Data Processing Addendum
Last updated 2026-04-27.
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Controller”) and LMTS DEVELOPMENT LTD (UK Companies House #17148125, “Processor”) and applies whenever the Processor processes Personal Data on the Controller’s behalf in the course of providing the CloudBrowserAPI Service.
It is drafted to satisfy Article 28 of the EU GDPR and the UK GDPR. By accepting our Terms you accept this DPA. If you require a wet-signed copy on company letterhead, email dpo@cloudbrowserapi.com.
1. Definitions
Capitalised terms not defined here have the meaning given in the EU GDPR / UK GDPR. “Personal Data”, “Process”, “Data Subject”, “Sub-processor” and “Supervisory Authority” have the meaning given in those laws.
2. Subject-matter and duration
Subject-matter: the provision of cloud browser automation services as described in our Terms.
Duration: for as long as your account is active and for any retention period required by Section 6 of the Privacy Policy.
Nature and purpose: running ephemeral Chromium sessions, screenshot/PDF/scrape rendering, and storing API usage events for billing and security.
Categories of Data Subject: the Controller’s end users and the operators of websites the Controller chooses to fetch through the Service.
Categories of Personal Data: account email, hashed password, source IP, request URL, response status and timing.
3. Processor obligations
- Process Personal Data only on documented Controller instructions, including with regard to international transfers, unless required to do otherwise by EU, UK or member-state law.
- Ensure persons authorised to process Personal Data are bound by confidentiality.
- Take all measures required by Article 32 GDPR (security of processing) — see Section 6 below.
- Engage Sub-processors only as permitted by Section 4.
- Assist the Controller (taking into account the nature of the processing) in fulfilling its obligation to respond to Data Subject rights requests, breach notifications, DPIAs and prior consultations.
- Delete or return all Personal Data to the Controller at the Controller’s choice on termination, except where retention is legally required.
- Make available all information necessary to demonstrate compliance with Article 28 and allow for audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (subject to reasonable confidentiality and notice).
4. Sub-processors
The Controller hereby grants a general written authorisation for the engagement of the Sub-processors listed at /sub-processors. We will inform Controllers of any intended additions or replacements at least 30 days in advance. The Controller may object on reasonable data-protection grounds, in which case the parties will negotiate in good faith; if no resolution is found within 30 days the Controller may terminate the affected portion of the Service.
5. International transfers
Where Personal Data is transferred outside the United Kingdom or the European Economic Area, the parties incorporate by reference the EU Standard Contractual Clauses (Commission Decision 2021/914, Module 2 — Controller-to-Processor) and the UK International Data Transfer Addendum (issued by the UK Information Commissioner’s Office in 2022). Annexes I, II and III are populated by the information in this DPA, the Privacy Policy and the sub-processors page. The optional docking clause (Clause 7) is enabled.
6. Security measures (Article 32)
- TLS 1.2+ in transit; HSTS preloaded; HTTP/2 over Nginx with Let’s Encrypt certificates.
- Account passwords hashed with scrypt (N=16384, r=8, p=1).
- API keys stored as SHA-256 hashes; only a non-reversible prefix is shown after creation.
- Browser sessions are ephemeral — the per-session profile directory is destroyed when the session ends; nothing is written to a persistent disk unless the Controller passes ?session=<id>.
- Server hardening: SSH key-only login, UFW firewall, fail2ban, automatic security updates.
- Logical separation between marketing site, dashboard and gateway processes; the gateway runs as an unprivileged systemd user.
- 30-day Nginx access-log retention; 90-day API usage-log retention.
- Annual third-party penetration test commencing with the SOC 2 Type II audit window.
7. Personal Data breach
We will notify the Controller without undue delay (and in any event within 72 hours of confirmation) of any Personal Data breach affecting the Controller’s data, with all information required by Article 33(3) GDPR to the extent then known, and provide updates as the investigation progresses.
8. Audits
The Controller may, at its own expense and not more than once per twelve-month period (except where required by a Supervisory Authority or following a confirmed Personal Data breach), audit our compliance with this DPA. We will reasonably cooperate with audits subject to confidentiality undertakings and 30 days’ written notice.
9. Liability
Liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable data-protection law.
10. Order of precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. The Standard Contractual Clauses prevail over both in the event of conflict.
11. Contact
Data-protection enquiries: dpo@cloudbrowserapi.com.
Postal address: LMTS DEVELOPMENT LTD, 12-14 Kennington Road, London, SE1 7BL, United Kingdom.