Data Processing Addendum
Last updated: 22 November 2025
1. Definitions
This Data Processing Addendum ("DPA") forms part of the Terms of Service between LoomAPI ("Processor") and you ("Controller"). Capitalized terms not defined herein have the meanings set forth in the Terms of Service.
- "Controller" means the entity that determines the purposes and means of processing personal data
- "Processor" means LoomAPI, which processes personal data on behalf of the Controller
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on personal data
- "GDPR" means the General Data Protection Regulation (EU) 2016/679
2. Scope and Purpose
This DPA applies to the processing of personal data by LoomAPI in connection with the provision of age and risk verification services. The purpose of processing is to:
- Provide age and risk verification services
- Generate and validate JWT tokens for access control
- Enforce rate limits and quotas
- Process metered billing
- Maintain service security and prevent abuse
3. Processing Details
Subject Matter: Age and risk verification services
Duration: For the duration of the service agreement
Nature and Purpose: Verification processing, token generation, billing, and service operation
Types of Personal Data:
- Verification metadata (verification IDs, status, timestamps)
- Technical data (IP addresses, user agents) for rate limiting and security
- Billing-related identifiers (tenant IDs, usage metrics)
Categories of Data Subjects: End users undergoing verification, platform operators using the service
4. Processor Obligations
LoomAPI agrees to:
- Process personal data only in accordance with Controller's documented instructions
- Implement appropriate technical and organizational measures to ensure security of processing
- Not engage another processor without Controller's prior written authorization
- Assist Controller in responding to data subject requests
- Notify Controller without undue delay of any personal data breach
- Make available to Controller all information necessary to demonstrate compliance
- Return or delete personal data upon termination of services, unless retention is required by law
5. Controller Obligations
You, as Controller, agree to:
- Ensure you have a lawful basis for processing personal data
- Provide clear instructions for processing
- Comply with applicable data protection laws
- Respond to data subject requests in a timely manner
- Notify LoomAPI of any changes that may affect processing
6. Security Measures
LoomAPI implements the following security measures:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and authentication mechanisms
- Regular security assessments and vulnerability testing
- Monitoring and logging of system access
- Incident response procedures
- Regular backups and disaster recovery procedures
7. Sub-processors
LoomAPI may engage sub-processors to provide the service. Current sub-processors include:
- Stripe: Payment processing and billing (US-based, GDPR compliant)
- Verification Providers (e.g., Veriff): Identity verification services (data flows through but is not stored by LoomAPI)
- Hosting Providers: Cloud infrastructure for service operation
We will notify you of any changes to sub-processors. You may object to new sub-processors, but such objection may result in service limitations.
8. Data Subject Rights
LoomAPI will assist you in responding to data subject requests, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
We will respond to your requests for assistance within 30 days, or as required by applicable law.
9. Data Retention
Personal data is retained only as long as necessary for the purposes set forth in this DPA, or as required by applicable law. Verification metadata may be retained for compliance and audit purposes. Raw verification evidence and PII are not retained beyond the verification session.
10. International Transfers
Personal data may be transferred to countries outside the European Economic Area (EEA). Such transfers are subject to appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Other appropriate safeguards as required by GDPR
11. Data Breach Notification
In the event of a personal data breach, LoomAPI will notify you without undue delay, and in any event within 72 hours of becoming aware of the breach, where feasible. The notification will include details of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.
12. Audit Rights
You have the right to audit LoomAPI's compliance with this DPA, subject to reasonable notice and confidentiality obligations. Audits will be conducted during normal business hours and in a manner that does not unreasonably disrupt LoomAPI's operations.
13. Contact
For questions about this DPA or data processing matters:
- Data Protection: privacy@loomapi.com
- Legal: legal@loomapi.com