ScrapingBee / VostokInc
Last Revision date: March 23, 2026
Processor / Provider: VostokInc, a French simplified joint-stock company (SAS), registered under SIREN 882 964 115 RCS Paris, with its registered office at 66 Avenue des Champs-Élysées, 75008 Paris, France, operating the ScrapingBee platform.
Controller / Customer: The entity or individual that has created a ScrapingBee account and accepted the Terms of Service, as identified in that account.
ACCEPTANCE: By activating a ScrapingBee account, placing an order, or using the Services, the Customer agrees to this Data Processing Agreement. If the Customer does not agree, it must not use the Services. This DPA forms part of, and is subject to, the ScrapingBee General Terms and Conditions of Service available at https://www.scrapingbee.com/terms-and-conditions/. In the event of any conflict between this DPA and the General Terms and Conditions of Service regarding the processing of Personal Data, this DPA shall prevail.
1. Definitions
The following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the General Terms and Conditions of Service or in applicable Data Protection Law.
- "Data Protection Law" means the GDPR (Regulation (EU) 2016/679), the French loi Informatique et Libertés No. 78-17 of 6 January 1978 as amended, the UK GDPR (where applicable), and any other national or supranational data-protection legislation applicable to the processing described in this DPA, as amended or replaced from time to time.
- "Personal Data", "Processing", "Data Subject", "Data Controller", "Data Processor", "Sub-processor", "Supervisory Authority", "Personal Data Breach", and "Special Categories of Personal Data" have the meanings given in the GDPR.
- "Services" means the web data-extraction, scraping API services, any related service, and any related features and integrations, provided by ScrapingBee under the Terms of Service, where ScrapingBee acts as the Data Processor.
- "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission on 4 June 2021 (Decision (EU) 2021/914).
- "CNIL" means the Commission Nationale de l'Informatique et des Libertés, the French data-protection supervisory authority.
- "DPA" means this Data Processing Agreement.
2. Scope and Roles
2.1 This DPA applies to all processing of Personal Data by ScrapingBee as a Data Processor acting on the Customer's behalf in connection with the Services.
2.2 The Customer is the Data Controller and ScrapingBee is the Data Processor within the meaning of the GDPR for the processing described in Exhibit 1. ScrapingBee shall process Personal Data solely on the Customer's documented instructions, except where otherwise required by Union or Member State law.
2.3 Where ScrapingBee processes Personal Data for its own purposes as a Data Controller (for example, managing the commercial relationship with the Customer), the terms of Section 8 apply.
2.4 The scope, nature, purpose, duration, categories of Personal Data, and categories of Data Subjects are set out in Exhibit 1 to this DPA.
3. Customer Obligations
3.1 The Customer is responsible for the lawfulness of its own processing activities and confirms that:
- It has, and shall maintain, a valid legal basis under Data Protection Law.
- It has provided all required privacy notices to Data Subjects.
- Where consent is the legal basis, it has obtained and can evidence valid Data Subject consent.
- It has completed any required Data Protection Impact Assessment before commencing processing.
- It will not instruct ScrapingBee to process Personal Data in a way that would violate applicable Data Protection Law.
3.2 The Customer acknowledges that when it submits scraping requests via the API, it may cause ScrapingBee's infrastructure to process Personal Data contained in scraped web content. The Customer is solely responsible for ensuring that such activities comply with Data Protection Law.
3.3 The Customer shall indemnify ScrapingBee against any liability, fines, penalties, or costs arising from the Customer's failure to comply with this Section 3 or with applicable Data Protection Law.
4. ScrapingBee's Obligations as Data Processor
4.1 Processing Instructions
ScrapingBee shall process Personal Data only on the Customer's documented instructions, as set out in this DPA, Exhibit 1, and the Terms of Service, unless required by Union or Member State law. In such a case, ScrapingBee will inform the Customer of that legal requirement before processing, unless the law prohibits disclosure on grounds of public interest. ScrapingBee shall promptly notify the Customer if it believes the instruction infringes Data Protection Law.
