GeoQ
Free API key

Legal

Data Processing Agreement

Last updated: 6 June 2026

This is a plain-language legal document written for clarity. It does not constitute legal advice. Defined terms are used consistently across our legal pages.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", the controller) and GeoQ ("Processor") and applies where we process personal data on your behalf in providing the Service. A countersigned copy is available to Growth and Scale customers on request.

1. Roles

For IP addresses you submit to the API for lookup, you are the controller and GeoQ is the processor. For data we determine the means and purposes of (e.g. our own security logging), GeoQ acts as controller under our Privacy Policy.

2. Subject-matter, duration, nature and purpose

  • Subject-matter: provision of IP intelligence lookups via the Service.
  • Duration: for the term of your subscription.
  • Nature and purpose: stateless analysis of submitted IP addresses to return abuse signals, geolocation, network data and a risk score.
  • Types of personal data: IP addresses (treated as personal data).
  • Categories of data subjects: end-users and visitors of the Customer's services whose IPs are submitted.

3. Processor obligations (Art. 28 GDPR)

GeoQ will:

  • process personal data only on documented instructions from the Customer (the API calls you make), and as described in the Terms and Privacy Policy;
  • ensure persons authorised to process the data are bound by confidentiality;
  • implement appropriate technical and organisational security measures (clause 5);
  • respect the conditions for engaging subprocessors (clause 4);
  • assist the Customer, taking into account the nature of processing, in responding to data-subject requests and in meeting its obligations under Arts. 32–36;
  • delete or return personal data at the end of the provision of services, save as required by law — noting that lookups are stateless and operational logs are truncated/hashed and deleted within 30 days;
  • make available information necessary to demonstrate compliance and allow for reasonable audits.

4. Subprocessors

The Customer provides general authorisation for GeoQ to engage subprocessors listed on our Subprocessors page (currently Amazon Web Services and Stripe). GeoQ imposes data-protection terms on each subprocessor and remains liable for their performance. We will give reasonable notice of new subprocessors and an opportunity to object.

5. Security measures

  • Encryption of personal data in transit.
  • Data minimisation: stateless lookups; truncated/hashed IPs in logs; ≤ 30-day retention.
  • Access controls, least privilege and key management.
  • Hosting in AWS eu-west-1 (Ireland).
  • Monitoring and a documented incident-response process.

6. International transfers

Where personal data is transferred outside the UK/EEA, GeoQ relies on appropriate safeguards, including the Standard Contractual Clauses, incorporated by reference.

7. Personal data breach

GeoQ will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and will provide information reasonably necessary for the Customer to meet its notification obligations.

8. Data-subject rights

Given the stateless, minimised nature of processing, GeoQ does not retain identifiable lookup data to action individual requests against; GeoQ will nonetheless assist the Customer with reasonable measures to respond to data-subject requests relating to processing under this DPA.

9. Liability

Each party's liability under this DPA is subject to the limitations and cap in the Terms of Service.

10. Contact

To request a signed DPA or raise data-protection questions: support@geoq.io.