
Data Processing Addendum

Effective Date: June 24, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Valipod Technologies ("Authepy", "Data Processor") and the Client ("Data Controller"). By using the Authepy API, the Client agrees to this DPA, which is intended to satisfy the requirements of the GDPR, the CCPA/CPRA, and other applicable privacy frameworks.

1. Definitions

  • "Data Protection Laws" refers to the EU General Data Protection Regulation 2016/679 (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and any other applicable national privacy legislation.
  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Authepy on behalf of the Client. For the purposes of our Service, this is strictly limited to end-user email addresses and transit IPs.
  • "Sub-processor" means any third-party data processor engaged by Valipod Technologies to assist in fulfilling its obligations under the Terms.

2. Roles and Scope of Processing

2.1 Role of the Parties: The Client acts as the Data Controller. Valipod Technologies acts exclusively as a Data Processor. Under the CCPA, Valipod Technologies acts exclusively as a "Service Provider".

2.2 Client Instructions: Authepy shall process Personal Data solely in accordance with the Client's documented instructions (which are given effect by the Client's configuration of the API) and for the sole purpose of delivering and verifying One-Time Passwords (OTPs).

2.3 Prohibition on Selling/Sharing: Authepy certifies that it will not sell, rent, release, disclose, disseminate, make available, or otherwise communicate Personal Data to any third party for monetary or other valuable consideration, or for cross-context behavioral advertising.

3. Sub-processing

3.1 Authorized Sub-processors: The Client grants Authepy general written authorization to engage Sub-processors. The current list of approved Sub-processors includes Amazon Web Services (AWS), Postmark (Wildbit), and Stripe, Inc.

3.2 Flow-down Obligations: Authepy shall impose data protection terms on any Sub-processor that protect Personal Data to the same standard provided for by this DPA. Authepy remains fully liable to the Client for the performance of the Sub-processor's obligations.

4. Security of Processing

Authepy implements and maintains state-of-the-art technical and organizational measures to ensure a level of security appropriate to the risk of processing. These measures include:

  • Volatile Memory Execution: Plaintext OTP payloads are held only in process memory of the Node.js service for the duration of a verification request; they are not written to disk and are released for V8 garbage collection once verification completes.
  • Encryption: Enforcement of TLS 1.3 for data in transit and AES-256 envelope encryption for persistent workspace credentials at rest.
  • Cryptographic Hashing: Developer API Secret Keys are passed through the one-way PBKDF2 key derivation function before storage, so the database holds only the derived hash and never the plaintext key.

5. Data Subject Rights (DSRs)

Due to the ephemeral nature of Authepy's architecture, Personal Data is not retained beyond the transient processing window except for the transit logs described in Section 5.1. If a Data Subject submits a valid request regarding their data directly to Authepy, Authepy shall, to the extent legally permitted, promptly forward the request to the Client.

5.1 Automated Fulfillment

Because transit logs (including originating IP addresses) are automatically purged on a rolling thirty (30) day schedule, the Client acknowledges that "Right to Erasure" requests pertaining to data held on Authepy's infrastructure are satisfied by that purge cycle, without manual intervention, no later than thirty (30) days after the data was created.

6. International Data Transfers

Any transfer of Personal Data originating from the European Economic Area (EEA), the UK, or Switzerland to Authepy's processing facilities in India or the United States shall be governed by the standard contractual clauses (SCCs) adopted by the European Commission, together with the UK International Data Transfer Addendum for transfers subject to the UK GDPR. By agreeing to the Terms of Service, the parties are deemed to have executed the SCCs and their applicable annexes.

7. Security Incident Management

Authepy shall maintain an internal security incident response plan. Upon becoming aware of a Personal Data Breach affecting Client Personal Data, Authepy shall initiate that plan and notify the Data Controller without undue delay via the administrative contact email on file in the Client's Developer Dashboard. The notice shall describe, to the extent then known, the nature of the breach, the categories of Personal Data affected, and the measures taken or proposed to address it.

8. Audits and Compliance

Upon the Client's written request, Authepy shall make available all information necessary to demonstrate compliance with this DPA. Given the multi-tenant nature of the platform, the Client agrees to exercise its audit rights first by requesting and reviewing Authepy's existing compliance certifications, penetration test summaries, or independent third-party audit reports (e.g., SOC 2 or ISO/IEC 27001 mappings) before requesting a physical or direct system audit, which shall be conducted at the Client's sole expense.

9. Return or Deletion of Data

Upon termination of the Client's account or expiration of the Terms, Authepy shall securely delete all Personal Data processed on behalf of the Client. Consistent with Section 4, transient OTP data is discarded as soon as the verification request completes, and transit logs are permanently purged no later than thirty (30) days following the date of creation.

10. Liability Restrictions

EACH PARTY'S LIABILITY ARISING OUT OF OR RELATED TO THIS DPA, WHETHER IN CONTRACT, TORT, OR UNDER ANY OTHER THEORY OF LIABILITY, IS SUBJECT TO THE LIMITATIONS OF LIABILITY SET FORTH IN SECTION 9 OF THE TERMS OF SERVICE. ANY REGULATORY FINES ASSESSED AGAINST THE CLIENT BY ANY SUPERVISORY AUTHORITY DUE TO THE CLIENT'S FAILURE TO SECURE PROPER LEGAL BASES FOR PROCESSING SHALL BE THE SOLE RESPONSIBILITY OF THE CLIENT.