IPRoyal Data Processing Agreement
Last updated December 2025 | Version 2.0
This Data Processing Agreement ( “Data Processing Agreement” or the “DPA” ) is entered into by IPRoyal Services FZE LLC, acting as the data processor (the “Data Processor” ), and the natural or legal person that enters into this DPA as the data controller (the “Data Controller” ). The Data Processor and the Data Controller are collectively referred to as the “Parties” and individually as a “Party.”
The Data Processor provides multiple IP address proxy infrastructure solutions (the “Services” ), which the Data Controller wishes to obtain and use under the Terms of Service (the “Agreement” ), of which this Data Processing Agreement forms a part. In the course of providing the Services, the Data Processor will process Personal Data on behalf of and for the benefit of the Data Controller.
Accordingly, the Parties agree as follows:
1. KEY TERMS
1.1. For the purposes of this Data Processing Agreement, including its annexes, the capitalized terms set forth herein shall have the meanings defined below, unless the context requires otherwise:
| Applicable Data Protection Laws | shall mean any applicable law relating to Personal Data protection valid at the given time. |
| Data Controller | means the individual or entity that has accepted the Agreement and determines the purposes and means of processing Personal Data. |
| Data Processor | refers to IPRoyal Services FZE LLC, which processes Personal Data on behalf of the Data Controller pursuant to this Data Processing Agreement. |
| Personal Data | shall mean any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be directly or indirectly identified by reference to an identifier such as a name, address, social security number, subscription number, IP address, location data, an online identifier, traffic data or message content or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Sub-processor | shall mean a third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller under the Agreement. |
1.2. Any terms not expressly defined in this Data Processing Agreement shall be interpreted in accordance with the meanings assigned to them in the Agreement.
2. ROLES AND RESPONSIBILITIES OF THE PARTIES
2.1. The Data Controller shall perform its responsibilities as a data controller in full compliance with Applicable Data Protection Laws, including those relating to the handling of Personal Data and the provision of lawful instructions to the Data Processor.
2.2. The Data Controller represents and warrants, and shall ensure on an ongoing basis, that it has all lawful bases, consents, and rights required under Applicable Data Protection Laws to transfer, disclose, or otherwise make Personal Data available to the Data Processor, and to permit its processing in accordance with the Agreement and this Data Processing Agreement.
2.3. The Data Processor shall not be responsible for determining the lawfulness of the Data Controller’s instructions. Where the Data Processor reasonably considers an instruction to be unlawful, it shall promptly inform the Data Controller.
2.4. The Data Processor shall refrain from knowingly engaging in any activity that would directly cause the Data Controller to be in breach of Applicable Data Protection Laws.
2.5. Without prejudice to the general obligations set out above, the Data Controller acknowledges and agrees that it is responsible for: (i) complying with all necessary transparency and lawfulness requirements under Applicable Data Protection Laws in relation to the collection and use of Personal Data in connection with its use of the Data Processor’s Services; (ii) the accuracy, quality, integrity, and legality of the Personal Data and the manner in which it is collected; and (iii) ensuring that instructions issued to the Data Processor regarding the processing of Personal Data are lawful and comply with Applicable Data Protection Laws.
2.6. The Data Controller shall promptly notify the Data Processor if it becomes unable to comply with its obligations under this Section.
3. DATA PROCESSING SCOPE AND INSTRUCTIONS
3.1. The Data Processor shall process Personal Data only in accordance with the documented instructions of the Data Controller, including with respect to any transfers of Personal Data to third countries or international organizations. Any such transfer shall only take place in compliance with Applicable Data Protection Laws. For example, where Personal Data of data subjects in the EEA or the United Kingdom is transferred outside those jurisdictions, the Data Processor shall ensure that such transfers are made in accordance with Chapter V GDPR and the equivalent UK data protection laws, using appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, or any other lawful transfer mechanism recognized under Applicable Data Protection Laws.
