REST Countries

Data Processing Agreement

Last updated: 08 June, 2026

In plain language. If you're a business customer subject to the GDPR, UK GDPR, Quebec Law 25, PIPEDA, or an equivalent regime, this DPA spells out who's responsible for what when REST Countries processes personal data on your behalf, covering what we do with it, who else touches it, what happens if there's a breach, and how international transfers are handled. It auto-applies if you accept the Terms; you don't need to sign it separately.

1. Parties and structure

This Data Processing Agreement ("DPA") is entered into between ONC Inc. ("REST Countries," the "Processor"), a corporation incorporated under the laws of the Province of Ontario, Canada, and the customer ("Customer," the "Controller") that has accepted the REST Countries Terms of Service ("Terms"). It forms part of those Terms and applies whenever REST Countries processes Personal Data on the Customer's behalf.

Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, the EU-US Data Privacy Framework, Quebec Law 25, PIPEDA, or, where an equivalent regime applies instead, that regime.

This DPA takes effect automatically when the Customer accepts the Terms. No separate signature is required, although REST Countries will counter-sign on request for procurement purposes.

2. Subject matter, duration, and roles

REST Countries processes Personal Data only to provide the Service as described in the Terms. Processing continues for as long as the Customer has an active account or until written instructions to delete the data are received. The Customer is the Controller; REST Countries is the Processor. Where REST Countries determines its own purposes (e.g. billing the Customer, securing its own infrastructure), REST Countries acts as an independent Controller; that processing is governed by the Privacy Policy, not this DPA.

3. Nature and purpose of processing

REST Countries processes account credentials (email, hashed password, name, timezone) and request metadata (URL path, query string, status code, latency, response size, originating IP, API-key identifier) for the purpose of authenticating requests, enforcing per-plan limits, debugging issues, and producing usage analytics for the Customer. REST Countries does not store API response bodies and does not access them for any purpose other than transient transmission.

4. Categories of data subjects and personal data

  • Categories of data subjects. The Customer's authorized users (those who hold accounts on the Customer's behalf), and the Customer's end-users insofar as their IP address is captured in request logs.
  • Categories of Personal Data. Identification data (email, name), authentication data (hashed password, hashed API key, session token, logged-in session state), billing data (billing address, last four digits of payment card), and traffic data (URL path, query string, status code, originating IP, timestamp).
  • Special categories of data. None. REST Countries does not knowingly process special-category data (Article 9 GDPR) and the Customer agrees not to send such data to the Service.

5. Sub-processors

The Customer authorizes REST Countries to engage the sub-processors listed in our Privacy Policy (currently AWS for infrastructure, Cloudflare for network edge and DDoS protection, Stripe for payments, Postmark for transactional email, and Zenlogin for login-anomaly detection) on the terms set out there. Each sub-processor is bound by a written agreement that imposes data-protection obligations equivalent to those in this DPA.

REST Countries will give at least thirty (30) days' notice on the marketing site before adding or replacing a sub-processor. The Customer may object on reasonable grounds within that notice period. If the objection cannot be resolved, the Customer may terminate the affected portion of the Service.

6. Confidentiality

All REST Countries personnel with access to Personal Data are bound by written confidentiality obligations and are trained on data handling at hire and annually thereafter. Access is granted on a least-privilege basis and is revoked immediately on role change or departure.

7. Security measures

REST Countries implements appropriate technical and organizational measures, including:

  • Encryption in transit (TLS 1.2+) for all customer traffic.
  • Encryption at rest for backups.
  • Role-based access control with audit logging on production systems.
  • One-way password hashing (bcrypt) and one-way API-key hashing.
  • Network-level isolation of production environments and least-privilege IAM.
  • Annual third-party penetration testing and remediation tracking.
  • Documented incident-response procedures with regular tabletop exercises.
  • Background checks for personnel with production access, where permitted by local law.

8. Data subject rights

REST Countries will assist the Controller in responding to data-subject requests (access, rectification, erasure, restriction, portability, and objection) within thirty (30) days, taking into account the nature of the processing. Where the Customer can fulfil the request directly using the REST Countries dashboard's export and delete functions, REST Countries' role is limited to making those tools available.

9. Personal data breach

REST Countries will notify the Controller without undue delay, and in any event within seventy-two (72) hours, of becoming aware of any breach affecting the Controller's Personal Data. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.

10. International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the Standard Contractual Clauses (Module Two — Controller to Processor — adopted under Commission Implementing Decision (EU) 2021/914, with the UK International Data Transfer Addendum where applicable, and the Swiss FDPIC adaptation where applicable). Those clauses are incorporated by reference into this DPA. Where a conflict arises between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.

For Quebec residents, REST Countries has performed and documented the privacy impact assessment required under An Act respecting the protection of personal information in the private sector (Quebec Law 25, s. 17) for cross-border transfers. A summary is available on request.

REST Countries has assessed the laws of recipient jurisdictions in line with Schrems II and applies supplementary measures (encryption in transit and at rest, sub-processor minimization, opposition to overreaching access requests) where required.

11. Return or deletion

On termination of the Service, REST Countries will return or delete all Personal Data within thirty (30) days unless retention is required by law (e.g. tax records). Encrypted backups age out within ninety (90) days of the underlying data being deleted.

12. Audits

REST Countries will make available the information necessary to demonstrate compliance with this DPA (including its most recent penetration-test summary, sub-processor list, and incident-response runbook on request) and will allow audits, conducted by the Controller or a mutually agreed independent auditor, on at least thirty (30) days' written notice and at reasonable intervals (no more than once per twelve-month period unless required by a regulator). The Controller will reimburse REST Countries' reasonable costs for audits beyond the standard documentation request.

13. Allocation of liability

Liability between the parties under this DPA is subject to the limitations of liability set out in the Terms of Service, except to the extent those limitations are unenforceable under applicable data-protection law. Nothing in this DPA limits any data subject's right to seek a remedy directly against either party under applicable law.

14. Order of precedence

If there is a conflict between this DPA and the Terms with respect to Personal Data, this DPA prevails. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.

15. Contact

To execute this DPA on a counter-signed basis, request our security documentation, or for any data-protection question, contact support.