This DPA applies to customers using the Amygdala API who are subject to GDPR. By using the API, you agree to these terms. If your organization requires a countersigned DPA, contact us at joran.cornelisse@gmail.com.
1. Definitions
"Controller" means you, the customer, who determines the purposes and means of processing personal data retrieved via the API.
"Processor" means Amygdala (Amygdala B.V., soon to be established), acting on your instructions when you query our API.
"Personal Data" has the meaning given in Article 4 GDPR.
"Processing" has the meaning given in Article 4 GDPR.
"Services" means the Amygdala API and related platform services.
2. Scope and relationship
This DPA applies where you, as a Controller, use the Amygdala API to retrieve personal data about individuals (indexed persons) and process that data within your own systems or products. In this context, Amygdala acts as your Processor for the personal data returned via API responses.
Amygdala remains an independent Controller for its own purposes (building and maintaining the Authority Index, billing, security, and service improvement).
3. Details of processing
Subject matter: Authority scores, expert profiles, and related signals for individuals indexed in the Amygdala Authority Index.
Duration: For the duration of your active account, unless terminated earlier.
Nature and purpose: Retrieval of publicly derived authority data at your request, for purposes determined by you as Controller.
Types of personal data: Names, social handles, platform presence, areas of expertise, authority scores, and related public signals.
Categories of data subjects: Individuals with a publicly verifiable online presence indexed by Amygdala.
4. Processor obligations
Amygdala agrees to:
Process personal data only on your documented instructions (i.e. the API requests you make)
Ensure that personnel authorized to process personal data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures in line with Article 32 GDPR
Not engage sub-processors without informing you and giving you the opportunity to object
Assist you, where possible, in responding to data subject rights requests relating to the data we return
Notify you without undue delay if we become aware of a personal data breach affecting data returned via the API
Delete or return personal data upon termination of the agreement, at your request
Make available to you the information necessary to demonstrate compliance with this DPA
5. Controller obligations
As Controller, you agree to:
Use the API only for lawful purposes and in compliance with GDPR
Ensure you have a valid legal basis for any further processing of data retrieved via the API
Not use the API to process special categories of personal data (Article 9 GDPR)
Not use data retrieved via the API to make fully automated decisions that produce legal or similarly significant effects about individuals, without appropriate safeguards
Maintain your own records of processing activities as required by Article 30 GDPR
6. Sub-processors
Amygdala uses the following categories of sub-processors to deliver the service:
Cloud infrastructure and database hosting (within the EEA)
Payment processing (Stripe)
Transactional email delivery
We will notify you of any intended changes to sub-processors. You may object to a new sub-processor within 14 days of notification. If we cannot accommodate your objection, you may terminate your account without penalty.
7. International transfers
Amygdala processes and stores data within the EEA. Where sub-processors operate outside the EEA, Amygdala ensures appropriate safeguards are in place (Standard Contractual Clauses or equivalent). Details are available on request.
8. Security measures
Amygdala implements and maintains appropriate technical and organizational measures including:
Encryption of data in transit (TLS 1.2 or higher) and at rest
Role-based access controls and the principle of least privilege
Regular security assessments
Incident detection and response processes
Secure development practices
9. Data subject rights
If a data subject contacts you regarding their rights (access, erasure, restriction, objection), you are responsible for responding as Controller. Amygdala will assist you by providing the information we hold that is relevant to that request, where technically feasible, and will direct data subjects who contact us directly to the appropriate Controller where we can identify them.
10. Audit rights
You have the right to audit Amygdala's compliance with this DPA, subject to reasonable notice (at least 30 days), not more than once per year, and at your own cost. Audits may be conducted by you or a mutually agreed third-party auditor under confidentiality obligations. We may satisfy audit requests by providing relevant certifications or third-party audit reports where available.
11. Term and termination
This DPA is effective for as long as your account is active. Upon termination, Amygdala will delete personal data attributable to your processing activities within 90 days, unless retention is required by law.
12. Governing law
This DPA is governed by Dutch law and forms part of the agreement between you and Amygdala as set out in our Terms of Service.
13. Contact
For questions about this DPA or to request a countersigned version, contact us at joran.cornelisse@gmail.com.