3.2. The Data Controller’s instructions regarding the scope of processing are as follows:
| Subject Matter | The Data Processor’s provision of Services to the Data Controller. |
| Purpose and Nature of the Processing | Processing of Personal Data shall take place only as required for the performance of the Services and in compliance with the Agreement. |
| Categories of Data Subjects | Individuals whose Personal Data the Data Controller processes through the Services and any related services. |
| Categories of Personal Data | Personal Data of individuals processed by the Data Controller through the Services. |
| Duration of Processing | For the duration of the Agreement and the Data Controller’s use of the Services, and until all Personal Data is deleted or returned in accordance with Section 7, unless retention is required by Applicable Data Protection Laws. |
| Subject Matter, Nature, and Duration of Processing by Sub-processors | Sub-processors are engaged by the Data Processor solely for the purpose of assisting in the provision of the Services. The Personal Data is processed by Sub-processors only for as long as necessary to provide the Services, or as otherwise required under Applicable Data Protection Laws. |
3.3. The Data Processor shall not process Personal Data for any purpose other than as set out in this Data Processing Agreement and the Agreement, or in any manner that does not comply with Applicable Data Protection Laws.
3.4. The Data Controller entitles the Data Processor to enter into agreements with Sub-processors on the Data Controller’s behalf for the performance of its obligations under this Data Processing Agreement. The Data Processor presents the current list of Sub-processors in Annex III to this Data Processing Agreement.
3.5. The Data Processor shall: (i) ensure that any Sub-processor is contractually bound in writing to provide at least the same level of protection for Personal Data as is required by this Data Processing Agreement, and implements and maintains appropriate technical and organizational measures to ensure that the processing of Personal Data meets the requirements of Applicable Data Protection Laws; and (ii) remain fully responsible and liable to the Data Controller for the acts and omissions of any Sub-processor to the same extent as if such acts and omissions were those of the Data Processor.
3.6. By entering into this Data Processing Agreement and by starting to use the Services, the Data Controller acknowledges that it has familiarised itself with the Sub-processor list set out in Annex III and hereby authorizes the engagement of those Sub-processors. The Data Controller also grants a general authorisation for the engagement of any future Sub-processors that the Data Processor may appoint for the same or substantially similar processing purposes. The Data Processor maintains an up-to-date list of authorised Sub-processors in Annex III, which may be updated from time to time without individual notice to the Data Controller. The current list will be made available upon request, and the Data Controller may, on reasonable grounds relating to the protection of Personal Data, raise a reasoned written objection to any new Sub-processor by contacting [email protected] . In the event of a valid objection, the Data Processor will use reasonable efforts to make available a commercially reasonable change in the Services to avoid processing of Personal Data by the objected-to Sub-processor. If the Data Processor is unable to make such change within thirty (30) days, the Data Controller may, as its sole and exclusive remedy, terminate the affected Services, provided that partial provision of the Services is feasible both technically and organisationally. If partial provision is not feasible, the Data Controller may terminate the Agreement and this Data Processing Agreement in full. In such case, all fees due before the termination date shall remain payable and any fees already paid are non-refundable. The Data Controller shall have no further claims against the Data Processor arising from (i) the past use of authorized Sub-processors prior to the date of objection, or (ii) termination of the affected Services in accordance with this Section. The Parties shall in good faith discuss potential alternatives prior to termination.
4. DATA SECURITY AND CONFIDENTIALITY
4.1. The Data Processor shall implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, alteration, unauthorized disclosure, or unauthorized access, as well as against any other form of unlawful processing. In determining such measures, the Data Processor shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, together with the level of risk to the rights and freedoms of individuals. Such measures shall ensure a level of security appropriate to the risk and may include, as appropriate, the pseudonymisation and encryption of Personal Data, the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to Personal Data in a timely manner in the event of an incident, and a process for regularly testing, assessing and evaluating the effectiveness of such measures.
