← Back to Home

GDPR Data Processing Addendum

Last updated: January 2025

1. Purpose & Scope

This Data Processing Addendum (DPA) governs the processing of personal data in accordance with the EU General Data Protection Regulation (GDPR) when using IntelligentAPI services.

Note: This DPA automatically applies to all enterprise customers and is incorporated by reference into our Terms of Service.

2. Definitions & Roles

Data Controller

Customer - The organization using IntelligentAPI services, who determines the purposes and means of personal data processing.

Data Processor

IntelligentAPI GmbH - Processes personal data on behalf of the Customer in accordance with documented instructions.

Data Subjects

Individuals whose personal data is contained within company information accessed through our API (e.g., company executives, employees).

3. Data Processing Details

Categories of Personal Data

  • Names and job titles of company executives
  • Professional contact information (business emails, phone numbers)
  • Employment history and professional qualifications
  • Company ownership and shareholding information
  • Publicly available social media profiles

Categories of Data Subjects

  • Company directors and executives
  • Senior management and key personnel
  • Company owners and shareholders
  • Public-facing company representatives

Purpose of Processing

  • Providing company intelligence and market research
  • Business development and lead generation
  • Due diligence and investment research
  • Competitive analysis and market mapping

4. Data Sources & Legal Basis

Data Sources (All Publicly Available)

  • Official business registries (Handelsregister, Firmenbuch)
  • Company websites and press releases
  • Professional networking platforms (LinkedIn, XING)
  • News articles and industry publications
  • Government databases and regulatory filings

Legal Basis (GDPR Article 6(1)(f))

Legitimate Interests: Processing is necessary for legitimate business purposes of both IntelligentAPI and our customers, balanced against data subjects' rights and freedoms. Data subjects can reasonably expect such processing given the public nature of the information.

5. Data Processor Obligations

Processing Instructions

IntelligentAPI will process personal data only on documented instructions from the Customer, including with regard to transfers of data to third countries.

Security Measures (Article 32)

  • Encryption of personal data at rest and in transit
  • Regular security testing and vulnerability assessments
  • Access controls and authentication mechanisms
  • Regular backups and disaster recovery procedures
  • Staff training on data protection requirements

Data Breach Notification

We will notify Customers of any personal data breach without undue delay and no later than 72 hours after becoming aware, providing all relevant information required under Article 33 GDPR.

6. Sub-processors

Authorized Sub-processors

Service ProviderServiceLocation
RailwayCloud hostingEU/US (adequacy decision)
StripePayment processingEU/US (SCCs)
OpenAIAI processingUS (SCCs)

Changes to Sub-processors: We will inform customers of any intended changes to sub-processors, giving them the opportunity to object.

7. Data Subject Rights

Support for Customer Compliance

IntelligentAPI will assist Customers in responding to data subject requests by providing relevant information and, where feasible, enabling the Customer to fulfill data subject rights.

Available Rights

  • Access to personal data (Article 15)
  • Rectification of inaccurate data (Article 16)
  • Erasure ("right to be forgotten") (Article 17)
  • Restriction of processing (Article 18)
  • Data portability (Article 20)
  • Objection to processing (Article 21)

Note: Some rights may be limited where data is publicly available or processing is necessary for legitimate interests.

8. International Transfers

Transfer Mechanisms

  • EU/EEA: No restrictions apply
  • Adequate Countries: Based on EC adequacy decisions
  • Third Countries: Standard Contractual Clauses (SCCs) 2021
  • UK: Based on adequacy decision

Additional Safeguards

Where SCCs are used, we implement additional technical and organizational measures to ensure data protection standards equivalent to those in the EU.

9. Contact & DPO

Data Protection Officer

Email: dpo@intelligentapi.ch
Response Time: Within 30 days

Data Processing Requests

For data subject requests, processing questions, or DPA-related inquiries, contact us at: gdpr@intelligentapi.ch

Audit Rights: Customers have the right to audit our data processing activities upon reasonable notice and in accordance with confidentiality obligations.