4.2 Confidentiality of Processing
ScrapingBee shall ensure that all personnel authorized to process Personal Data are subject to binding confidentiality obligations (whether contractual, professional, or statutory), and that access to Personal Data is limited to those who need it to perform the Services.
4.3 Technical and Organizational Security Measures
ScrapingBee shall implement and maintain the technical and organizational security measures ("TOMs") described in Exhibit 3. These measures shall be reviewed to ensure a level of security appropriate to the risk of the processing, as required by Article 32 GDPR.
4.4 Sub-processors
4.4.1 General authorisation. The Customer grants ScrapingBee general written authorisation to engage the Sub-processors listed in Exhibit 2. ScrapingBee shall enter into a written sub-processing agreement with each Sub-processor imposing data-protection obligations equivalent to those in this DPA.
4.4.2 Changes to Sub-processors. ScrapingBee will give the Customer not less than thirty (30) calendar days prior notice before adding or replacing a Sub-processor. Notice will be given by: (i) updating Exhibit 2 on the published DPA page at https://www.scrapingbee.com/data-processing-agreement/, and (ii) sending an email notification to the Customer's registered account email address. Customers who wish to receive notifications of Sub-processor changes may opt in by emailing contact@scrapingbee.com.
4.4.3 Right to object. If, within fifteen (15) calendar days of ScrapingBee posting the Sub-processor update as outlined in 4.4.2, Customer does not notify ScrapingBee in writing of any objections to the replacement and/or appointment, it will be deemed that Customer has consented to the appointment. The Customer may object to a new or replacement Sub-processor on reasonable grounds relating to data protection by emailing contact@scrapingbee.com. ScrapingBee will work in good faith to resolve the objection. If the objection cannot be resolved, the Customer may, as its sole remedy, terminate the affected portion of the Services on written notice to ScrapingBee.
4.4.4 ScrapingBee's liability for Sub-processors. ScrapingBee remains fully liable to the Customer for the performance of each Sub-processor's data-protection obligations to the same extent as if ScrapingBee were performing the processing directly.
4.5 Assistance with Data Subject Rights
Considering the nature of the processing, ScrapingBee shall provide reasonable technical and organizational assistance to help the Customer respond to Data Subjects' requests to exercise their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, and objection). Upon receiving a Data Subject request relating to the Customer's data, ScrapingBee shall:
- Forward the request to the Customer's registered contact address within ten (10) business days;
- Not respond to the Data Subject directly, unless expressly instructed by the Customer; and
- Provide reasonable cooperation, including information about the categories and location of Personal Data held, to enable the Customer to respond within the applicable statutory deadline.
4.6 Assistance with Compliance Obligations
ScrapingBee shall provide reasonable assistance to the Customer in discharging the Customer's obligations under Articles 32 to 36 GDPR (security, breach notification, Data Protection Impact Assessments, and prior consultation with Supervisory Authorities), considering the nature of the processing and information available to ScrapingBee. Requests under this section should be submitted to contact@scrapingbee.com. Standard assistance is provided at no additional charge; requests that require extraordinary effort will be quoted in advance.
4.7 Personal Data Breach Notification
ScrapingBee shall notify the Customer within forty-eight (48) hours of becoming aware of a Personal Data Breach affecting data processed under this DPA. This 48-hour window is designed to ensure the Customer can meet its own 72-hour obligation to notify the relevant Supervisory Authority under Article 33 GDPR. The notification shall include, to the extent then known:
- The nature of the breach, including categories and approximate number of affected Data Subjects and Personal Data records;
- The name and contact details of ScrapingBee's data-protection contact;
- The likely consequences of the breach; and
- Measures taken or proposed to address the breach and mitigate its effects.
Where not all information is available at the time of the initial notification, ScrapingBee may provide it in phases without undue delay. Breach notifications will be sent to the Customer's registered account email address. Customers are encouraged to ensure that this address is actively monitored.
4.8 Audit Rights
4.8.1 ScrapingBee shall make available all information reasonably necessary to demonstrate compliance with this DPA and shall permit audits and inspections by the Customer or an independent third-party auditor appointed by the Customer, subject to the following:
- Audits are limited to once per calendar year, unless a Personal Data Breach or Supervisory Authority investigation provides reasonable cause for an additional audit;
- The Customer shall give at least sixty (60) calendar days' prior written notice to contact@scrapingbee.com, except in cases of urgency;
- Third-party auditors must be subject to confidentiality obligations and must not be a direct competitor of ScrapingBee; and
- Audits should be conducted during normal business hours with minimal disruption to operations.
