Data Processing Agreement

Last updated: November 15, 2025

Effective: November 30, 2025

Annexed to and forming part of the OverpoweredJS Terms of Service.


PARTIES

  1. OverpoweredJS, LLC ("Processor", "OPJS", "we", "us", "our")
    418 Broadway STE N, Albany, NY 12207 USA support@overpoweredjs.com

  2. Customer ("Controller", "you")
    The entity that has accepted the OverpoweredJS Terms of Service and embeds the OPJS code into its website(s) or application(s).

OPJS and the Customer are together the "Parties" and individually a "Party".


1 DEFINITIONS

Term | Meaning
"Agreement" | The OverpoweredJS Terms of Service (and any Order, SOW or MSA that references them).
"Applicable Laws" | All privacy / data-protection laws that apply to the Processing, including but not limited to the GDPR, UK GDPR, CCPA/CPRA and any successor legislation.
"Personal Data" | Any information relating to an identified or identifiable natural person that is Processed under this DPA.
"Processing", "Process" | Any operation performed on Personal Data, as defined in GDPR Art. 4(2).
"Sub-processor" | A third party engaged by the Processor to Process Personal Data on behalf of the Controller.
"Standard Contractual Clauses" / "SCCs" | The clauses adopted by the European Commission in Decision (EU) 2021/914 (and any UK addendum) for international transfers.
"Services" | The browser-fingerprinting, bot-intelligence, API and related services supplied by OPJS under the Agreement.

Capitalised terms not defined here have the meaning given in the Agreement.


2 SCOPE & DURATION

2.1 Subject-matter. OPJS Processes Personal Data solely to provide, maintain and improve the Services and as further described in Annex I (Description of Processing).
2.2 Duration. This DPA is effective from the date the Customer first uses the Services and continues until OPJS ceases to Process Personal Data for or on behalf of the Customer.

2.3 Documented Instructions. Processor shall Process Personal Data only on the Controller's documented instructions (the Agreement, this DPA, and any further written instructions). If an instruction infringes Applicable Laws, Processor will notify Controller (unless prohibited by law).

2.4 Out-of-scope. OPJS's own marketing websites (e.g., overpoweredjs.com) and their advertising/analytics/support tags (e.g., Google Tag Manager/Analytics, Google Ads, LinkedIn Insight Tag, Stripe, Tawk.to) are outside this DPA. For those properties OPJS acts as an independent controller as described in the Privacy Policy; they do not form part of the Processing performed for Customer under this DPA.


3 OBLIGATIONS OF THE PROCESSOR

a. Confidentiality. Ensure that persons authorised to Process Personal Data are bound by confidentiality.
b. Security. Implement the technical and organisational measures set out in Annex II (Technical & Organisational Measures) and maintain them throughout the Processing.
c. Sub-processing. Engage Sub-processors only in accordance with § 5.
d. Data Subject Rights. Promptly assist Controller, insofar as possible, with Data Subject requests (access, rectification, erasure, restriction, portability, objection).
e. Data Breach. Notify Controller without undue delay (no later than 48 hours) after becoming aware of a Personal-Data Breach; provide all information reasonably required for Controller to comply with notification obligations.
f. Impact Assessments. Provide reasonable assistance with data-protection impact assessments and prior consultation with regulators, taking into account the nature of Processing.
g. Deletion / Return. At termination of the Agreement, delete or return Personal Data per Controller's choice, unless Applicable Laws require retention (see § 8.2).
h. Audit. Make available all information necessary to demonstrate compliance and allow for and contribute to audits as set out in § 8.3.


4 OBLIGATIONS OF THE CONTROLLER

a. Lawful Basis & Transparency. Ensure it has a valid legal basis for all Personal Data provided to Processor and has given all notices required by Applicable Laws (including any required cookie / tracking disclosures).
b. Accuracy. Provide accurate and up-to-date Personal Data.
c. Instructions. Ensure instructions are lawful; indemnify Processor against any loss arising from unlawful instructions.
d. End-User Requests. Be primarily responsible for responding to Data Subject requests; promptly forward any request received by Processor that pertains to Controller's data.


5 SUB-PROCESSORS

5.1 Authorised List. Controller grants general authorisation for the Sub-processors listed below (and referenced in Annex I).

