Data Processing Addendum
Last updated: 2026-04-11
This Data Processing Addendum ("DPA") forms part of the Terms of Service between TheFitnessDB ("Processor") and the customer ("Controller") and governs the processing of personal data in connection with the API Services.
1. Scope and Purpose
This DPA applies when the Controller sends API requests that may contain or return personal data. The Processor processes this data solely to deliver the API Services as described in the Terms of Service.
2. Data Processing Details
Categories of data subjects: end users of the Controller's applications. Types of personal data: API request metadata (IP addresses, timestamps, API key identifiers). No special category data or patient health information (PHI) is accepted or processed. Duration: for the term of the subscription plus the retention period specified in the Privacy Policy.
3. Processor Obligations
The Processor shall: process personal data only on documented instructions from the Controller; ensure that persons authorized to process personal data are bound by confidentiality obligations; implement appropriate technical and organizational security measures; assist the Controller in responding to data subject requests; delete or return all personal data at the end of the service relationship, at the Controller's election; and make available all information necessary to demonstrate compliance with GDPR Article 28.
4. Sub-Processors
The Processor uses the sub-processors listed in the Privacy Policy. The Controller authorizes the Processor to engage these sub-processors. The Processor will notify the Controller of any intended changes to sub-processors at least 30 days in advance, providing the Controller an opportunity to object.
5. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller's data. The notification shall include the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to mitigate the breach.
6. International Transfers
The Processor shall not transfer personal data outside the EU/EEA without ensuring appropriate safeguards are in place, consistent with GDPR Chapter V. Where transfers are necessary, the Processor relies on Standard Contractual Clauses (SCCs) or equivalent mechanisms.
7. Audits
The Controller may audit the Processor's compliance with this DPA upon reasonable written notice. The Processor shall cooperate with such audits and make available relevant records and facilities.
8. Term and Termination
This DPA remains in effect for the duration of the API subscription. Upon termination, the Processor shall delete or return all personal data within 30 days, unless retention is required by applicable law.