Data Processing Agreement
Last updated: April 3, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Demografix ApS ("Processor", "Demografix") and the customer ("Controller", "you") and applies where Demografix processes personal data on your behalf in connection with the services operated at genderize.io, agify.io, and nationalize.io (the "Services").
This DPA is entered into automatically when you use the Services. No separate signature is required.
1. Definitions
- Personal Data, Processing, Data Controller, Data Processor, Data Subject, and Supervisory Authority have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR").
- Customer Data means any personal data that you submit to the Services for processing.
2. Scope and Roles
You are the Data Controller. You determine the purposes and means of processing the personal data you submit to the Services.
Demografix is the Data Processor. We process Customer Data solely to provide the Services to you, in accordance with your instructions as expressed through your use of the API.
Details of Processing
| Element | Description |
|---|---|
| Subject matter | Provision of name-based demographic prediction APIs |
| Duration | For the term of your subscription |
| Nature and purpose | Automated statistical analysis of names to return demographic predictions (gender, age, nationality) |
| Types of personal data | Names (first names, last names, or full names) submitted via the API |
| Categories of data subjects | Individuals whose names are submitted by the Controller |
3. Processor Obligations
Demografix shall:
- (a) Process Customer Data only in accordance with your documented instructions. Your use of the API constitutes your instructions. We will not process Customer Data for any other purpose.
- (b) Ensure that persons authorized to process Customer Data are bound by obligations of confidentiality.
- (c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7.
- (d) Not engage another processor without listing them in this DPA (see Section 5). We will notify you of any changes to our sub-processors by updating this DPA and the Privacy Policy.
- (e) Assist you, insofar as is possible, in responding to requests from data subjects exercising their rights under GDPR. For individual API requests, we do not store the names submitted — there is nothing to access, correct, or delete. For CSV uploads, processed results are automatically deleted within 24 hours; earlier deletion can be performed on request. For account data, we can fulfill data subject requests directly.
- (f) Assist you in ensuring compliance with your obligations under GDPR Articles 32–36 (security, breach notification, data protection impact assessments), taking into account the nature of processing and the information available to us.
- (g) At your choice, delete or return all Customer Data after the end of the provision of Services. Individual API request data is not stored. Any pending CSV results are deleted automatically within 24 hours or upon request.
- (h) Make available to you all information necessary to demonstrate compliance with the obligations in GDPR Article 28.
4. Controller Obligations
You shall:
- (a) Ensure that you have a lawful basis for submitting personal data to the Services, including any necessary consents or legitimate interest assessments.
- (b) Ensure that data subjects are informed about the processing, as required by GDPR Articles 13 and 14.
- (c) Be responsible for the accuracy of the personal data you submit and for your use of the predictions returned by the Services.
5. Sub-processors
Demografix uses the following sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| DigitalOcean | Infrastructure and hosting | USA (New York) | EU-US Data Privacy Framework |
| Stripe | Payment processing | USA | EU-US Data Privacy Framework; Standard Contractual Clauses |
| Sentry | Error monitoring | USA | EU-US Data Privacy Framework |
We will notify you of any intended changes to this list by updating this DPA. If you object to a new sub-processor, you may terminate your subscription.
We impose data protection obligations on each sub-processor that are no less protective than those in this DPA.
6. International Transfers
Customer Data is processed on servers hosted by DigitalOcean in the United States (New York).
For transfers of personal data from the European Economic Area to the United States, we rely on the EU-US Data Privacy Framework, under which our sub-processors are certified or participating. Where applicable, Standard Contractual Clauses (EU Commission Decision 2021/914) provide additional safeguards.
If the EU-US Data Privacy Framework is invalidated, we will implement alternative transfer mechanisms as required by GDPR Chapter V.
7. Security Measures
Demografix implements the following technical and organizational measures:
- Minimal data retention: Names submitted via individual API requests are processed in real time and immediately discarded. They are not written to any database, log, or persistent storage. For CSV file uploads, the original file is processed in memory only. The processed results file is stored temporarily and automatically deleted after first download or after 24 hours, whichever comes first.
- Encryption in transit: All API communication is encrypted via HTTPS/TLS.
- Payment isolation: Payment data is handled entirely by Stripe and never reaches Demografix servers.
- Access controls: Server access is restricted to authorized personnel.
- Hashed credentials: Account passwords are stored using industry-standard hashing algorithms and cannot be read in plain text.
- Privacy-friendly analytics: Website analytics use Plausible, which collects no personal data and uses no cookies.
- Error monitoring: Sentry may transiently capture request data in the event of an application error. This data is used solely for debugging.
8. Data Breach Notification
In the event of a personal data breach affecting Customer Data, Demografix will:
(a) Notify you without undue delay and in any event within 72 hours of becoming aware of the breach.
(b) Provide you with sufficient information to meet your own breach notification obligations under GDPR Article 33, including:
- The nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences
- The measures taken or proposed to address the breach
The practical risk of a data breach involving Customer Data is limited: individual API requests are not stored, CSV results are retained for a maximum of 24 hours, and account data consists of email addresses and subscription information.
9. Audits
You have the right to audit our compliance with this DPA. Audits may be conducted by you or an independent auditor appointed by you, subject to:
- Reasonable advance notice (at least 30 days)
- The audit being conducted during normal business hours
- No more than once per 12-month period, unless required by a supervisory authority
- Confidentiality obligations regarding any information accessed during the audit
We will cooperate with reasonable audit requests and provide information necessary to demonstrate compliance.
10. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
11. Term and Termination
This DPA takes effect when you begin using the Services and terminates when your subscription ends.
Provisions of this DPA that by their nature should survive termination will remain in effect, including obligations relating to confidentiality, data breach notification, and the handling of any remaining account data.
12. Conflict
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.
13. Contact
For questions about this DPA or to exercise your rights:
Demografix ApS
Eriksvej 30, 1 th.
Roskilde, Sjælland 4000
Denmark
Email: info@genderize.io
VAT: DK40697179