provide reasonable assistance to Controller, taking into account the nature of the processing, in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) and in fulfilling any data protection impact assessment or supervisory authority consultation obligations relating to the Service;
  • process Personal Data only to the extent necessary to perform its obligations under the Agreement; and
  • at Controller's request, or upon termination of the Agreement, delete or return all Personal Data in its possession, except where retention is required by law.

8. Sub-processors

Controller provides general authorization for Processor to continue engaging the Sub-processors listed below as of the effective date of this DPA, and to engage additional Sub-processors in the future with at least 14 days' prior notice to Controller. Controller may object within that period on reasonable, documented data protection grounds. Processor remains responsible for each Sub-processor's acts and omissions to the same extent as its own.

  • Google Cloud Platform (Google LLC) — hosting and infrastructure for the API.
  • Cloudflare, Inc. — hosting and infrastructure for the dashboard and website.
  • Supabase, Inc. — database hosting for account and billing records (AWS, US East).
  • Resend — transactional email delivery (account, billing, and service notifications).
  • Stripe, Inc. — payment processing (account and billing data only).
  • Residential/datacenter proxy providers — network egress for API requests; do not receive Controller account data.

9. International Transfers

Processor's infrastructure runs across Google Cloud Platform, Cloudflare, and Supabase (on AWS), which may involve processing Personal Data outside an Approved Jurisdiction, including in the United States. Where this occurs, Processor shall ensure a valid transfer mechanism is in place, including the EU Standard Contractual Clauses (with Controller as data exporter and Processor, or the relevant Sub-processor, as data importer, as applicable) or another mechanism recognized under GDPR Chapter V.

10. Security Measures

Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:

  • encryption of Personal Data in transit (HTTPS/TLS) and at rest;
  • measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, including API key authentication for all programmatic access and hashed storage of account credentials;
  • the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing and evaluating the effectiveness of these measures; and
  • minimizing retention by not persisting API response content beyond the individual request lifecycle.

11. Audit Rights

Processor shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA, including responding to a reasonable security questionnaire. On at least 30 days' prior written notice, no more than once per calendar year, and during normal business hours, Controller (or an independent auditor designated by Controller and reasonably acceptable to Processor) may conduct an audit of Processor's compliance with this DPA, subject to reasonable confidentiality safeguards and without unreasonably disrupting Processor's business.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA expands either party's liability beyond what is set out in the Agreement, except to the extent required by applicable Data Protection Laws.

13. Term and Termination

This DPA is incorporated into, and takes effect automatically upon, Controller's acceptance of the Terms of Service, for as long as Processor processes Personal Data on Controller's behalf under the Agreement. It terminates automatically upon termination of the Agreement. Controllers that require a separately countersigned copy for their own records may request one at hello@konbiniapi.com.

14. Contact

To countersign this DPA or ask questions about it, contact hello@konbiniapi.com.