Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Kay David Kalex ("ModAPI", "Processor") and the customer agreeing to those Terms ("Customer", "Controller") and governs ModAPI's processing of Personal Data on the Customer's behalf when providing the Service.
Introduction
This DPA reflects the parties' agreement on the processing of Personal Data in accordance with Article 28 of the GDPR and applicable U.S. state privacy laws including the CCPA. It applies where, and to the extent, ModAPI processes Personal Data that is subject to such laws on behalf of the Customer. Where the Customer acts as a processor for a third-party controller, the Customer enters into this DPA on behalf of that controller.
1. Definitions
"GDPR" means Regulation (EU) 2016/679. "CCPA" means the California Consumer Privacy Act, as amended by the CPRA. Terms such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", "Supervisory Authority", and (under the CCPA) "Business", "Service Provider", "Sell", and "Share" have the meanings given in the applicable law. "Customer Personal Data" means Personal Data contained in Customer Data that ModAPI processes on the Customer's behalf, as further described in Annex 1.
2. Roles of the parties
With respect to Customer Personal Data, the Customer is the Controller (or a processor acting on behalf of a third-party controller) and ModAPI is the Processor. Under the CCPA, the Customer is the Business and ModAPI is a Service Provider. Each party will comply with its obligations under applicable Data Protection Laws. With respect to account and billing data, ModAPI is an independent controller and its processing is described in the Privacy Policy.
3. Scope & processing instructions
ModAPI will process Customer Personal Data only:
- to provide, secure, and maintain the Service in accordance with the Terms;
- in accordance with the Customer's documented instructions, including those given through the dashboard, API configuration, and this DPA; and
- as required by applicable law, in which case ModAPI will inform the Customer of that requirement before processing, unless the law prohibits it.
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Annex 1. ModAPI will inform the Customer if, in its opinion, an instruction infringes applicable Data Protection Laws.
4. Processor obligations
ModAPI will: (a) process Customer Personal Data only on documented instructions; (b) ensure persons authorized to process it are bound by confidentiality; (c) implement the security measures in Section 6 and Annex 2; (d) respect the conditions for engaging sub-processors in Section 7; (e) assist the Customer, taking into account the nature of processing, with Data Subject requests (Section 8) and with the Customer's obligations under Articles 32–36 GDPR (Sections 9–10); and (f) at the Customer's choice, delete or return Customer Personal Data after the end of the provision of the Service (Section 12).
5. Confidentiality
ModAPI will treat Customer Personal Data as confidential and ensure that personnel with access are subject to appropriate confidentiality obligations and receive appropriate data protection training. Access is limited to personnel who need it to provide the Service.
6. Security measures
Taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects, ModAPI implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2. These include encryption in transit, hashing of credentials and content identifiers, access controls, and monitoring.
7. Sub-processors
The Customer provides general authorization for ModAPI to engage sub-processors to process Customer Personal Data, provided that ModAPI: (a) imposes data protection obligations on each sub-processor that are no less protective than those in this DPA; and (b) remains liable for each sub-processor's performance. A current list of sub-processors is set out in Annex 3. ModAPI will give the Customer at least 30 days' notice (by email or through the Service) before adding or replacing a sub-processor, during which the Customer may object on reasonable data protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected part of the Service.
8. Data subject requests
Taking into account the nature of the processing, ModAPI will assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). If ModAPI receives such a request directly, it will, unless legally prohibited, promptly inform the Customer and not respond except on the Customer's instruction.
9. Personal data breach notification
ModAPI will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe, to the extent known, the nature of the breach, likely consequences, and measures taken or proposed to address it, so that the Customer can meet its own obligations under Articles 33–34 GDPR.
10. DPIA & audits
ModAPI will provide the Customer, on request, with information reasonably necessary to demonstrate compliance with Article 28 GDPR and to support data protection impact assessments and prior consultations under Articles 35–36. ModAPI will make available such information and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, no more than once per year (unless required by a Supervisory Authority), on reasonable prior notice, subject to confidentiality and without compromising the security of other customers. ModAPI may satisfy audit requests by providing existing third-party reports or certifications where available.
