Data Processing Addendum
Last updated May 19, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between PublicOptions (“Processor”) and the Customer (“Controller”) where Customer’s use of the Service involves PublicOptions processing personal data subject to the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the Swiss FADP, or equivalent laws.
1. Roles
Customer is the Controller of personal data processed through the Service. PublicOptions is the Processor and acts only on documented instructions from Customer (including via Customer’s configuration of the Service).
2. Subject matter, duration & nature
- Subject matter — provision of the PublicOptions historical options price API.
- Duration — the term of the underlying Terms of Service.
- Nature & purpose — authentication, request processing, billing, security, and support.
- Categories of data subjects — Customer’s end users, employees, or other individuals whose data Customer chooses to process via the Service.
- Categories of personal data — account identifiers, IP addresses, email addresses, and any data the Controller submits in queries or stores in their account.
3. Processor obligations
PublicOptions will: (a) process personal data only on Controller’s documented instructions; (b) ensure personnel are bound by confidentiality; (c) implement the technical and organizational measures in Annex A; (d) assist Controller with data-subject requests and DPIAs to the extent reasonable; (e) notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal-data breach; (f) on termination, delete or return personal data unless retention is required by law.
4. Subprocessors
Controller authorizes PublicOptions to engage subprocessors listed below. PublicOptions remains liable for their performance, imposes equivalent data-protection obligations on each, and will give at least 30 days’ notice (via this page and email to account owners) of any new subprocessor. Controller may object in writing for legitimate data-protection reasons within that period.
Current subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Edge hosting, DDoS protection, TLS termination | Global |
| Supabase, Inc. | Database, authentication, file storage | United States (EU region available) |
| Stripe, Inc. | Payment processing and invoicing | United States |
| Upstream market data provider | Historical US equity options data feed | United States |
| Resend, Inc. | Transactional email delivery | United States |
5. International transfers
Where personal data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the European Commission’s 2021 Standard Contractual Clauses (Module Two: controller to processor) and the UK Addendum, with the following selections: docking clause applies; Clause 17 Option 1 governed by Irish law; Clause 18 forum and jurisdiction Ireland; Annexes populated by this DPA and Annex A below.
6. Audits
PublicOptions will make available information necessary to demonstrate compliance with Article 28 GDPR, including current SOC 2 or equivalent attestations of its subprocessors. Customers with a paid plan may, on reasonable prior notice and no more than once per year, request an audit of PublicOptions’s controls under reasonable confidentiality terms.
7. Liability
Liability under this DPA is subject to the limitations in the Terms of Service.
Annex A — Technical & organizational measures
- Encryption — TLS 1.2+ in transit; AES-256 at rest. Passwords and API keys are stored as salted hashes.
- Access control — least-privilege, MFA-enforced, single sign-on for staff; production access logged and reviewed quarterly.
- Tenant isolation — row-level security in the database; per-account data segregation at every read.
- Network — private networking between application and database; managed WAF and DDoS protection at the edge.
- Backups — encrypted daily backups with a 30-day retention and tested restores.
- Monitoring & logging — centralized logging, alerting on anomalous access, retention 13 months.
- Vendor management — subprocessor security reviews on onboarding and annually thereafter.
- Incident response — on-call rotation; documented playbook; breach notification within 72 hours.
- Personnel — background checks where lawful, signed confidentiality agreements, annual security training.
8. Contact
To execute this DPA or request a signed copy: [email protected].