4.2. Access to Personal Data by the Data Processor shall be limited to employees who need it to perform their work under this Data Processing Agreement. The Data Processor shall ensure that any person acting under its authority who has access to Personal Data is subject to an appropriate statutory or contractual duty of confidentiality, and respects confidentiality obligations no less stringent than those imposed on the Data Processor under this Data Processing Agreement.
4.3. The Data Processor shall not disclose or otherwise make available any Personal Data or information regarding the processing of Personal Data to any third party without the Data Controller’s prior written consent, except (i) to Sub-processors engaged in accordance with this Data Processing Agreement, or (ii) where disclosure is required by Applicable Data Protection Laws. In the latter case, the Data Processor shall (to the extent permitted by Applicable Data Protection Laws) promptly notify the Data Controller of such legal requirement before disclosing the Personal Data.
4.4. The Data Processor shall notify the Data Controller without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (a ‘Personal Data Breach’). Such notification shall include all information reasonably available to the Data Processor and required under Applicable Data Protection Laws to assist the Data Controller in meeting its obligations, and shall describe the measures taken or proposed by the Data Processor and/or any Sub-processor, as applicable, to address the Personal Data Breach and mitigate its possible adverse consequences.
5. ASSISTANCE AND COOPERATION
5.1. The Data Processor shall, to the extent reasonably possible given the nature of the processing and the information available to it, assist the Data Controller in fulfilling its obligations under Applicable Data Protection Laws. Such assistance may include, in particular: (i) implementing and supporting data security measures and breach notifications; (ii) contributing to data protection impact assessments and prior consultations with supervisory authorities; and (iii) facilitating responses to data subjects exercising their rights under Applicable Data Protection Laws. These obligations apply only to the extent they arise from processing activities carried out under this Data Processing Agreement.
5.2. If a data subject, supervisory or governmental authority, or any other third party makes a request to the Data Processor regarding the processing of Personal Data under this Agreement, the Data Processor shall, without undue delay, forward such request to the Data Controller.
5.3. The Data Controller shall be entitled, in its capacity as data controller and to a reasonable extent agreed between the Parties, to verify that the Data Processor is able to comply with its obligations under this Data Processing Agreement. For this purpose, the Data Processor shall make available to the Data Controller only such information as is reasonably necessary to demonstrate compliance with this Data Processing Agreement and Applicable Data Protection Laws.
5.4. The Data Processor shall allow for and reasonably contribute to audits or inspections conducted by the Data Controller, or by an independent auditor mandated by the Data Controller, provided such auditor is bound by confidentiality obligations acceptable to the Data Processor. Any such audit shall relate solely to the processing activities carried out under this Data Processing Agreement and Applicable Data Protection Laws. Audits shall be subject to reasonable advance written notice, conducted during normal business hours, and carried out in a manner that does not unreasonably disrupt the Data Processor’s business operations. Unless otherwise required by Applicable Data Protection Laws, audits may be conducted no more than once in any twelve-month period. The Data Controller shall bear all costs of the audit, including reasonable costs and fees for the time the Data Processor spends facilitating the audit.
6. ALLOCATION OF LIABILITY AND COSTS
6.1. The Data Processor shall be liable solely to the extent and in the manner expressly determined by the competent supervisory authority under the Applicable Data Protection Laws. Nothing in this Agreement shall extend the Data Processor’s liability beyond what is expressly required by such authority in accordance with Applicable Data Protection Laws.
6.2. The Data Processor shall have the right to reimbursement of all reasonable expenses, costs, and fees incurred as a result of: (i) requests for cooperation that are unfounded, excessive, or that place an unreasonable or disproportionate burden on the Data Processor; and/or (ii) instructions from the Data Controller that are inaccurate, incomplete, unlawful, or otherwise not compliant with this Data Processing Agreement.
7. GENERAL PROVISIONS
7.1. This Data Processing Agreement shall remain in effect for as long as the Data Processor processes Personal Data on behalf of the Data Controller under the Agreement, and in any event for the duration of the Services provided to the Data Controller, or as otherwise required under Applicable Data Protection Laws.
