Data Processing Agreement
Last updated: 28 June 2025
This Data Processing Agreement ("DPA") governs IPLocate’s processing of Personal Data on behalf of the Customer in providing the services. It is intended to ensure both parties meet their obligations under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and analogous laws in other jurisdictions.
This DPA is entered into by and between:
- The Customer (as defined in the IPLocate Terms of Service) ("Controller"); and
- IPLocate Pty Ltd (ACN 687 851 261), of 81-83 Campbell Street, Surry Hills NSW 2010, Australia, an Australian company ("Processor").
This DPA is incorporated into and forms an integral part of the IPLocate Terms of Service or any other master agreement between the Controller and the Processor (the "Agreement").
This DPA shall become effective on the date the Controller electronically accepts or signs the Agreement.
1. Definitions
For the purposes of this DPA:
1.1. "Applicable Data Protection Law" means all applicable data protection and privacy laws and regulations, including but not limited to the GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Brazilian Lei Geral de Proteção de Dados (LGPD), and the Personal Information Protection Law of the People's Republic of China (PIPL).
1.2. "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in the course of providing the Services. To the extent that IP addresses submitted to the Service by the Controller are considered Personal Data under Applicable Data Protection Law, they shall be treated as such under this DPA.
1.3. "Processing", "Data Subject", "Personal Data Breach", and "Supervisory Authority" shall have the meanings ascribed to them in the GDPR.
1.4. "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
1.5. "Services" means the IP geolocation services provided by the Processor to the Controller as described in the Agreement.
1.6. "SCCs" means the Standard Contractual Clauses annexed to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced from time to time.
1.7. "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner.
2. Processing of Personal Data
2.1. Roles of the Parties. The parties acknowledge and agree that for the purposes of the Applicable Data Protection Law, the Controller is the controller (or "business") of the Personal Data, and the Processor is the processor (or "service provider") of such data.
2.2. Processor's Instructions. The Processor shall only Process Personal Data on behalf of and in accordance with the Controller’s documented lawful instructions. The Agreement and this DPA constitute the Controller's complete and final instructions to the Processor for the Processing of Personal Data. Any additional or alternative instructions must be agreed upon in writing.
2.3. Details of Processing. The subject matter, duration, nature, purpose, categories of Data Subjects, and categories of Personal Data processed under this DPA are set forth in Appendix 1.
3. Processor's Obligations
3.1. Confidentiality. The Processor shall ensure that its personnel authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2. Security. The Processor shall implement and maintain appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Appendix 2.
3.3. Subprocessing.
- The Controller provides a general written authorization for the Processor to engage third-party subprocessors to Process Personal Data in connection with the provision of the Services.
- The Processor shall maintain an up-to-date list of its subprocessors, which is available at https://www.iplocate.io/legal/service-providers.
- The Processor shall notify the Controller of any intended changes concerning the addition or replacement of subprocessors, thereby giving the Controller the opportunity to object to such changes. If the Controller has a reasonable objection related to data protection, the parties will work together in good faith to find a resolution.
- The Processor shall impose on its subprocessors data protection obligations that are no less protective than those in this DPA. The Processor shall remain fully liable to the Controller for the performance of the subprocessor's obligations.
3.4. Data Subject Rights. The Processor shall, to the extent legally permitted, provide reasonable assistance to the Controller to enable the Controller to respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Law.
3.5. Personal Data Breaches. The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The Processor shall provide the Controller with sufficient information to allow the Controller to meet its own breach notification obligations.
3.6. Data Protection Impact Assessments. The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with Supervisory Authorities which the Controller reasonably considers to be required by Applicable Data Protection Law.
4. International Transfers
4.1. The parties agree that when the transfer of Personal Data from the Controller to the Processor is a transfer from the European Economic Area (EEA) to a country not recognized by the European Commission as providing an adequate level of protection (such as Australia), the parties are deemed to have entered into the SCCs.
4.2. For the purposes of the SCCs:
- The parties agree to be bound by the terms of Module Two: Controller to Processor (C2P).
- Clause 7 (Docking Clause) shall not apply.
- In Clause 9, Option 2 (General written authorisation) shall apply, and the time period for notice of subprocessor changes shall be 30 days.
- In Clause 17, the governing law shall be the law of an EU Member State that allows for third-party beneficiary rights. The parties agree this shall be the law of Ireland.
- In Clause 18, the forum for dispute resolution shall be the courts of Ireland.
- The Appendices of this DPA shall serve as the Appendices of the SCCs.