Sub-processor | Service | Location | Safeguards
Google LLC / Firebase (Google Cloud) | Auth, DB, analytics | EU & USA | SCCs; EU-U.S. DPF (Google LLC); ISO/IEC 27001; SOC 2 Type II; PCI DSS (GCP infra)
Cloudflare, Inc. | CDN / DDoS | Global | SCC-backed DPA; EU-U.S. DPF; ISO/IEC 27001; SOC 2 Type II; PCI DSS; Global CBPR & Global PRP
DigitalOcean Holdings, Inc. | Hosting (NYC) | USA | EU-U.S. DPF; SCCs; SOC 2 Type II
Stripe, Inc. | Payments | EU (Ireland) & USA | EU-U.S. DPF; SCCs; PCI DSS Level 1; SOC 1 & SOC 2 Type II (no public ISO 27001 certification)
Synthient LLC | IP intelligence (Standard) | USA | DPA; SCCs; EU-U.S. DPF
MaxMind, Inc. | IP intelligence (Advanced) | USA | EU-U.S. DPF; SCCs; data-center attestations (SOC 2 / ISO 27001)

5.2 Changes. Processor shall notify Controller (email or dashboard) at least 30 days before adding/replacing a Sub-processor. Controller may object on reasonable data-protection grounds.
5.3 Flow-down. Processor imposes on Sub-processors data-protection obligations that are no less protective than those in this DPA.


6 INTERNATIONAL TRANSFERS

Where Processing involves a transfer of Personal Data from the EEA/UK to a third country, the Parties rely on:

  • SCCs – incorporated by reference with OPJS as data importer and Controller as data exporter; and/or
  • EU-U.S. Data Privacy Framework certifications of relevant Sub-processors; plus
  • industry-standard encryption in transit and at rest.

EEA transfers. The parties adopt SCC Module Two (Controller → Processor); the choices for Clause 17 (law) and Clause 18 (forum) are set to Ireland as stated in § 11.

UK transfers. The parties adopt the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”, ICO version B1.0, in force 21 March 2022). Part 1: Tables are completed as follows:

  • Table 1 (Parties). Exporter: Customer (Controller). Importer: OverpoweredJS (Processor). Parties' details and key contacts: as set out in Annex I of this DPA. Start date: the Effective Date of the Terms of Service. Signature: each Party's execution/acceptance of the Agreement or this DPA is deemed signature to the UK Addendum.
  • Table 2 (Selected SCCs). Approved EU SCCs: Commission Implementing Decision (EU) 2021/914. Modules: Module Two (C→P) and—where Customer acts as a processor—Module Three (P→P). Clause 7 (Docking): not used (unless otherwise agreed in writing). Clause 9(a): general authorisation (Sub-processor list/notice per § 5). Clause 11 (Optional): not used. Clauses 17–18: for UK transfers, these are replaced by the UK Addendum's mandatory provisions (governing law and courts of England & Wales, unless Scotland or Northern Ireland are expressly selected).
  • Table 3 (Appendix Information). Annex I (Description of Processing) and Annex II (Technical & Organisational Measures) of this DPA; Sub-processor list in § 5.1.
  • Table 4 (Ending the Addendum when the Approved Addendum changes). Neither Party.

Swiss transfers (if applicable). The parties adopt the EU SCCs as recognized under Swiss law with the modifications recommended by the Swiss FDPIC.


7 SECURITY INCIDENT MANAGEMENT

Processor shall maintain written incident-response procedures and log and investigate all Personal-Data Breaches. Notifications under § 3(e) shall describe:

  • nature of the breach (categories & approximate number of Data Subjects / records affected);
  • likely consequences;
  • measures taken or proposed to address the breach;
  • contact point for further information.

8 RETENTION, DELETION & AUDIT

8.1 Retention. Retention schedules are set out in the Privacy Policy. Processor anonymises or deletes raw logs when they are no longer required for security or statutory reasons.
8.2 Deletion / Return. Within 30 days of Controller's written request or termination, Processor will (at Controller's option) securely delete or return all Personal Data (unless retention is required by law). Deletion is performed by cryptographic erasure (crypto-erase), with retention logs kept annually.
8.3 Audit. No more than once in any 12-month period, and on at least 30 days’ prior written notice, Controller (or its independent third-party auditor bound by confidentiality) may audit Processor’s compliance with this DPA and Applicable Laws. Processor will, in the first instance, make available current third-party attestations and reports (e.g., SOC 2 Type II report, ISO/IEC 27001 certificate and Statement of Applicability, PCI DSS AOC, and penetration-test summaries). Where such materials do not reasonably address Controller’s legitimate concerns, or where required by a supervisory authority, following a personal-data breach, or upon a material change to the Processing or Sub-processors, Controller may conduct a remote or on-site audit of relevant facilities, systems, and records during business hours, subject to reasonable security and confidentiality requirements. Audits are limited to information reasonably necessary to verify compliance, must not unreasonably disrupt Processor’s operations, and will not require disclosure of other customers’ data or Processor’s trade secrets (beyond appropriately redacted materials).