7.2. Upon termination of the Services, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data and certify in writing that deletion has been completed, unless retention is required by Applicable Data Protection Laws.
7.3. This Data Processing Agreement shall be an integral part of the Agreement. Any matter not expressly governed by this Data Processing Agreement shall be governed by the Agreement. In the event of any conflict or contradiction between the terms of this DPA and the Agreement, the provisions of the DPA shall prevail.
ANNEX I The SCCs and European Transfers Agreement
EEA Transfers. In relation to the Personal Data processed under this Data Processing Agreement that is subject to the GDPR: (i) the Data Controller is the “data exporter” and the Data Processor is the “data importer”; (ii) the Standard Contractual Clauses approved by the European Commission (Module Two – Controller to Processor) are incorporated by reference into this DPA and are an integral part of this DPA; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and the time period for prior notice of Sub-processor changes shall be the period specified by the Data Processor in the relevant notification, which shall allow the Data Controller a reasonable opportunity to object; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the Parties agree that the governing law and forum for disputes for the SCCs will be Lithuania; (vii) the Annexes of the SCCs will be deemed completed with the information set out in Section 3.2. of the DPA; and (viii) if and to the extent the SCCs conflict with any provision of this DPA the SCCs will prevail to the extent of such conflict.
UK Transfers. In relation to the Personal Data that is subject to the UK GDPR, the SCCs will apply in accordance with sub-section (a) and the following modifications: (i) the SCCs will be modified and interpreted in accordance with the UK SCCs, which will be incorporated by reference and form an integral part of the DPA; (ii) Tables 1, 2 and 3 of the UK SCCs will be deemed completed with the information set out in Section 3.2. of the DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the SCCs and the UK SCCs will be resolved in accordance with Section 10 and Section 11 of the UK SCCs.
ANNEX II CCPA/CPRA Addendum
This CCPA/CPRA Addendum (“Addendum”) forms part of the Data Processing Agreement (“DPA”) between the Data Controller (the “Business”) and the Data Processor (the “Service Provider”) (together, the “Parties”).
1. Scope and Applicability
1.1. This Addendum shall only apply and bind the Parties if and to the extent the Business engages the Service Provider to process Personal Information on behalf of the Business, as those terms are defined under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, the “CCPA”).
1.2. This Addendum applies to the collection, retention, use, and disclosure of Personal Information by the Service Provider solely for the purpose of providing the Services to the Business pursuant to the Agreement or to perform a Business purpose, as defined in the CCPA.
1.3. The Service Provider’s collection, retention, use, or disclosure of Personal Information for its own purposes independent of providing the Services to the Business is outside the scope of this Addendum.
2. Restrictions on Processing
2.1. The Service Provider shall not: (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than for the specific business purpose of providing the Services to the Business as described in the Agreement and this DPA, or as otherwise permitted by the CCPA; (c) retain, use, or disclose Personal Information outside of the direct business relationship between the Parties; or (d) combine Personal Information received from the Business with Personal Information received from another source, except as permitted by the CCPA.
2.2. The Parties acknowledge and agree that the exchange of Personal Information between them does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement, the DPA, or this Addendum.
2.3. The Service Provider shall comply with all applicable obligations under the CCPA.
2.4. Without prejudice to the Service Provider’s obligations as set forth in this DPA or any other rights or obligations of either Party under the Agreement, the Service Provider will notify the Business if, in the Service Provider’s opinion, it is unable to meet its obligations under the CCPA, unless such notice is prohibited by Applicable Data Protection Laws. The Service Provider acknowledges the Business’s right, upon notice, to take reasonable and appropriate steps to stop and remediate the Service Provider’s unauthorized use of Personal Information.
3. Consumer Rights Assistance
3.1. If the Service Provider, directly or indirectly, receives a request submitted by a Consumer to exercise a right under the CCPA in relation to that Consumer’s Personal Information, it shall promptly provide a copy of the request to the Business.
