Data Processing Agreement

Last updated: March 4, 2026

This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy between you ("Customer", "Controller") and PeekAPI ("Processor"). It applies when PeekAPI processes personal data on your behalf as part of providing the service.

This page serves as a reference DPA. For formal execution of this agreement, contact us at [email protected].

1. Scope and Purpose of Processing

PeekAPI processes personal data solely to provide the API analytics service described in the Terms of Service. Processing includes ingesting, storing, aggregating, and displaying API request metadata transmitted by the Customer's servers via PeekAPI SDKs.

2. Roles

Customer is the data controller who determines the purposes and means of processing API request metadata from their end users.

PeekAPI is the data processor who processes API request metadata on the Customer's behalf and in accordance with the Customer's documented instructions.

3. Types of Data Processed

PeekAPI does not process request bodies, response bodies, raw credentials, or IP addresses of API end users.

4. Data Subject Categories

Data subjects are the Customer's API end users whose requests generate the metadata collected by PeekAPI SDKs. The Customer is responsible for informing their end users about this data collection.

5. Processing Instructions

PeekAPI processes personal data only as necessary to provide the service and in accordance with the Customer's documented instructions. The Terms of Service and this DPA constitute the Customer's complete processing instructions. PeekAPI will inform the Customer if, in its opinion, an instruction infringes applicable data protection law.

6. Security Measures

PeekAPI implements the following technical and organizational security measures:

7. Sub-processors

PeekAPI uses the sub-processors listed on our Sub-processors page. The Customer authorizes PeekAPI to engage these sub-processors. PeekAPI will notify the Customer at least 30 days before adding a new sub-processor. If the Customer objects, they may terminate the agreement within the notice period.

8. Data Breach Notification

PeekAPI will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting the Customer's data. The notification will include the nature of the breach, categories of data affected, approximate number of data subjects, and measures taken or proposed to address the breach.

9. Audit Rights

Upon reasonable request and subject to confidentiality obligations, PeekAPI will make available to the Customer information necessary to demonstrate compliance with this DPA. PeekAPI will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer, with reasonable advance notice.

10. Data Deletion

Upon termination of the service agreement, PeekAPI will delete all Customer personal data within 30 days, unless retention is required by applicable law. API request metadata is automatically deleted according to the Customer's plan retention schedule. The Customer may request earlier deletion at any time.

11. International Data Transfers

Where personal data is transferred outside the EEA or UK, PeekAPI relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. The SCCs are incorporated by reference into this DPA. Details of transfer mechanisms used by each sub-processor are available upon request.

12. Term and Termination

This DPA remains in effect for the duration of PeekAPI's processing of Customer personal data. It automatically terminates when all personal data has been deleted or returned. The obligations in this DPA survive termination to the extent necessary to complete deletion of personal data.

Contact

To execute this DPA or ask questions, contact us at [email protected].