Data Processing Addendum

Last updated: March 26, 2026

This Addendum covers controller-processor obligations for API payloads, prompts, MCP tool requests, and other customer-submitted data processed by APITier. For general privacy information, see the Privacy Policy. For implementation and API documentation, visit docs.apitier.com.

1. Scope and order of precedence

This Data Processing Addendum applies where APITier processes personal data on behalf of a customer in connection with the APITier services and applicable data protection law requires a controller-processor agreement.

This Addendum forms part of the agreement between APITier and the customer. If there is a conflict between this Addendum and the main services agreement, this Addendum controls to the extent of that conflict for data protection matters.

2. Roles of the parties

For customer-submitted data processed through the services, the customer acts as controller or processor, as applicable under law, and APITier acts as processor or subprocessor on the customer’s documented instructions.

The customer is responsible for determining whether use of the services is lawful, for providing required notices, and for ensuring it has an appropriate legal basis for the processing of personal data submitted to the services.

3. Subject matter, duration, and purpose

The subject matter of the processing is the provision of APITier services, including API request handling, MCP tool execution, account administration, support, security monitoring, and other related service operations requested by the customer.

The duration of the processing is the period during which APITier provides the services to the customer and any limited post-termination period required for secure deletion, legal compliance, dispute resolution, or backup rotation.

The nature and purpose of the processing include receiving, storing, organizing, consulting, transmitting, and otherwise processing personal data as necessary to provide and secure the services in accordance with the customer’s instructions.

4. Categories of data and data subjects

Depending on how the customer uses the services, personal data may include identification data, contact data, address data, account data, device or usage metadata, support data, and other categories submitted by the customer through API requests or MCP tool calls.

Data subjects may include the customer’s end users, employees, contractors, suppliers, prospects, consumers, or other individuals whose personal data the customer submits to the services.

5. Customer instructions

APITier will process personal data only on the customer’s documented instructions, including the customer’s use of the services in accordance with the agreement, documentation, and configuration choices made available by APITier.

If APITier believes an instruction infringes applicable data protection law, APITier may inform the customer and suspend the relevant processing until the issue is resolved.

6. Confidentiality and personnel

APITier will ensure that personnel authorized to process personal data are subject to appropriate confidentiality obligations and receive access only where needed to perform their duties.

APITier will limit access to personal data using role-based or equivalent operational controls appropriate to the services.

7. Security measures

APITier will implement and maintain appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

These measures may include access management, logging, encryption in transit, environment segregation, credential controls, monitoring, and incident response practices proportionate to the nature of the services and risks presented by the processing.

8. Subprocessors

The customer authorizes APITier to use subprocessors to support the delivery of the services, including providers of cloud hosting, observability, communications, support, and billing infrastructure.

APITier will impose data protection obligations on subprocessors that are materially no less protective than the obligations in this Addendum and remains responsible for the performance of its subprocessors to the extent required by law.

If APITier maintains a public subprocessor list or notice mechanism, that list or mechanism may be used to describe current subprocessors and updates.

9. International transfers

Where APITier or its subprocessors process personal data outside the UK, EEA, or another jurisdiction with transfer restrictions, APITier will implement an appropriate lawful transfer mechanism.

Such mechanisms may include adequacy regulations, the European Commission standard contractual clauses, the UK International Data Transfer Addendum, or another valid transfer safeguard recognized under applicable law.

10. Assistance with rights and compliance

Taking into account the nature of the processing, APITier will provide reasonable assistance to the customer in responding to requests from data subjects exercising rights under applicable data protection law.

APITier will also provide reasonable assistance, taking into account the nature of the processing and the information available to APITier, for data protection impact assessments, prior consultations, and compliance inquiries where required by law.

11. Security incidents

If APITier becomes aware of a personal data breach affecting customer personal data, APITier will notify the customer without undue delay and provide available information reasonably necessary for the customer to assess the incident and meet its notification obligations.

APITier may provide information in phases as it becomes available and may take steps necessary to contain, investigate, and remediate the incident.

12. Deletion and return

Upon termination of the applicable services, APITier will delete or return customer personal data in its possession or control, unless continued retention is required by applicable law, for security logging, backup rotation, dispute resolution, or another legitimate and documented basis.

Where deletion is not immediately possible because data remains in encrypted backups or archived systems, APITier will continue to protect that data and isolate it from further active processing until deletion occurs in the ordinary course.

13. Audits and information rights

APITier will make available information reasonably necessary to demonstrate compliance with this Addendum.

Where required by applicable law and where reasonable documentation is insufficient, APITier will allow audits or inspections by the customer or an independent auditor bound by confidentiality obligations, subject to reasonable advance notice, security requirements, scope limitations, and frequency limits designed to avoid disruption and protect other customers.

14. Liability

Liability arising under this Addendum is subject to the liability limitations and exclusions in the main services agreement, except to the extent those limitations are not permitted by applicable data protection law.

Nothing in this Addendum removes any mandatory rights or obligations imposed by applicable data protection law.