3.2. The Service Provider shall provide reasonable assistance to the Business in facilitating compliance with verified Consumer rights requests.
3.3. Upon written instruction from the Business and within a commercially reasonable time, the Service Provider shall delete the Personal Information, unless retention is required by Applicable Data Protection Laws.
4. Verification and Audits
4.1 Upon reasonable written request, the Data Processor shall make available to the Data Controller information necessary to demonstrate compliance with this Addendum.
4.2 Alternatively, the Data Processor may provide a written certification confirming that it understands and complies with its obligations under the CCPA.
5. Miscellaneous
5.1. This Addendum prevails over any conflicting terms of the Agreement or the DPA but does not otherwise modify them.
5.2. All capitalised terms not otherwise defined in this Addendum shall have the meanings given to them in the CCPA or in the DPA.
ANNEX III Sub-processor List
In order to provide its Services, the Data Processor engages certain third-party service providers (“Sub-processors”). These Sub-processors may process Personal Data on behalf of the Data Controller in connection with the Services. This Annex sets out the current Sub-processors engaged by the Data Processor.
Current Sub-processors ( as of December 5, 2025 ):
| Category | Sub-processor | Purpose of Processing | Location |
|---|---|---|---|
| Payment Processing & Billing | 1. Bitlocus LT, UAB 2. Decentralized UAB (CoinGate) 3. Paddle.com Market Ltd. 4. Stripe, Inc. 5. Airwallex (Hong Kong) Limited (AliPay) 6. Spectro Finance Limited |
1. Payment processing 2. Payment processing / cryptocurrency gateway 3. Payment processing and billing 4. Payment processing 5. Payment processing 6. Payment processing / cryptocurrency gateway |
1. Lithuania / EU 2. Lithuania / EU 3. United Kingdom 4. United States 5. Hong Kong / China 6. British Virgin Islands |
| Identity Verification & Fraud Prevention | 1. iDenfy (iDenfy UAB) 2. Intuition Machines, Inc. (hCaptcha) |
1. Identity verification services 2. Fraud prevention and CAPTCHA services |
1. Lithuania / EU 2. United States |
| Customer Support & Communication | 1. Intercom, Inc. 2. Discord Inc., Discord Netherlands B.V. 3. Twilio, Inc. |
1. Live chat and customer support platform 2. Live chat and customer support platform 3. Communications platform (SMS, calls, messaging) |
1. United States 2. Global (US/EU) 3. United States |
| Marketing, Advertising & Affiliate Platforms | 1. Meta Platforms, Inc. (Facebook) 2. Google LLC 3. Impact Tech, Inc. 4. Iterable, Inc. 5. LinkedIn Corporation 6. X Corporation (formerly Twitter, Inc.) 7. Baidu, Inc. 8. Quora, Inc. |
1. Marketing, analytics, and diagnostics 2. Marketing, analytics, and diagnostics 3. Affiliate marketing platform 4. Marketing automation and customer engagement 5. Marketing and analytics 6. Marketing and analytics 7. Marketing and analytics 8. Marketing and analytics |
1. United States 2. Global (US/EU) 3. United States 4. United States 5. United States 6. United States 7. China 8. United States |
| Analytics & Diagnostics | 1. Microsoft Corporation (Clarity). 2. Hotjar Ltd. |
1. Application analytics and diagnostics 2. Application analytics and diagnostics |
1. United States 2. Malta/EU |
| CRM & Customer Management | 1. Salesforce, Inc. 2. Trustpilot A/S 3. Usercentrics A/S (Cookiebot) |
1. Customer relationship management (CRM) 2. Customer feedback collection and reviews 3. Cookie consent management |
1. United States 2. Denmark / EU 3. Denmark / EU |
| Security & Compliance | Sprinto, Inc. | Security compliance automation | EU |
| Integrations & Workflow Automation | Zapier, Inc. | Workflow automation and integrations | United States |