Data Processing Agreement
Last updated: May 28, 2025
Annexed to and forming part of the OverpoweredJS Terms of Service.
PARTIES
- OverpoweredJS (“Processor”, “OPJS”, “we”, “us”, “our”)
  123 Windermere Ave #192, Greenwood Lake, NY 10925, USA
  support@overpoweredjs.com
- Customer (“Controller”, “you”)
  The entity that has accepted the OverpoweredJS Terms of Service and embeds the OPJS code into its website(s) or application(s).
OPJS and the Customer are together the “Parties” and individually a “Party”.
1 DEFINITIONS
Term | Meaning |
---|---|
“Agreement” | The OverpoweredJS Terms of Service (and any Order, SOW or MSA that references them). |
“Applicable Laws” | All privacy / data-protection laws that apply to the Processing, including but not limited to the GDPR, UK GDPR, CCPA/CPRA and any successor legislation. |
“Personal Data” | Any information relating to an identified or identifiable natural person that is Processed under this DPA. |
“Processing”, “Process” | Any operation performed on Personal Data, as defined in the GDPR Art 4(2). |
“Sub-processor” | A third party engaged by the Processor to Process Personal Data on behalf of the Controller. |
“Standard Contractual Clauses” / “SCCs” | The clauses adopted by the European Commission in Decision (EU) 2021/914 (and any UK-addendum) for international transfers. |
“Services” | The browser-fingerprinting, bot-intelligence, API and related services supplied by OPJS under the Agreement. |
Capitalised terms not defined here have the meaning given in the Agreement.
2 SCOPE & DURATION
2.1 Subject-matter. OPJS Processes Personal Data solely to provide, maintain and improve the Services and as further described in Annex I (Description of Processing).
2.2 Duration. This DPA is effective from the date the Customer first uses the Services and continues until OPJS ceases to Process Personal Data for or on behalf of the Customer.
2.3 Documented Instructions. Processor shall Process Personal Data only on the Controller’s documented instructions (the Agreement, this DPA, and any further written instructions). If an instruction infringes Applicable Laws, Processor will notify Controller (unless prohibited by law).
3 OBLIGATIONS OF THE PROCESSOR
a. Confidentiality. Ensure that persons authorised to Process Personal Data are bound by confidentiality.
b. Security. Implement the technical and organisational measures set out in Annex II (Technical & Organisational Measures) and maintain them throughout the Processing.
c. Sub-processing. Engage Sub-processors only in accordance with § 5.
d. Data Subject Rights. Promptly assist Controller, insofar as possible, with Data Subject requests (access, rectification, erasure, restriction, portability, objection).
e. Data Breach. Notify Controller without undue delay (no later than 48 hours) after becoming aware of a Personal-Data Breach; provide all information reasonably required for Controller to comply with notification obligations.
f. Impact Assessments. Provide reasonable assistance with data-protection impact assessments and prior consultation with regulators, taking into account the nature of Processing.
g. Deletion / Return. At termination of the Agreement, delete or return Personal Data per Controller’s choice, unless Applicable Laws require retention (§ 8).
h. Audit. Make available information necessary to demonstrate compliance and allow for audits as in § 8.
4 OBLIGATIONS OF THE CONTROLLER
a. Lawful Basis & Transparency. Ensure it has a valid legal basis for all Personal Data provided to Processor and has given all notices required by Applicable Laws (including any required cookie / tracking disclosures).
b. Accuracy. Provide accurate and up-to-date Personal Data.
c. Instructions. Ensure instructions are lawful; indemnify Processor against any loss arising from unlawful instructions.
d. End-User Requests. Be primarily responsible for responding to Data Subject requests; promptly forward any request received by Processor that pertains to Controller’s data.
5 SUB-PROCESSORS
5.1 Authorised List. Controller grants general authorisation for the Sub-processors listed below and in Annex I.
Sub-processor | Service | Location | Safeguards |
---|---|---|---|
Google Cloud / Firebase | Auth, DB, analytics | EU & USA | SCCs + EU-U.S. DPF |
Cloudflare | CDN / DDoS | Global | SCCs + EU-U.S. DPF |
DigitalOcean | Hosting (NYC) | USA | SCCs + EU-U.S. DPF |
Stripe | Payments | EU / USA | SCCs + EU-U.S. DPF |
ipapi.is | IP intelligence | Germany | EU-only |
MaxMind | IP intelligence | USA | SCCs + EU-U.S. DPF |
5.2 Changes. Processor shall notify Controller (email or dashboard) at least 30 days before adding/replacing a Sub-processor. Controller may object on reasonable data-protection grounds.
5.3 Flow-down. Processor imposes on Sub-processors data-protection obligations that are no less protective than those in this DPA.
6 INTERNATIONAL TRANSFERS
Where Processing involves a transfer of Personal Data from the EEA/UK to a third country, the Parties rely on:
- SCCs – incorporated by reference with OPJS as data-importer, Controller as data-exporter; and/or
- EU-U.S. Data Privacy Framework certifications of relevant Sub-processors; plus
- industry-standard encryption in transit and at rest.
