01
Agreement and execution#
This Data Processing Addendum ("DPA") is incorporated into IPkit's Terms of Service(the "Terms") and is accepted when you accept the Terms at signup. It is binding from account creation (or, for accounts created before this page was first published, from the date shown above).
On request to legal@ipkit.ai, we will countersign a PDF copy of this DPA within 5 business days. For the avoidance of doubt, the countersigned copy does not supersede this online version unless both parties sign a variation.
If any provision of this DPA conflicts with the Terms, for the processing of Customer Personal Data this DPA prevails over the Terms; a separately signed master services agreement or data processing agreement prevails over this page.
02
Definitions#
Capitalised terms not defined here have the meaning given in the Terms.
- "Data Protection Laws"means the EU General Data Protection Regulation ("EU GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("Swiss FADP"), and other data-protection laws applicable to the processing described in this DPA.
- "Customer Personal Data" means personal data that IPkit processes as a processor on your behalf under this DPA — personal data in Customer Content and in end-user queries sent through your application to api.ipkit.ai.
- "Sub-processor" means a third party engaged by IPkit to process Customer Personal Data.
- "Personal Data Breach" has the meaning given in Article 4(12) GDPR — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data, regardless of intent or cause.
- "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914.
- "UK Addendum"means the UK Information Commissioner's International Data Transfer Addendum to the SCCs.
03
Roles and scope#
This DPA applies only where IPkit processes Customer Personal Data as a processor on your documented instructions: personal data contained in Customer Content and in end-user queries sent through your application to api.ipkit.ai. The following categories of processing sit outside this DPA and are each independent-controller processing with their own disclosure.
Register-derived personal data. Where IPkit processes personal data drawn from public intellectual-property registers, IPkit is an independent controller of that data (see Privacy Policy — Personal data from public IP registers), and you are an independent controller for any register data you retain, subject to the restrictions in the Terms. IPkit and you are each independent controllers of that data — not joint controllers.
Returned results.Register records returned in response to a query remain register-derived data — IPkit and you are each independent controllers of them, and suppression of a record following a data subject's request is not a breach of this DPA. The queries themselves — search terms, request metadata, and usage — are Customer Personal Data covered by this DPA.
Account, billing, and telemetry data. IPkit is the controller for account, billing, and product-telemetry data collected through the customer portal — see the Privacy Policy.
04
Customer obligations#
You are responsible for:
- Having a lawful basis for the Customer Personal Data you submit to the Service and for any instructions you give IPkit regarding it.
- Providing any notices to, and obtaining any consents from, your end users and other data subjects that are required for IPkit's processing under this DPA.
- The accuracy and lawfulness of the instructions you give IPkit.
Unless we agree otherwise in writing, your documented instructions are these Terms, this DPA, and your configuration and use of the Service.
05
IPkit obligations as processor#
As processor of Customer Personal Data, IPkit will:
- Process Customer Personal Data only on your documented instructions, including with respect to international transfers, unless required to do otherwise by law applicable to IPkit — in which case IPkit will inform you of that legal requirement before processing, unless the law prohibits this.
- Ensure personnel authorised to process Customer Personal Data are bound by confidentiality.
- Implement the technical and organisational security measures described in Annex C.
- Engage sub-processors only as described in the Sub-processors section below.
- Notify you within 2 business days of receiving a request from a data subject that may concern Customer Personal Data, and not respond to that request except on your instruction. IPkit will provide all information and assistance necessary for you to comply with your obligations under Articles 12–23 GDPR, including providing data in a machine-readable form, confirming deletion, and supporting data portability.
- Notify you without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data — whether or not the full extent is yet known. That notice will include, to the extent known: the nature and scope of the breach; the categories and approximate numbers of data subjects and records concerned; the likely consequences; the measures taken and proposed to address the breach; and an IPkit contact for further information. IPkit will follow up with a forensic summary within 10 business days covering root cause, timeline, and the specifics of affected data. IPkit does not notify authorities or data subjects on your behalf unless you instruct us to.
- Provide reasonably requested assistance with data protection impact assessments and prior consultations with supervisory authorities (Articles 35–36 GDPR), including by making security and processing documentation available on request.
- Support deletion and return of Customer Personal Data as described below, and provide the information and audit rights described below.
06
Sub-processors#
You authorise IPkit to engage the sub-processors listed in Annex B to process Customer Personal Data. IPkit will give you at least 30 days' advance notice by email to account holders before adding or replacing a sub-processor of Customer Personal Data; your 14-day objection window (below) runs from that email.
You may object to a new or replacement sub-processor on reasonable data-protection grounds by emailing privacy@ipkit.ai within 14 days of the notice. If you object, the parties will work in good faith to resolve the objection; if unresolved, you may terminate the affected service with a pro-rata refund of prepaid unused fees, notwithstanding the non-refundability clause in the Terms. If you do not object within the 14-day window, you are deemed to have accepted the sub-processor.
IPkit remains fully liable to you for the acts and omissions of its sub-processors as if they were IPkit's own, and imposes written data-protection obligations on each sub-processor that are equivalent to those in this DPA.
07
International transfers#
IPkit is operated by Four Birds Limited, a New Zealand company. Transfers of personal data from the EEA and UK to IPkit in New Zealand are covered by the European Commission's adequacy decision for New Zealand and the equivalent UK adequacy regulations (and are recognised as adequate under the Swiss FADP).
