Data Processing Agreement

Last updated: June 17, 2026

This Data Processing Agreement ("DPA") is entered into between DataLayer ("Processor") and you or the entity you represent ("Controller"). This DPA applies when DataLayer processes personal data on your behalf through our API services.

1. Scope of Processing

DataLayer processes data solely for the purpose of delivering API responses to your requests. The types of data processed include:

  • Tax Verification API: CNIC numbers, NTN numbers, passport numbers, and registration numbers submitted for FBR verification
  • Financial Deals API: No personal data processed — returns public bank deal information
  • Merchant & Card APIs: No personal data processed — returns publicly available merchant and card product data

2. Processing Obligations

DataLayer agrees to:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process personal data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage sub-processors without prior written consent of the Controller
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of the service agreement

3. Security Measures

DataLayer maintains the following security measures:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • API key hashing (keys are never stored in plaintext)
  • Role-based access controls with principle of least privilege
  • Regular security assessments and vulnerability scanning
  • Audit logging of all data access and processing activities
  • Automated intrusion detection and monitoring

4. Data Breach Notification

In the event of a personal data breach, DataLayer will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, approximate number of records, likely consequences, and measures taken to address the breach.

5. Sub-Processors

DataLayer currently uses the following sub-processors:

Provider | Purpose                   | Location
Supabase | Database & Authentication | US / EU
Vercel   | Application Hosting       | Global CDN
Resend   | Email Delivery            | US

We will notify you before adding or replacing sub-processors and give you the opportunity to object.

6. Data Subject Rights

DataLayer will assist the Controller in fulfilling its obligations to respond to data subject requests for access, rectification, erasure, restriction, portability, and objection. We will promptly notify the Controller if we receive a request directly from a data subject.

7. Data Retention & Deletion

Tax verification request data (identifiers submitted via API) is cached for 24 hours for performance purposes and then automatically purged. No permanent copies of verification request data are retained beyond the cache period.

Upon termination of the service agreement, all personal data will be deleted within 30 days unless retention is required by applicable law.

8. Governing Law

This DPA is governed by the laws of Pakistan and supplements the Terms of Service. In case of conflict between this DPA and the Terms, this DPA shall prevail with respect to data processing matters.

Contact

For DPA-related inquiries or to request a signed copy, contact legal@datalayer.pk.