Skip to main content

Data Processing Addendum (DPA)

Last updated: November 4, 2025 This Data Processing Addendum (“DPA”) forms part of and is incorporated into the anysite.io General Terms and Conditions and/or any separately executed Master Service Agreement between Anysite, Inc., a Delaware corporation, with its principal place of business at Delaware, USA (“Anysite”, “we”, “us” or “Processor/Service Provider”) and the customer identified in the applicable agreement (“Customer” or “Controller/Business”) (each a “Party” and collectively, the “Parties”). This DPA governs Anysite’s Processing of Personal Data on behalf of Customer in connection with the anysite.io platform and related services (the “Services”). If there is any conflict between this DPA and the Agreement, this DPA will control with respect to its subject matter. Capitalized terms not defined here have the meanings in the Agreement or under applicable Data Protection Law.

1) Definitions

1.1. Data Protection Law

Data Protection Law means all laws and regulations relating to data privacy, data protection, data security, breach notification, or the Processing of Personal Data that apply to a Party’s performance under this DPA, including as applicable: the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK Data Protection Act 2018 and UK GDPR, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, “CCPA/CPRA”).

1.2. EU SCCs

EU SCCs means the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced.

1.3. UK Addendum

UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK ICO (version B1.0 in force 21 March 2022), as amended or replaced.

1.4. Personal Data Terms

Personal Data, Controller, Processor, Business, Service Provider, Sell, Share, Data Subject, Process/Processing, and related terms have the meanings given to them by the applicable Data Protection Law. For CPRA, “sharing” includes transfers for cross‑context behavioral advertising even when no money changes hands.

2) Roles; Scope; Customer Instructions

2.1. Roles

For Processing under this DPA, Customer acts as Controller/Business and Anysite acts as Processor/Service Provider. Where Customer acts as a Processor of a third‑party controller, Anysite acts as Sub‑processor.

2.2. Documented Instructions

Anysite will Process Personal Data solely:
  • (a) to provide the Services and perform the Agreement;
  • (b) in accordance with Customer’s documented, lawful instructions; and
  • (c) as required by applicable law (in which case, Anysite will inform Customer unless such notice is prohibited).

2.3. Customer Responsibilities

Customer is responsible for the lawfulness of the Personal Data and instructions it provides, including providing any necessary notices and obtaining valid legal bases (e.g., consent, legitimate interests) and honoring Data Subject rights.

2.4. No Restricted Data (by default)

Unless the Parties expressly agree in writing and implement appropriate safeguards, Customer will not provide Anysite with Special Categories of data (GDPR Art. 9), data on criminal convictions/offences (Art. 10), PHI under HIPAA, PCI‑DSS data, children’s data subject to parental consent regimes, FERPA data, or other sector‑specific regulated data.

2.5. Anysite as Independent Controller (limited)

Separately from Processing as a Processor, Anysite may Process certain Personal Data as its own Controller (e.g., account provisioning and management, billing, abuse detection, compliance with legal obligations, and creation of aggregated, de‑identified analytics to plan capacity and improve Services). Such Processing is described in the Anysite Privacy Policy and falls outside this DPA. This mirrors common platform practice and the approach outlined in Apify’s DPA for controller‑level operations.

3) Confidentiality

Anysite will ensure that personnel authorized to Process Personal Data are subject to binding duties of confidentiality and access Personal Data only as necessary to perform the Services.

4) Security Measures

4.1. Protection

Anysite implements and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, costs, and the nature, scope, context and purposes of Processing (see Schedule D – Security Measures).

4.2. Reviews & Updates

Anysite will regularly review and update its security measures to maintain an appropriate level of protection.

5) Security Incidents

5.1. Notice

Upon becoming aware of a confirmed Security Incident affecting Personal Data Processed by Anysite on Customer’s behalf, Anysite will notify Customer without undue delay and no later than 72 hours after confirmation, and will provide information reasonably available to assist Customer with its own notification obligations. (72‑hour timing aligns with common practice; Apify’s DPA uses the same window.)

5.2. Mitigation

Anysite will take reasonable steps to contain, investigate, and remediate the Security Incident.

5.3. No Admission

Incident notifications are not an admission of fault or liability.

6) Sub‑processors

6.1. Authorization

Customer authorizes Anysite to engage Sub‑processors to provide the Services.

6.2. List & Notice

Anysite will maintain a public list of current Sub‑processors at https://docs.anysite.io/legal/subprocessors (the “Sub‑processors Page”) and will provide at least 10 days’ prior notice of new Sub‑processors by updating that page (and, if available, an email subscription mechanism). This approach mirrors Apify’s public Sub‑processor notice model.

6.3. Objection

Customer may object on reasonable data‑protection grounds within 10 days of notice. The Parties will work in good faith to find a reasonable alternative. If none is available, Customer may suspend the affected Services.

6.4. Flow‑down; Liability

Anysite will impose data‑protection terms on Sub‑processors that are no less protective than this DPA and remains responsible for Sub‑processors’ performance.

7) International Data Transfers

7.1. General

Customer authorizes Anysite to transfer, store, and Process Personal Data in the United States and other jurisdictions in which Anysite or its Sub‑processors operate, subject to transfer safeguards in this Section.

