GDPR Addendum
Last updated: June 1, 2026
This addendum supplements our Privacy Policy and Terms of Service for customers and users located in the European Economic Area (EEA), United Kingdom (UK), and Switzerland. It constitutes a Data Processing Agreement (“DPA”) where applicable under Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR. A countersigned DPA for enterprise customers is available on request from privacy@ipoptic.io.
1. Roles and responsibilities
Controller: The customer (you) who determines the purposes and means of processing end-user IP addresses through the ipOptic API.
Processor: ipOptic, acting on your documented instructions to enrich IP addresses with geolocation, proxy/VPN, and fraud-risk data.
For the ipOptic web tool (ipoptic.io, used by end-visitors directly), ipOptic acts as an independent controller for the limited browser-session processing described in the Privacy Policy.
2. Subject matter and nature of processing
- Subject matter: IP address enrichment and risk scoring.
- Duration: the term of the customer's service agreement.
- Nature: automated lookup and scoring; no manual profiling of individuals.
- Purpose: fraud prevention, security monitoring, geo-compliance.
- Types of personal data: public IPv4/IPv6 addresses submitted via the API.
- Categories of data subjects: end-users of the customer's platform whose IP addresses are submitted for enrichment.
3. Customer instructions
ipOptic processes personal data only on documented instructions from the customer, as set out in the API documentation and these Terms. If ipOptic is required by EU or Member State law to process personal data otherwise, it will notify the customer unless prohibited by law.
4. Confidentiality of processing
ipOptic ensures that persons authorised to process personal data are under an appropriate obligation of confidentiality, whether contractual or statutory.
5. Security measures
ipOptic implements technical and organisational measures appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256).
- Access controls and least-privilege principles for internal systems.
- Pseudonymisation of API logs after 30 days.
- Regular security testing and vulnerability management.
- Incident response procedures with 72-hour breach notification capability.
6. Sub-processors
ipOptic uses sub-processors to deliver the Service. We will notify customers of additions or replacements to our sub-processor list with at least 14 days' notice, giving customers the opportunity to object. Current sub-processor categories include:
- Cloud infrastructure and hosting providers (data centres in EU/US).
- Payment processors (Stripe — US, with SCCs in place).
- Transactional email providers.
- Security and monitoring tooling.
A current list of named sub-processors is available on request from privacy@ipoptic.io.
7. International transfers
Where personal data is transferred to countries outside the EEA that lack an adequacy decision, ipOptic relies on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) or equivalent UK mechanisms. Transfer impact assessments are available for enterprise customers on request.
8. Assistance with data subject rights
ipOptic will assist customers in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible. Requests from data subjects should be directed to the customer as controller. ipOptic will respond to customer enquiries within 5 business days.
9. Data protection impact assessments
ipOptic will provide reasonable assistance to customers conducting DPIAs under Article 35 GDPR, including relevant information about the technical and organisational measures in place.
10. Deletion and return of data
Upon termination of the service agreement, ipOptic will delete or return all personal data within 30 days, at the customer's election. In the normal course of operation, API request logs containing IP addresses are deleted within 30 days of the request being logged.
11. Audit rights
Customers may, with 30 days' written notice and at their own expense, audit ipOptic's compliance with this DPA no more than once per year. ipOptic may satisfy audit requests by providing a current SOC 2 or ISO 27001 report from a qualified third-party auditor in lieu of an on-site audit.
12. Contact for GDPR matters
Data Protection contact: privacy@ipoptic.io. For enterprise DPA execution, contact your account manager or privacy@ipoptic.io.