Costs. Controller bears its own costs. Processor will provide the third-party reports described above at no charge; for any on-site audit or for additional assistance beyond providing such reports (including evidence collation, data extractions, redactions, and staff time), Processor may charge reasonable, cost-based fees agreed in advance; such fees are waived if an audit identifies a material breach by Processor.

For Sub-processors, Processor will provide available summaries of their audit reports/certifications and coordinate any further audit rights consistent with Sub-processor terms. Nothing in this § 8.3 limits Controller’s rights under GDPR Art. 28(3)(h) or the SCCs.


9 LIABILITY & INDEMNITY

Liability is governed by the limitations in the Agreement. Each Party is liable for the damages it causes by any breach of this DPA. Nothing limits either Party's liability for breaches of the SCCs (where they apply).


10 TERM & TERMINATION

This DPA terminates automatically upon the later of (i) deletion / return of all Personal Data under § 8.2, or (ii) termination of the Agreement.


11 GOVERNING LAW & JURISDICTION

This DPA is governed by the laws of the State of New York, excluding conflict-of-law rules. Any dispute not subject to the SCCs' mandatory jurisdiction shall be brought in the state or federal courts located in New York County, NY, USA.

SCC choices. Solely for the Standard Contractual Clauses: under Clause 17 the parties select the law of Ireland as the governing law; under Clause 18 the parties agree that the courts of Ireland shall have jurisdiction.


12 MISCELLANEOUS

  • Order of Precedence. If there is conflict between this DPA, the SCCs, and the Agreement, the following order prevails: (a) SCCs, (b) this DPA, (c) Agreement.
  • Entire Agreement. This DPA (including its Annexes) constitutes the entire data-processing agreement between the Parties and supersedes any prior agreements on the same subject.
  • Amendments. Any amendment must be in writing and signed (electronic signature acceptable) by both Parties, except that Processor may update the Sub-processor list (§ 5.1, referenced in Annex I) per § 5.2.
  • Severability. If any provision is held invalid, the remainder of the DPA remains in effect.

13 ACCEPTANCE OF THIS DPA

Binding effect. This Data Processing Agreement is automatically incorporated into, and forms an integral part of, the OverpoweredJS Terms of Service. By executing the Order Form, clicking "I Agree," or otherwise continuing to use the Services on or after the Effective Date of the Terms of Service, the entity identified as the Customer in the Terms of Service is deemed to have executed this DPA in the capacity of Controller without the need for a separate signature.

Countersigned copy on request.
If Customer's internal policies require a fully-signed document, Customer may download a PDF version pre-signed by OverpoweredJS at this link and return a countersigned copy to support@overpoweredjs.com. Such countersignature will not affect the date on which this DPA became binding.


Annex I — Description of Processing

Item | Details
Nature & Purpose | Collection and analysis of browser / device signals, IP intelligence and related telemetry to detect bots, prevent fraud, and provide analytics & customer dashboard.
Data Categories | Device & Browser Signals (UA string, screen size, WebGL/WebRTC/Canvas outputs, JavaScript-API behaviour, fonts, timezone, language, OS hints); Network Data (IP, port, ASN, coarse geolocation, proxy/VPN/Tor flags) including enrichment via Synthient or MaxMind, Inc. per Customer tier; Unique identifiers (e.g., clusterUUID; browser-side identifiers written by the SDK such as cookies __opjs_id, __opjs and localStorage keys __opjs_id, __opjs); Usage & telemetry (API key, plan tier, call volume, error logs, timings). Customer/admin account data (e.g., billing contact name, email, company) is processed by OPJS as an independent controller under the Privacy Policy and is out of scope of this DPA.
Special Categories | None intentionally collected.
Data Subjects | End-users (visitors) of Controller's website(s); authorised users of Controller's OPJS account.
Retention | See § 8 and Privacy Policy.
Sub-processors | Listed in § 5.1 above.
Frequency | Continuous and event-driven during use of Services.

Annex II — Technical & Organisational Measures

  1. Encryption – TLS 1.3 in transit, AES-256 at rest.
  2. Access Control – Role-based, least-privilege IAM; hardware-token MFA for production systems.
  3. Network Security – Cloudflare WAF, rate-limiting, DDoS mitigation; segmented VPC networks.
  4. Monitoring & Logging – Centralised logging, anomaly detection, 24 × 7 on-call.
  5. Vulnerability Management – Monthly scans, critical patching ≤ 72 h; annual penetration tests.
  6. Incident Response – Documented playbooks, breach notification within 48 h.
  7. Business Continuity – Encrypted off-site backups (daily); disaster-recovery drills twice yearly.
  8. Personnel – Background checks for employees; mandatory security & privacy training.
  9. Physical Security – Tier III datacentres with 24 × 7 guards, CCTV, biometric access.
  10. Supplier Management – Due-diligence and contractual DPAs with all Sub-processors; annual review.