7.2. EU/EEA → non‑EEA transfers

Where Customer’s Personal Data is subject to the GDPR and is transferred to Anysite in a country without an adequacy decision, the EU SCCs are incorporated by reference and completed as set out in Schedule A (typically Module Two: Controller → Processor; Module Three may apply where Customer is a Processor). In case of conflict between this DPA and the EU SCCs, the EU SCCs prevail.

7.3. UK transfers

For Personal Data subject to UK GDPR, the UK Addendum is incorporated and completed as set out in Schedule A.

7.4. Supplementary measures; TIA

Where required, the Parties will cooperate in good faith to implement supplementary measures and complete transfer impact assessments.

8) Audits & Assistance

8.1. Documentation

Upon written request (no more than once in any 12‑month period), Anysite will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., summaries of security controls, third‑party compliance reports, or certifications if available).

8.2. Audits

If such information does not reasonably demonstrate compliance, Customer may conduct (or have conducted by a mutually agreed independent auditor) an on‑site or remote audit of Anysite’s relevant systems and facilities under reasonable confidentiality, time, scope, and cost‑reimbursement parameters, and during normal business hours, no more than once every 12 months.

8.3. Regulatory Cooperation

Anysite will reasonably cooperate with competent supervisory authorities in relation to Processing performed under this DPA.

9) Return & Deletion

At termination or upon written request, Anysite will delete or return Personal Data (at Customer’s choice), unless retention is required by law (in which case Anysite will continue to protect the data per this DPA and delete as soon as legally permissible).

10) Data Subject Requests

Taking into account the nature of the Processing, Anysite will provide reasonable assistance to Customer, by appropriate technical and organizational measures, to enable Customer to respond to Data Subject requests (access, deletion, portability, objection, restriction, etc.). Where a request is made directly to Anysite, Anysite will redirect it to Customer without responding (unless legally required). (This mirrors the approach outlined in Apify’s DPA.)

11) DPIAs & Prior Consultations

Anysite will provide reasonable assistance to Customer in carrying out data protection impact assessments and consultations with supervisory authorities where required by Data Protection Law, considering the nature of Processing and information available to Anysite. (Comparable to Apify’s DPIA section.)

12) Anysite Policies & AUP

Customer’s use of the Services must comply with the Anysite Acceptable Use Policy and Privacy Policy, each incorporated by reference.

13) CCPA/CPRA – Service Provider Terms (Schedule B incorporated)

To the extent Anysite Processes Personal Information subject to CCPA/CPRA on behalf of Customer, Anysite will act as Service Provider and will not:
  • (a) sell such Personal Information;
  • (b) share such Personal Information for cross‑context behavioral advertising;
  • (c) retain, use, or disclose such Personal Information for any purpose other than providing the Services or as otherwise permitted by CCPA/CPRA; or
  • (d) combine such Personal Information with other data except as permitted by CCPA/CPRA (e.g., for certain business purposes).

14) Liability; Order of Precedence

14.1. Liability

Each Party’s liability arising under or in connection with this DPA is subject to the limitations and exclusions set out in the Agreement.

14.2. Precedence

In case of conflict: EU SCCs/UK Addendum (Schedule A) prevail over this DPA; this DPA prevails over the Agreement.

15) Term; Changes; Governing Law

15.1. Term

This DPA is effective as of the Effective Date of the Agreement (or the date accepted by Customer, if later) and remains in force while Anysite Processes Personal Data for Customer.

15.2. Changes

Anysite may update this DPA to reflect legal or operational changes, with notice to Customer in accordance with the Agreement and applicable law.

15.3. Governing Law; Venue

This DPA (excluding the EU SCCs/UK Addendum, which specify their own governing law/forum) is governed by the laws of the State of Delaware, with exclusive venue as set out in the Agreement.

15.4. Contact

DPO/Privacy contact: privacy@anysite.io (or as updated on our Website).

Schedule A – Cross‑Border Transfer Mechanisms

A. EU SCCs (Controller → Processor; Processor → Processor as applicable)

The EU SCCs (2021/914) are incorporated by reference and deemed executed between the Parties as follows:
  • Module Two (C→P) applies where Customer is Controller and Anysite is Processor;
  • Module Three (P→P) applies where Customer is Processor and Anysite is Sub‑processor.
  • Clause 7 (Docking Clause): not applied.
  • Clause 9 (Sub‑processor authorization): general authorization with notice per Section 6.
  • Clause 17 (Governing law): Ireland.
  • Clause 18 (Forum): Irish courts.
  • Annex I(A)–(C) and Annex II are completed by Schedules C–D of this DPA.

B. UK Addendum

For Personal Data subject to UK GDPR, the UK Addendum (version B1.0 in force 21 March 2022) is incorporated and completed as follows:
  • Tables 1–3 pull the corresponding information from the EU SCCs/Annexes as above;
  • In Table 4, the “neither party” option is selected unless the Parties agree otherwise.
  • The Addendum start date is the DPA effective date.
If the Parties later adopt alternative or additional transfer tools (e.g., adequacy decisions or certification schemes), they may supersede or supplement the above by written agreement.

