Data Processing Agreement

FOR B2B API PARTNERS — EFFECTIVE APRIL 2026

This Data Processing Agreement (“DPA”) forms part of the API Access Agreement between Arctic Labs LLC (d/b/a StatusForge, the “Data Controller”) and the API partner (“Data Processor”). This DPA governs the processing of personal data accessed through the StatusForge B2B API.

By executing an API Access Agreement, the Data Processor agrees to be bound by the terms of this DPA.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person accessed through the StatusForge API.
  • “Processing” means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or erasure.
  • “Data Subject” means the individual whose Personal Data is being processed (StatusForge users).
  • “Applicable Data Protection Laws” means GDPR, UK GDPR, Swiss nFADP, CCPA/CPRA, and any other applicable data protection legislation.
  • “Sub-processor” means any third party engaged by the Data Processor to process Personal Data on its behalf.

2. Scope and Purpose of Processing

Subject matter: Professional identity data of StatusForge users, including name, profession, career achievements, capabilities, and other self-disclosed professional information.

Purpose: The Data Processor may process Personal Data solely for the purposes specified in the API Access Agreement, which may include: improving AI system accuracy about individuals, responding to user queries about professional identities, and enriching professional data sources.

Duration: Processing is permitted for the duration of the API Access Agreement plus 15 business days for deletion.

Categories of data: Name, profession, role level, career highlights, skills, professional narrative, verification status, and other fields as documented in the API specification.

3. Obligations of the Data Processor

The Data Processor shall:

  • Process Personal Data only on documented instructions from the Data Controller, unless required by law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality.
  • Implement appropriate technical and organizational measures to ensure security of processing (see Section 5).
  • Not engage a sub-processor without prior written authorization from the Data Controller.
  • Assist the Data Controller in responding to data subject rights requests within 15 business days.
  • Notify the Data Controller without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach.
  • Delete or return all Personal Data upon termination of the API Access Agreement, and certify deletion within 15 business days.
  • Make available all information necessary to demonstrate compliance and allow for audits.

4. Prohibited Uses

The Data Processor shall not:

  • Use Personal Data for automated decision-making that produces legal or similarly significant effects on individuals (employment decisions, credit scoring, insurance underwriting, educational admissions, law enforcement, immigration).
  • Use Personal Data to build profiles for targeted advertising.
  • Use Personal Data for social scoring or behavioral prediction.
  • Sell, rent, or sublicense Personal Data to third parties.
  • Combine Personal Data with other data sources to re-identify individuals who have opted out.
  • Use Personal Data to train AI models that produce discriminatory outputs.
  • Retain Personal Data beyond the cache period specified in provenance receipts (30 days).

5. Technical and Organizational Measures

The Data Processor shall implement at minimum:

  • Encryption: TLS 1.2+ for data in transit, AES-256 or equivalent for data at rest.
  • Access controls: Role-based access, principle of least privilege, multi-factor authentication for data systems.
  • Logging: Maintain access logs for Personal Data for a minimum of 12 months.
  • Incident response: Documented incident response plan with 48-hour notification capability.
  • Data minimization: Process only the minimum Personal Data necessary for the stated purpose.
  • Regular testing: Annual security assessments, penetration testing, and vulnerability scanning.

6. Deletion and Revocation

When StatusForge sends a deletion notification (via webhook or API):

  • The Data Processor must delete all cached copies of the affected data subject’s Personal Data within 15 business days.
  • The Data Processor must confirm deletion in writing (or via API acknowledgment).
  • Failure to honor deletion notifications will result in immediate API access revocation.

Provenance receipts include a revocation-check URL. The Data Processor must check this URL before serving cached data. A 404 response means the data subject has been deleted and cached data must be purged immediately.
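The check-before-serve rule above, together with the 30-day cache period from Section 4 and the deletion webhook from this section, can be implemented on the partner side as a small cache wrapper. The following is an added example written for this page, not StatusForge's own code or SDK; it assumes a `revocation_url` field in the provenance receipt, a `subject_id` field in the deletion webhook payload, and treats any revocation-check status other than 200 or 404 as "unconfirmed" (fail closed), which the DPA does not specify. The revocation endpoint is stubbed with a constructed status table so the code runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Cache period named in the provenance receipts (Section 4): cached Personal
# Data must neither be retained nor served past this age.
CACHE_PERIOD = timedelta(days=30)


@dataclass
class CachedRecord:
    """One data subject's cached API response plus its provenance metadata."""
    subject_id: str
    data: dict
    revocation_url: str   # from the provenance receipt (field name assumed)
    cached_at: datetime   # when the partner fetched the record


class RevocationCheckFailed(Exception):
    """Revocation status could not be confirmed; the caller must not serve."""


class PartnerCache:
    """Partner-side cache honouring the DPA's check-before-serve rule.

    `fetch_status` returns the HTTP status code of a GET on the
    revocation-check URL. It is injected so the class can run offline; in
    production it would wrap an HTTPS client (e.g. urllib.request).
    """

    def __init__(self, fetch_status: Callable[[str], int]) -> None:
        self._records: Dict[str, CachedRecord] = {}
        self._fetch_status = fetch_status
        self.access_log: List[str] = []  # Section 5: log Personal Data access

    def store(self, record: CachedRecord) -> None:
        self._records[record.subject_id] = record

    def has(self, subject_id: str) -> bool:
        return subject_id in self._records

    def purge(self, subject_id: str, reason: str) -> bool:
        """Remove every cached copy for a subject; True if anything was removed."""
        removed = self._records.pop(subject_id, None) is not None
        self.access_log.append(f"purge subject={subject_id} reason={reason} removed={removed}")
        return removed

    def serve(self, subject_id: str, now: Optional[datetime] = None) -> Optional[dict]:
        """Return cached data only if it is within the cache period and not revoked.

        None means nothing servable (unknown, expired, or revoked).
        RevocationCheckFailed means the check did not complete: fail closed.
        """
        now = now or datetime.now(timezone.utc)
        record = self._records.get(subject_id)
        if record is None:
            return None
        if now - record.cached_at > CACHE_PERIOD:          # Section 4 cache period
            self.purge(subject_id, "cache period exceeded")
            return None
        try:                                                # Section 6 check-before-serve
            status = self._fetch_status(record.revocation_url)
        except OSError as exc:                              # timeout, DNS, TLS failure
            self.access_log.append(f"revocation-check error subject={subject_id}: {exc}")
            raise RevocationCheckFailed(subject_id) from exc
        if status == 404:                                   # subject deleted: purge now
            self.purge(subject_id, "revocation-check returned 404")
            return None
        if status != 200:                                   # unconfirmed (assumption)
            self.access_log.append(f"revocation-check status={status} subject={subject_id}")
            raise RevocationCheckFailed(subject_id)
        self.access_log.append(f"serve subject={subject_id}")
        return record.data

    def handle_deletion_notification(self, payload: dict) -> dict:
        """Process a deletion webhook (Section 6); returns the acknowledgment body."""
        subject_id = payload["subject_id"]                  # payload shape assumed
        self.purge(subject_id, "deletion notification")
        return {"subject_id": subject_id, "status": "deleted",
                "acknowledged_at": datetime.now(timezone.utc).isoformat()}


# Constructed sample data: a fake revocation endpoint keyed by URL.
FAKE_STATUS = {
    "https://example.invalid/revocation/u-100": 200,  # still live
    "https://example.invalid/revocation/u-200": 404,  # subject deleted
    "https://example.invalid/revocation/u-300": 503,  # endpoint unavailable
}
DEMO_NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)


def build_demo_cache(now: datetime = DEMO_NOW) -> PartnerCache:
    """Cache holding three fresh records and one (u-400) older than 30 days."""
    cache = PartnerCache(fetch_status=lambda url: FAKE_STATUS[url])
    for sid, age_days in (("u-100", 1), ("u-200", 1), ("u-300", 1), ("u-400", 45)):
        cache.store(CachedRecord(
            subject_id=sid,
            data={"name": f"Person {sid}", "profession": "Engineer"},
            revocation_url=f"https://example.invalid/revocation/{sid}",
            cached_at=now - timedelta(days=age_days),
        ))
    return cache
```

The stale record (u-400) is purged on age before any network call is made, so an expired entry never reaches the revocation endpoint; the 503 case raises rather than returning the cached copy, so a partner outage never turns into serving data whose revocation status is unknown.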

7. International Transfers

If the Data Processor transfers Personal Data outside the EU/EEA:

  • The transfer must be covered by an adequacy decision, Standard Contractual Clauses (European Commission Decision 2021/914), or another valid transfer mechanism under GDPR Chapter V.
  • The Data Processor must notify the Data Controller of any transfer and the mechanism relied upon.
  • Supplementary measures must be implemented where required by the Schrems II decision.

8. Sub-Processors

The Data Processor must obtain prior written consent from the Data Controller before engaging any sub-processor. The Data Processor shall:

  • Provide the Data Controller with at least 30 days’ notice of any intended sub-processor change.
  • Impose the same data protection obligations on sub-processors as contained in this DPA.
  • Remain fully liable for the acts and omissions of its sub-processors.

9. Data Breach Notification

In the event of a personal data breach:

  • The Data Processor must notify the Data Controller within 48 hours of becoming aware.
  • The notification must include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
  • The Data Processor must cooperate fully with the Data Controller’s investigation and any required notifications to supervisory authorities or data subjects.

10. Audit Rights

The Data Controller may audit the Data Processor’s compliance with this DPA:

  • On reasonable notice (minimum 30 days, except in case of suspected breach).
  • During normal business hours.
  • The Data Processor shall provide all reasonable cooperation and access to relevant records, facilities, and personnel.
  • Alternatively, the Data Processor may provide a recent SOC 2 Type II or ISO 27001 audit report.

11. Liability and Indemnification

The Data Processor shall indemnify and hold harmless the Data Controller against all claims, damages, losses, and expenses arising from:

  • The Data Processor’s breach of this DPA.
  • Processing of Personal Data outside the scope of documented instructions.
  • Failure to honor deletion notifications.
  • Any act or omission of the Data Processor’s sub-processors.

12. Standard Contractual Clauses

Where Personal Data of EU/EEA/UK/Swiss residents is processed, this DPA incorporates by reference the Standard Contractual Clauses (European Commission Decision 2021/914), with:

  • Module Two (Controller to Processor) applying to the relationship between StatusForge and the API partner.
  • The Data Controller as the “data exporter” and the Data Processor as the “data importer.”
  • The technical and organizational measures in Section 5 of this DPA as Annex II.
  • The sub-processor list maintained by the Data Processor as Annex III.

For UK transfers, the International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner’s Office is incorporated. For Swiss transfers, the applicable Swiss amendments to the SCCs apply.

13. Term and Termination

This DPA takes effect upon execution of the API Access Agreement and remains in effect until all Personal Data has been deleted or returned. The obligations in Sections 4 (Prohibited Uses), 5 (Technical and Organizational Measures), 6 (Deletion and Revocation), and 11 (Liability and Indemnification) survive termination.

Execution

To execute this DPA as part of your API Access Agreement, contact:

[email protected]

Arctic Labs LLC (d/b/a StatusForge)
6545 Market Ave. North, STE 100
Canton, OH 44721