You authorise IPkit to engage the sub-processors listed in Annex B and to make the onward transfers their engagement entails. Where a sub-processor is located outside an adequate jurisdiction (for example, the United States), IPkit executes the 2021 SCCs (Module 3, processor-to-processor) with that sub-processor, together with the UK Addendum where UK data is in scope. Where applicable, a sub-processor's EU-U.S. Data Privacy Framework certification provides supplementary assurance but is not the transfer mechanism IPkit relies on. Supplementary measures for these transfers include encryption in transit and at rest.
Onward transfers made under this DPA also comply with IPP 12 of the New Zealand Privacy Act 2020.
Copies of the executed transfer documentation (SCCs) are available on request.
08
Deletion and return#
On termination of the Service, you may elect, within 30 days, either return of Customer Personal Data — provided by IPkit in a structured, commonly used, machine-readable format on request — or deletion of it. If you do not make an election within that window, IPkit deletes it by default.
Deletion from active systems completes within 30 days of your election (or of the 30-day election window closing), with written confirmation to you within 10 business days. Backup copies age out within 35 days.
Where New Zealand law requires IPkit to retain certain data for longer (for example, 7-year tax and financial-record obligations), IPkit retains only what the law requires, and that data continues to be protected under this DPA.
09
Information and audits#
On request, IPkit will make available the information and documentation reasonably necessary to demonstrate compliance with this DPA. If that documentation is not reasonably sufficient, you may conduct one audit per 12 monthsof IPkit's processing of Customer Personal Data (an auditor you mandate counts as customer-initiated), on 30 days' notice, during business hours, under a mutual non-disclosure agreement, at your cost, and without access to other customers' data. Audits required by a data-protection authority, regulator, or court are not subject to the once-per-12-months cap, and IPkit will cooperate with them in good faith.
10
Liability#
Claims arising from a breach of this DPA or of Data Protection Laws are capped at 2× the fees you paid IPkit in the 12 months preceding the event giving rise to the claim. The limitation of liability in the Terms continues to govern all other claims. A separately signed agreement may provide a different cap and prevails. Nothing in this DPA or the Terms reduces either party's liability to data subjects under Article 82 GDPR or limits data subjects' rights.
11
Term and survival#
This DPA is co-extensive with the Terms: it takes effect when the Terms take effect for you and continues for as long as the Terms remain in effect. It survives termination of the Terms until deletion of Customer Personal Data completes under the Deletion and return section above.
12
Governing law#
This DPA is governed by the laws of New Zealand, consistent with the Terms' governing-law clause. Regardless of this clause, all data-processing obligations under this DPA are governed by the applicable Data Protection Laws. Either party may seek injunctive relief in any competent court to protect data subjects' rights.
13
Changes to this DPA#
We may update this DPA as our infrastructure and legal obligations evolve. If we make a material change, we will give account holders 30 days' email notice before it takes effect, using the same mechanism as material changes to the Terms. Changes to Annex B follow the notice and objection process in the Sub-processors section above.
Changelog:
- 2026-07-05 — first published.
14
Contact#
Processing and data-subject matters: privacy@ipkit.ai.
Contract matters, including countersigned copies: legal@ipkit.ai.
15
Annex A — Processing details#
Subject matter
IPkit's processing of Customer Personal Data to provide the Service to you.
Duration
For the term of the Terms, plus the deletion window described in the Deletion and return section above.
Nature and purposes of processing
Hosting, transmission, search execution, monitoring, analysis, and support of the Service.
Categories of data
Determined by you: identifiers and content within Customer Content and end-user queries.
Categories of data subjects
Your end users, your personnel, and individuals identified in submitted content.
Processing locations
EU/UK for register-data systems; United States for the sub-processors marked accordingly in Annex B.
No special categories of personal data are intended or required.
16
Annex B — Sub-processors#
v1 · 2026-07-05
B.1 Sub-processors of Customer Personal Data
| Provider | Purpose | Region |
|---|---|---|
| Vercel | Portal hosting (queries in transit) | US / global edge |
| Fly.io | API application hosting | EU/UK (London) |
| Supabase | Authentication and database | EU/UK (Ireland / London) |
| Neon | Application database | EU/UK (London) |
| Upstash | Caching and rate limiting | Global edge |
| Cloudflare | DNS, edge security, R2 object storage | Global edge / EU (R2) |
| Tinybird | Usage analytics | EU |
B.2 Providers for IPkit's own processing (transparency only)
Stripe (billing) and Resend (transactional email) are engaged for processing where IPkit is the controller — see the Privacy Policy. They are not sub-processors of Customer Personal Data and are not subject to the objection rights in the Sub-processors section above.
The Privacy Policy's sub-processor section lists all providers across both roles; for this DPA, this Annex controls.
17
Annex C — Technical and organisational measures#
IPkit implements the following technical and organisational measures:
- TLS 1.2+ in transit and encryption at rest.
- Least-privilege access controls with single sign-on for staff.
- Mandatory two-factor authentication for production systems.
- API keys shown once at creation and stored only as keyed hashes (HMAC-SHA256).
- Structured logging and alerting.
- Automated dependency vulnerability monitoring.
- Encrypted backups aged out within 35 days.
- A documented security-incident response runbook.
- Personnel confidentiality commitments.
IPkit does not currently hold SOC 2 or ISO 27001 certification; security documentation is available for review, and certification is on our roadmap as the company grows.