Schedule B – CCPA/CPRA Additional Terms

  1. Service Provider. Anysite acts as a Service Provider (Cal. Civ. Code §1798.140) in Processing Personal Information on Customer’s behalf.
  2. No Sale/Share. Anysite will not sell or share Personal Information, including no cross‑context behavioral advertising use, and will not retain, use, or disclose it outside the business purpose of providing the Services, except as permitted by CCPA/CPRA.
  3. Assistance. Anysite will provide reasonable assistance to enable Customer to honor consumer rights requests, opt‑out signals, and to implement deletion/retention obligations.
  4. Subcontractors. Anysite will impose Service‑Provider‑level restrictions on Sub‑processors and remains responsible for their compliance.
  5. Certifications. Upon Customer’s written request, Anysite will certify compliance with this Schedule B.

Schedule C – Details of Processing (Annex I & Annex I(B) to SCCs)

1. Parties

Data Exporter: Customer (name and contact details as set forth in the Agreement or account profile). Role: Controller (or Processor, where applicable). Data Importer: Anysite, Inc. (Delaware, USA); contact: privacy@anysite.io. Role: Processor (or Sub‑processor, where applicable).

2. Subject Matter; Nature; Purpose; Duration

  • Subject Matter: Processing of Personal Data submitted to or collected through the Services (e.g., datasets obtained via Customer‑configured API/data extraction workflows).
  • Nature of Processing: collection, retrieval, ingestion, storage, structuring, transmission, analysis, output generation, deletion.
  • Purpose: provision, maintenance, and improvement of the Services as instructed by Customer; support; security; incident prevention/detection; account management; billing; usage analytics (aggregated/de‑identified).
  • Duration: for the term of the Agreement and any lawful retention period.

3. Data Subjects & Categories of Personal Data (at Customer’s discretion and configuration)

  • Data Subjects: may include Customer’s end users, website visitors, prospects, employees/contractors (business contacts), vendors, and other individuals whose data Customer lawfully provides.
  • Personal Data Categories: identifiers and contact data (e.g., name, email, IP, device/online identifiers), professional information, transactional and usage metadata, and other data fields that Customer elects to Process through the Services.
  • Sensitive Data: not anticipated by default. If Customer instructs Anysite to Process special categories or other sensitive data, the Parties will document additional safeguards in writing before Processing.

4. Frequency of Transfers

Continuous or as determined by Customer’s use.

5. Sub‑processor Transfers

Limited to infrastructure and tooling needed to provide the Services, for the duration necessary to fulfill the purpose.

Schedule D – Security Measures (Annex II to SCCs)

Anysite maintains the following technical and organizational measures (non‑exhaustive and subject to reasonable updates):
  1. Governance & Access Control: role‑based access; unique credentials; MFA for privileged access; least‑privilege and need‑to‑know; periodic access reviews; timely revocation.
  2. Data Security: encryption in transit (TLS) and at rest (industry‑standard); key management with restricted access; data segregation/tenant isolation; hardened storage.
  3. Network & Infrastructure: firewalls and network segmentation; baseline hardening; system patching cadence; vulnerability scanning and risk‑based remediation; DDoS protections.
  4. Monitoring & Logging: centralized logging; security event monitoring and alerting; audit trails for administrative actions; time synchronization.
  5. Application Security: secure SDLC; code reviews; dependency management; secrets management; regular security testing (including third‑party testing where appropriate).
  6. Business Continuity & DR: documented backup and recovery procedures; redundancy for critical components; recovery objectives aligned to service tier.
  7. Incident Response: documented plan; defined roles; triage/containment/eradication steps; post‑incident reviews; customer communications workflow (see Section 5).
  8. Personnel Security & Training: background checks where lawful; confidentiality undertakings; periodic security and privacy training.
  9. Vendor & Sub‑processor Management: security due diligence; contractual flow‑down of obligations; ongoing monitoring aligned with risk.
  10. Physical Security: data center controls provided by reputable hosting providers; visitor management; access logs.
  11. Privacy by Design/Default: minimization; purpose limitation; configurable retention; de‑identification/aggregation where feasible.
  12. Change Management: documented change control; emergency change procedures; rollback plans.
These security controls are comparable to the security control families commonly referenced in DPAs; Apify’s DPA describes similar categories of measures.

Schedule E – List of Sub‑processors

An up‑to‑date list of Sub‑processors engaged by Anysite is published at: https://docs.anysite.io/legal/subprocessors Customers may subscribe to changes where available and will receive at least 10 days’ advance notice before a new Sub‑processor is engaged.
This approach is aligned with Apify’s public Sub‑processors list model.

Notes on Sources & Alignment

  • This DPA aligns with the EU SCCs (2021/914) and UK Addendum B1.0 (in force 21 Mar 2022) for cross‑border transfers.
  • CPRA’s definition of “sharing” (cross‑context behavioral advertising) is reflected in Schedule B.
  • The structure and certain concepts mirror the public Apify DPA (e.g., controller‑level purposes, breach notice timing, public subprocessors page with notice).

Contact Us

For questions about this Data Processing Addendum, contact us at: