Data Processing Agreement
Version 1.1 · Effective: February 19, 2026
Download this DPA
This Data Processing Agreement applies automatically to all Langbly API customers. You can download a signed copy for your records, or reference this page directly.
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between:
- Data Controller ("Customer"): The entity or individual using Langbly API services.
- Data Processor ("Langbly"): Langbly, registered in the Netherlands under Chamber of Commerce (KvK) number 90013700.
This DPA applies to the processing of personal data that Langbly performs on behalf of the Customer through the Langbly translation API. It supplements the Langbly Terms of Service and Privacy Policy.
2. Definitions
Terms used in this DPA carry the same meaning as defined in the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. In particular:
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- "Processing" means any operation performed on Personal Data, including translation, transmission, and temporary storage in memory during API request handling.
- "Sub-processor" means a third party engaged by Langbly to process Personal Data on behalf of the Customer.
3. Nature and Purpose of Processing
Langbly processes Customer data solely for the purpose of providing translation services through the API. The processing involves:
- Type of data: Text content submitted for translation via the API. This may contain personal data if the Customer submits text that includes names, addresses, or other identifiable information.
- Categories of data subjects: Determined by the Customer. Langbly does not control which data subjects' information is included in translation requests.
- Duration: Processing occurs only during the active API request. Translation content is not stored after the response is returned to the Customer.
4. Obligations of Langbly
In accordance with Article 28 GDPR, Langbly shall:
- Process Personal Data only on documented instructions from the Customer, which are defined by the API requests the Customer submits.
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 6).
- Not engage a new sub-processor without providing the Customer at least 30 days' prior notice, as described in Section 8. The Customer may object to a new sub-processor within 14 days of notification.
- Assist the Customer in responding to requests from data subjects exercising their rights under Chapter III of the GDPR.
- Assist the Customer in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to Langbly.
- At the choice of the Customer, delete or return all Personal Data after the end of the provision of services. Given Langbly's zero-retention policy, this is satisfied by default.
- Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.
5. Obligations of the Customer
The Customer is responsible for ensuring a valid legal basis for the processing of Personal Data submitted to the API. The Customer determines which data is submitted for translation and warrants that it has the right to process such data.
6. Security Measures
Langbly implements the following technical and organisational measures:
- Encryption in transit: All API communication uses TLS 1.3. Unencrypted connections are rejected.
- Encryption at rest: All stored data (account information, usage metrics) is encrypted at rest using AES-256 via the cloud provider's managed encryption.
- Zero content retention: Translation content (request body and response body) is not persisted to any database or log file. Content exists only in memory during request processing and is discarded immediately after the response is sent.
- Authentication: API access requires a unique API key per customer, verified on every request.
- Access controls: Production systems follow the principle of least privilege. Only essential personnel have access to infrastructure.
- Monitoring: Automated uptime monitoring, error tracking, and alerting are in place. No translation content is included in monitoring data.
- EU Data Residency: Customers can opt for the dedicated EU endpoint (eu.langbly.com), where all processing occurs within the European Union (Finland).
7. Data Breach Notification
Langbly shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer's data. The notification shall include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
Given Langbly's zero content retention policy, the scope of potential data breaches is limited to account information (email, name, billing data) and API keys. Translation content cannot be breached because it is not stored.
8. Sub-processors
Langbly uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | API hosting and infrastructure | Netherlands / Finland (EU) |
| Supabase | Database and authentication | EU (Frankfurt) |
| Stripe | Payment processing | United States (with EU SCCs) |
| Upstash | Rate limiting and caching | EU (Frankfurt) |
| Unkey | API key validation | EU |
| Resend | Transactional email | United States (with EU SCCs) |
| Sentry | Error monitoring | United States (with EU SCCs) |
| Cloudflare | CDN and DNS | Global (with EU SCCs) |
Langbly will inform the Customer of any intended changes to this list at least 30 days in advance. The Customer may object to a new sub-processor within 14 days of notification. If the objection cannot be resolved, the Customer may terminate the agreement.
9. International Transfers
By default, Langbly processes data on Google Cloud Platform in the Netherlands (europe-west4). Customers who require full EU data residency can use the dedicated EU endpoint (eu.langbly.com), where all processing takes place in Finland (europe-north1). For sub-processors located outside the EEA, Langbly relies on EU Standard Contractual Clauses (SCCs) as the transfer mechanism.
10. Data Subject Rights
If Langbly receives a request from a data subject regarding Personal Data processed on behalf of the Customer, Langbly will promptly notify the Customer and will not respond to the request directly unless authorised to do so. Langbly will assist the Customer in fulfilling its obligations to respond to data subject requests under GDPR Articles 15 through 22.
11. Audits
Langbly shall make available to the Customer all information necessary to demonstrate compliance with this DPA. Langbly will allow and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audit requests should be submitted at least 30 days in advance and will be conducted during normal business hours at the Customer's expense.
12. Duration and Termination
This DPA remains in effect for the duration of the Customer's use of Langbly API services. Upon termination, Langbly's zero-retention architecture means no translation content needs to be deleted or returned. Account data (email, name, billing records) will be deleted upon request, subject to any legal retention obligations.
13. Governing Law
This DPA is governed by the laws of the Netherlands, without regard to conflict of law provisions. Any dispute arising from this DPA shall be submitted to the competent court in the Netherlands.
14. Contact
For questions about this DPA or to exercise data protection rights:
Langbly, KvK 90013700, the Netherlands. For data protection inquiries, you can reach our data protection contact at the email address above.