7 SECURITY INCIDENT MANAGEMENT
Processor shall maintain written incident-response procedures and log and investigate all Personal-Data Breaches. Notifications under § 3(e) shall describe:
- nature of the breach (categories & approximate number of Data Subjects / records affected);
- likely consequences;
- measures taken or proposed to address the breach;
- contact point for further information.
8 RETENTION, DELETION & AUDIT
8.1 Retention. Retention schedules are in the Privacy Policy. Processor anonymises or deletes raw logs when no longer required for security or statutory reasons.
8.2 Deletion / Return. Within 30 days of Controller’s written request or termination, Processor will (at Controller’s option) securely delete or return all Personal Data (unless retention required by law). Deletion is by crypto-erase with annual retention logs.
8.3 Audit. Once per 12-month period, and upon 30 days’ notice, Controller may audit Processor’s compliance (incl. by independent third-party auditor bound by confidentiality). Audits are limited to SOC 2, ISO 27001 or equivalent reports plus on-site or remote review during business hours. Controller bears its own costs; Processor may charge reasonable costs for on-site audits.
9 LIABILITY & INDEMNITY
Liability is governed by the limitations in the Agreement. Each Party is liable for the damages it causes by any breach of this DPA. Nothing limits either Party’s liability for breaches of the SCCs (where they apply).
10 TERM & TERMINATION
This DPA terminates automatically upon the later of (i) deletion / return of all Personal Data under § 8.2, or (ii) termination of the Agreement.
11 GOVERNING LAW & JURISDICTION
This DPA — and, where permissible, the SCCs — are governed by the laws of the State of New York, excluding conflict-of-law rules. Any dispute not subject to the SCCs’ mandatory jurisdiction shall be brought in the state or federal courts located in New York County, NY, USA.
12 MISCELLANEOUS
- Order of Precedence. If there is conflict between this DPA, the SCCs, and the Agreement, the following order prevails: (a) SCCs, (b) this DPA, (c) Agreement.
- Entire Agreement. This DPA (including its Annexes) constitutes the entire data-processing agreement between the Parties and supersedes any prior agreements on the same subject.
- Amendments. Any amendment must be in writing and signed (electronic signature acceptable) by both Parties, except Processor may update Annex I (Sub-processor list) per § 5.2.
- Severability. If any provision is held invalid, the remainder of the DPA remains in effect.
13 ACCEPTANCE OF THIS DPA
Binding effect. This Data Processing Agreement is automatically incorporated into, and forms an integral part of, the OverpoweredJS Terms of Service. By executing the Order Form, clicking “I Agree,” or otherwise continuing to use the Services on or after 1 June 2025, the entity identified as the Customer in the Terms of Service is deemed to have executed this DPA in the capacity of Controller without the need for a separate signature.
Countersigned copy on request.
If Customer’s internal policies require a fully-signed document, Customer may download a PDF version pre-signed by OverpoweredJS at https://overpoweredjs.com/legal/dpa.pdf and return a countersigned copy to support@overpoweredjs.com. Such countersignature will not affect the date on which this DPA became binding.
Annex I — Description of Processing
Item | Details |
---|---|
Nature & Purpose | Collection and analysis of browser / device signals, IP intelligence and related telemetry to detect bots, prevent fraud, and provide analytics & customer dashboard. |
Data Categories | IP addresses, ports, ASN, coarse geolocation, HTTP headers, JavaScript API outputs (Canvas, WebGL, WebRTC), device fingerprints, unique identifiers (clusterUUID), request logs, account metadata (name, email, company) for authorised users. |
Special Categories | None intentionally collected. |
Data Subjects | End-users (visitors) of Controller’s website(s); authorised users of Controller’s OPJS account. |
Retention | See § 8 and Privacy Policy. |
Sub-processors | Listed in § 5.1 above. |
Frequency | Continuous and event-driven during use of Services. |
Annex II — Technical & Organisational Measures
- Encryption – TLS 1.3 in transit, AES-256 at rest.
- Access Control – Role-based, least-privilege IAM; hardware-token MFA for production systems.
- Network Security – Cloudflare WAF, rate-limiting, DDoS mitigation; segmented VPC networks.
- Monitoring & Logging – Centralised logging, anomaly detection, 24 × 7 on-call.
- Vulnerability Management – Monthly scans, critical patching ≤ 72 h; annual penetration tests.
- Incident Response – Documented playbooks, breach notification within 48 h.
- Business Continuity – Encrypted off-site backups (daily); disaster-recovery drills twice yearly.
- Personnel – Background checks for employees; mandatory security & privacy training.
- Physical Security – Tier III datacentres with 24 × 7 guards, CCTV, biometric access.
- Supplier Management – Due-diligence and contractual DPAs with all Sub-processors; annual review.