Data Processing Agreement
Version 1.0 · Last Updated: February 22, 2026
This Data Processing Agreement ("DPA") supplements our Terms of Service and Privacy Policy where we process Personal Data on behalf of Customers (as Data Controller) in connection with the LukeAPI platform. This DPA is designed to meet the requirements of GDPR Article 28 and other applicable data protection laws.
1. Definitions
- "Controller" means the Customer who determines the purposes and means of processing Personal Data (e.g., an API provider or developer using the Service).
- "Processor" means LukeAPI (or the legal entity operating the platform) who processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data (collection, storage, use, disclosure, etc.) as defined in GDPR Article 4(2).
- "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
2. Roles and Responsibilities
The Customer acts as Controller with respect to Personal Data it provides or causes to be processed via the Service (e.g., end-user data, developer account data, API usage data). LukeAPI acts as Processor when processing such data in accordance with the Customer's instructions.
The Processor shall process Personal Data only on documented instructions from the Controller, including as set forth in the Terms of Service, Privacy Policy, and this DPA. The Processor shall not process Personal Data for any other purpose except as required by applicable law; in such case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such disclosure.
3. Processing Instructions and Scope
The Processor processes Personal Data for the following purposes:
- Providing and operating the LukeAPI platform (marketplace, API gateway, billing, analytics, playground, forum, challenges)
- Authenticating users and managing accounts and organizations
- Processing subscriptions, payments (via Stripe), and referral/affiliate attribution
- Storing and serving API documentation, metadata, and webhook configuration
- Delivering AI-powered features (e.g., code generation); processing inputs and outputs as necessary to provide and improve these features
- Monitoring usage, performance, and security
- Communicating with users (support tickets, notifications, transactional email via Resend)
- Complying with legal obligations
Categories of Personal Data: Account identifiers (name, email, organization), payment information (processed by Stripe), usage data (API calls, subscriptions, analytics), referral/affiliate data, webhook and notification preferences, AI/playground inputs and outputs where applicable, forum and support content, device and log data (IP address, user agent, timestamps).
Categories of Data Subjects: Developers, API providers, organization administrators, end users of APIs (where the Controller passes such data through the platform).
Duration: Processing continues for the term of the Customer's use of the Service and for as long as necessary thereafter to fulfill legal retention requirements (e.g., 7 years for financial records).
4. Sub-Processors
The Processor engages the following Sub-Processors to assist in providing the Service. Each Sub-Processor is bound by contractual obligations substantially similar to those in this DPA.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, realtime | US / EU (configurable) |
| Stripe | Payment processing, billing | US (global) |
| Vercel | Hosting, CDN, edge functions | Global |
| Anthropic | AI features (e.g., code generation) | US |
| Resend | Transactional and notification email delivery | US |
We will notify Customers of any new Sub-Processors at least 30 days before authorizing them to process Personal Data. Customers may object on reasonable grounds relating to data protection. If we cannot reasonably accommodate the objection, the Customer may terminate the affected services without penalty.
5. Security Measures (Article 32)
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256). API keys and credentials are hashed; plain-text keys are never stored.
- Access control: Role-based access control (RBAC), row-level security (RLS), and principle of least privilege. Production access is limited, logged, and reviewed.
- Authentication: Secure authentication via Supabase Auth with support for MFA. Session management with secure token handling.
- Infrastructure: Hosting on trusted cloud providers (Vercel, Supabase) with security certifications. Regular dependency updates and security patching.
- Incident response: Defined procedures for detecting, containing, and resolving security incidents. Affected Controllers notified per Section 7.
For more details, see our Security & Compliance page.
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) as set forth in GDPR Articles 12–22.
To the extent a Data Subject request is directed to the Processor, the Processor shall promptly inform the Controller and shall not respond to the Data Subject except with the Controller's prior authorization or as required by law. The Processor shall provide reasonable assistance, including by providing the Controller with the ability to access, correct, or delete Personal Data through the Service or upon request.
Controllers and Data Subjects may also submit such requests via Privacy Settings.
7. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide information reasonably available to assist the Controller in meeting its breach notification obligations
- Include, where possible: nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach
The Processor shall document breaches, their effects, and remedial action taken, and make such documentation available to the Controller and supervisory authorities upon request.
8. International Data Transfers
Personal Data may be transferred to and processed in countries outside the EEA, UK, or Switzerland. Where such transfers occur, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use the EU Commission's Standard Contractual Clauses (2021) with our Sub-Processors where required.
- Adequacy decisions: Transfers to countries deemed adequate by the EU Commission, UK, or Swiss authorities are permitted without additional safeguards.
- Supplementary measures: Where necessary, we implement supplementary measures (encryption, access controls) to ensure an essentially equivalent level of protection.
Enterprise customers may request a signed DPA incorporating SCCs.
9. Audit and Compliance
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws. Upon reasonable notice and no more than once per year, the Processor shall allow for and contribute to audits or inspections conducted by the Controller or an agreed third-party auditor, subject to confidentiality obligations and reasonable scheduling to avoid disruption.
The Processor maintains documentation of its processing activities and security measures. We are on a SOC 2 Type II roadmap and will share relevant compliance certifications when available.
10. Deletion and Return of Data
Upon termination of the Service or upon the Controller's request, the Processor shall delete or return all Personal Data processed on behalf of the Controller, unless required to retain it by law. Deletion shall be completed within 90 days of termination or request, except where longer retention is required for legal, regulatory, or audit purposes (e.g., financial records for 7 years).
11. Contact
By using LukeAPI and processing Personal Data through the Service, you acknowledge that you have read and agree to this Data Processing Agreement.