11. International transfers
Where ModAPI processes Customer Personal Data subject to the GDPR in a country outside the EEA, UK, or Switzerland without an adequacy decision, the parties agree that the European Commission's Standard Contractual Clauses (Decision 2021/914), together with the UK International Data Transfer Addendum and the Swiss amendments as applicable, are incorporated into this DPA by reference and apply to that transfer. For these clauses, the Customer is the data exporter and ModAPI the data importer; Annex 1 and Annex 2 populate the corresponding annexes, and Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) applies according to the Customer's role.
12. Return & deletion of data
Upon termination or expiry of the Service, and at the Customer's choice, ModAPI will delete or return all Customer Personal Data and delete existing copies, unless applicable law requires further storage. Cached content identifiers and moderation results are purged on the schedules described in Annex 1. The Customer may also delete Customer Personal Data through the dashboard during the term.
13. CCPA-specific terms
To the extent ModAPI processes Personal Information subject to the CCPA as a Service Provider, ModAPI will: (a) process it only to perform the Service and for the business purposes specified in this DPA and the Terms; (b) not Sell or Share it; (c) not retain, use, or disclose it for any purpose other than those specified, or outside the direct business relationship; (d) not combine it with Personal Information from other sources except as permitted by the CCPA; and (e) comply with applicable obligations under the CCPA and provide the same level of privacy protection as required of a Business. ModAPI certifies that it understands and will comply with these restrictions. The Customer may take reasonable steps to ensure ModAPI uses Personal Information consistently with the Customer's CCPA obligations.
14. Liability, term & conflicts
This DPA takes effect when the Customer accepts the Terms and remains in force for as long as ModAPI processes Customer Personal Data. Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. In case of conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA prevails; in case of conflict between this DPA and the Standard Contractual Clauses, the Clauses prevail.
Annex 1 — Details of processing
| Item | Details |
|---|---|
| Subject matter | Provision of automated content moderation of text and images via the ModAPI API. |
| Duration | For the term of the Service and until deletion or return of Customer Personal Data under Section 12. |
| Nature & purpose | Receiving, analyzing, scoring, and returning moderation results for content submitted by the Customer; caching of content hashes and results to improve performance. |
| Categories of Data Subjects | The Customer's end users and any individuals referenced in content submitted for moderation. |
| Types of Personal Data | Any Personal Data contained in submitted text, images, or metadata as determined by the Customer, which may include usernames, identifiers, roles, message content, and images. The Customer controls what is submitted and should avoid submitting special-category data unless necessary. |
| Special categories | May incidentally be present in submitted content; not intentionally requested by ModAPI. The Customer is responsible for any lawful basis required. |
| Retention / purge | Cached hashes and results are retained per the Customer's configuration and purged on a rolling basis; raw content is not retained beyond what is necessary to return results and operate the cache. |
Annex 2 — Technical & organizational measures
- Encryption — TLS for data in transit; hashing (SHA-256) of content identifiers; hashed storage of passwords and API keys.
- Access control — role-based access, least-privilege, multi-factor authentication for privileged access, session and CSRF protection.
- Resilience — monitoring, logging, and maintenance procedures to preserve confidentiality, integrity, and availability.
- Sub-processor management — contractual data protection terms and due diligence.
- Incident response — procedures to detect, investigate, and notify Personal Data Breaches.
- Data minimization — caching of hashes and results rather than indefinite retention of raw content.
Annex 3 — Approved sub-processors
The Service is hosted on the Processor's own self-managed infrastructure located in Germany; no third-party hosting sub-processor is engaged. The following sub-processors are engaged for specific functions:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe (Stripe Payments Europe, Ltd.) | Payment processing | Ireland / USA |
| PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A.) | Payment processing | Luxembourg / USA |
| Discord (Discord, Inc.) | Optional OAuth sign-in | USA |
| Mailgun (Mailgun Technologies, Inc.) | Transactional & verification email | USA (EU region optionally available) |
Contact
For questions about this DPA, contact [email protected] or write to Kay David Kalex, c/o Online-Impressum #4165, Europaring 90, 53757 St Augustin.