A standalone DPA for compliance, procurement, and InfoSec teams. Aligns to UK GDPR Article 28 and the IDTA for cross-border transfers.
This Data Processing Addendum (DPA) applies when Entylink processes personal data on behalf of a customer ("Controller") as part of the Entylink API service. It forms part of the Terms of Service and takes precedence over conflicting terms solely on the subject of data processing.
The Controller is the customer. The Processor is ENTYLINK LTD. Entylink acts as Processor for any personal data the customer submits in the course of using the service (for example, the set of company numbers monitored via webhooks, which can reveal the customer's business interests).
The subject-matter of processing is the provision of the Entylink API (reading UK company-registry data, delivering webhook events, accounting for usage). Processing continues for the duration of the subscription and ends on termination per the retention schedule in our Privacy Policy.
Data subjects: employees or contractors of the Controller who interact with Entylink (dashboard users, key creators).
Data categories: business contact details, authentication artefacts (hashed API keys), request metadata (timestamps, endpoints, company numbers queried).
We do not require or intentionally process special category data.
Process personal data only on documented instructions from the Controller, including these Terms and any configuration the Controller chooses in the dashboard.
Ensure personnel authorised to process personal data are bound by confidentiality.
Take appropriate technical and organisational measures under Article 32 UK GDPR — see the Security section.
Assist the Controller in fulfilling data-subject requests and in meeting Articles 32–36 obligations.
On termination, delete or return personal data subject to statutory retention.
Encryption in transit (TLS 1.2+) for all public endpoints.
API keys stored only as SHA-256 hashes; passwords as bcrypt.
Access to production systems restricted to named engineers; access logged.
Request logs partitioned per-customer; retained 90 days.
Network exposure limited to Fastify behind nginx on a dedicated VPS; database and Redis bound to loopback only.
Lemon Squeezy (merchant of record) — US/IE — billing and tax.
Hostinger — UK/EU — email delivery for transactional notifications.
Our hosting provider — EU — VPS infrastructure.
We will give at least 30 days' notice of any new or replacement sub-processor by email to the address on the account. If the Controller reasonably objects, we will work in good faith to resolve the objection or allow termination without penalty.
Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (or equivalent valid mechanism) and supplementary measures where required by a transfer-impact assessment.
We will notify the Controller of any confirmed personal data breach affecting the Controller's data without undue delay and in any event within 48 hours of becoming aware. Notices will be sent to the account email and, where provided, a designated security contact.
We make available to the Controller information reasonably necessary to demonstrate compliance, including security and control documentation on request. On-site audits are available to Professional and Enterprise customers subject to a confidentiality agreement and reasonable notice.
Liability under this DPA is subject to the limitation of liability in the Terms of Service. Nothing in this DPA varies the allocation of liability under the Terms.
This DPA is automatically binding on customers of the Professional and Enterprise plans. Starter customers who require a signed DPA can request an executable copy by emailing hello@entylink.com with the subject "DPA".