4.3. For transfers of data from the United Kingdom, the SCCs as implemented by this section shall be supplemented by the UK Addendum. The information required by Part 1 of the UK Addendum is located in the Appendices of this DPA.
5. Audits
5.1. The Processor shall make available to the Controller, upon reasonable request, all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
5.2. Such audits shall be conducted during regular business hours, with reasonable advance notice, and subject to the Processor's confidentiality obligations. The parties shall agree on the scope of the audit in advance.
6. Return and Deletion of Data
Upon termination of the Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller, and delete existing copies unless applicable law requires storage of the Personal Data.
7. General Provisions
7.1. Precedence. In the event of a conflict between the terms of this DPA and the Agreement, this DPA shall prevail.
7.2. Governing Law. This DPA and any disputes arising from it shall be governed by the laws of New South Wales, Australia, without regard to its conflict of laws principles. This is without prejudice to the governing law stipulated in the SCCs under Clause 4.
7.3. Changes to this DPA. This DPA may be amended from time to time to reflect changes in Applicable Data Protection Law.
Appendix 1: Details of Processing
Topic | Description |
---|---|
List of Parties | Data Exporter: The Customer, as defined in the Agreement. Data Importer: IPLocate Pty Ltd., an Australian company. |
Subject Matter of Processing | The provision of IP geolocation and related data services as described in the Agreement. |
Duration of Processing | For the term of the Agreement, and thereafter for as long as required by applicable law or for legitimate business purposes. |
Nature and Purpose of Processing | The Processor will process Personal Data for the purposes of providing, maintaining, and improving the Services. This includes receiving an IP address from the Controller's system via an API call and returning associated geolocation data. |
Categories of Data Subjects | The categories of Data Subjects are determined and controlled by the Controller. To the extent the data processed constitutes Personal Data, Data Subjects may include the Controller's own end-users, website visitors, or other individuals whose IP addresses are submitted to the Service by the Controller. |
Categories of Personal Data Transferred | The Personal Data submitted is determined by the Controller, but is limited to IP addresses. The Controller must not send any other Personal Data to the Service. |
Sensitive Data Transferred | No sensitive data is intended to be transferred. The Controller is prohibited from sending such data to the Service. |
Frequency of Transfer | Continuous, on the basis of API calls made by the Controller. |
Subprocessor Transfers | The subject matter, nature, and duration of processing by subprocessors are outlined on our public list of Service Providers available at https://www.iplocate.io/legal/service-providers. |
Appendix 2: Technical and Organizational Security Measures
IPLocate implements and maintains the following technical and organizational measures to protect Personal Data:
Category | Description of Measures |
---|---|
1. Service Providers & Hosting | All infrastructure and services are hosted with major, reputable cloud service providers (including Amazon Web Services and Cloudflare) who maintain industry-leading physical and environmental security (e.g., SOC 2, ISO 27001 certifications). |
2. Access Control | - Principle of Least Privilege: Access to production environments is strictly limited to authorized personnel on a need-to-know basis. - Strong Authentication: Access to all critical infrastructure and service provider dashboards is secured with strong, unique passwords and multi-factor authentication (MFA). - Customer Access: Customer access to the IPLocate dashboard is protected by password and email verification. |
3. Encryption | - Data in Transit: All data transmission between the Controller and the Processor's API, as well as all traffic to the iplocate.io website, is encrypted using industry-standard TLS (HTTPS). - Data at Rest: While API logs containing IP addresses are not stored long-term, any sensitive configuration or customer account information in databases is encrypted at rest. |
4. Network Security | A Web Application Firewall (WAF) and CDN services are provided by Cloudflare to protect against common web threats, including DDoS attacks and other malicious traffic. |
5. Data Minimization & Retention | - API Logs: API request logs containing Personal Data are not logged, except where required for technical debugging, after which they are deleted. - Customer Account Data: Customer account information is retained only as long as necessary to provide the Services and for legal and financial record-keeping. |
6. Incident Management | In the event of a Personal Data Breach, we will promptly investigate, take reasonable steps to mitigate the effects, and notify affected Controllers without undue delay, in accordance with our legal obligations. |
7. Personnel | Personnel are trained in secure development and operational practices. All personnel with access to Personal Data are subject to strict confidentiality obligations. |
8. Third-Party Vendor Management | All third-party subprocessors are selected for their strong security posture and commitment to data protection. We maintain DPAs with our subprocessors where required. A full list is maintained at the URL specified in this DPA. |