Data Processing Agreement

Last updated: 1 April 2025 · Between MindGear ("Processor") and the API customer ("Controller")

This Data Processing Agreement ("DPA") applies when you use the RouteForge API and your usage involves processing personal data on behalf of your end users. If you operate as a data controller and RouteForge processes personal data on your behalf, this DPA governs that relationship as required by GDPR Article 28.

1. Definitions

  • "Controller" — the API customer who determines the purposes and means of processing personal data.
  • "Processor" — MindGear, operating RouteForge, processing data on behalf of the Controller.
  • "Personal data" — any data relating to an identified or identifiable natural person transmitted through API requests (e.g., GPS coordinates that could identify a person's home or workplace).

2. Scope and nature of processing

MindGear processes data solely to deliver the API response requested. Request payloads are not stored. The only data retained is: endpoint name, HTTP status, response time, cost, and timestamp — none of which constitutes personal data in isolation.

3. Processor obligations

MindGear shall:

  • Process personal data only on documented instructions from the Controller (the API request itself constitutes such instructions).
  • Ensure confidentiality obligations are imposed on all personnel with access to personal data.
  • Implement appropriate technical and organisational measures (TLS encryption in transit, encryption at rest, access controls).
  • Notify the Controller within 72 hours of becoming aware of a personal data breach.
  • Delete or return all personal data upon termination of the service relationship.
  • Make available all information necessary to demonstrate compliance with Article 28 obligations.

4. Sub-processors

MindGear uses the following sub-processors and will notify Controllers of any intended changes:

  • Supabase (EU region) — database and authentication infrastructure.
  • VPS provider (Romania, EU) — server infrastructure.

Controllers may object to new sub-processors within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the service.

5. Controller obligations

The Controller is responsible for:

  • Having a lawful basis to process personal data before sending it to the API.
  • Ensuring end users are informed about data processing as required by GDPR.
  • Not transmitting special category data (health, biometric, etc.) through the API.

6. Data subject requests

Because MindGear does not store request payload data, we cannot fulfill data subject requests for data that exists only within the Controller's own systems. Requests relating to usage logs (endpoint, status, timestamp) can be submitted to hello@routeforge.eu.

7. Duration and termination

This DPA is effective for the duration of your RouteForge account. Upon account deletion, all associated data is erased within 30 days.

8. Governing law

This DPA is governed by the laws of Romania and EU regulation (GDPR — Regulation 2016/679).