4.8.2 ScrapingBee may satisfy this obligation by providing an up-to-date SOC 2 Type II report, ISO 27001 certificate, or equivalent third-party assurance report, where such reports adequately address the Customer's compliance requirements.
4.9 Return and Deletion of Personal Data
Upon termination or expiry of the Terms of Service, or upon the Customer's written request, ScrapingBee shall:
- Return a complete copy of all Personal Data processed under this DPA in a commonly used, machine-readable format; and/or
- Securely delete or destroy all Personal Data and existing copies held by ScrapingBee and its Sub-processors.
The return or deletion will be completed within thirty (30) calendar days, after which ScrapingBee will provide a written certification of deletion, if requested by the Customer. ScrapingBee may retain Personal Data beyond this period only where required by Union or Member State law.
4.10 Cooperation with Supervisory Authorities
ScrapingBee shall cooperate with the CNIL and other competent Supervisory Authorities as required by applicable Data Protection Law, and shall promptly notify the Customer of any inquiry, investigation, or enforcement action initiated by a Supervisory Authority that relates to the processing of Personal Data under this DPA.
5. International Data Transfers
5.1 ScrapingBee shall not transfer Personal Data originating in the EEA (or, where applicable, the UK) to a country outside the EEA ("Third Country"), and shall not authorize Sub-processors to do so, unless an appropriate transfer mechanism under Chapter V GDPR is in place.
5.2 For transfers to Sub-processors established in Third Countries (including the United States), ScrapingBee relies on the SCCs, Module 2 (Controller-to-Processor). By accepting this DPA, the Customer authorizes ScrapingBee to enter into such SCCs with Sub-processors on the Customer's behalf, solely for the purpose of ensuring compliance with GDPR Chapter V. A copy of the applicable SCCs is available on request at contact@scrapingbee.com.
5.3 For transfers of UK Personal Data, ScrapingBee relies on the UK International Data Transfer Addendum (IDTA) to the EU SCCs, issued by the UK Information Commissioner's Office, where required by UK GDPR.
5.4 If an adequacy decision, SCC, or other transfer mechanism on which ScrapingBee relies is invalidated or substantially amended, ScrapingBee shall notify the Customer promptly and the parties shall cooperate in good faith to implement an alternative lawful transfer mechanism without undue delay.
6. Service Improvement and Anonymized Technical Data
6.1 ScrapingBee may collect, retain, and use aggregated and anonymized technical and performance data derived from operating the Services — such as response-time metrics, error rates, infrastructure load, and API usage patterns ("Aggregate Service Data") — for the purposes of monitoring service health, diagnosing technical issues, and improving the ScrapingBee platform.
6.2 For the avoidance of doubt, ScrapingBee shall not process Personal Data for any purpose other than providing the Services in accordance with the Customer's documented instructions.
7. Processing of Customer Contact Data
7.1 ScrapingBee acts as an independent Data Controller for the processing of Personal Data of the Customer's operational and commercial contacts ("Contacts") for the purposes of managing the commercial relationship: invoicing, account management, support, and compliance verification.
7.2 Personal Data processed: surname, first name, professional email address, professional telephone number, position held.
7.3 Legal bases:
- Performance of the contract between the Customer and ScrapingBee (Article 6(1)(b) GDPR) — account management and invoicing;
- ScrapingBee's legitimate interests (Article 6(1)(f) GDPR) — maintaining a lawful commercial relationship and verifying counterparty compliance.
7.4 Retention: for the duration of the commercial relationship plus the applicable statutory limitation period (five (5) years under French law).
7.5 Contacts' rights: Contacts have the right to access, rectify, erase, restrict, object to, and receive a copy of their Personal Data. Rights may be exercised by contacting ScrapingBee at contact@scrapingbee.com or by post at VostokInc, 66 Avenue des Champs-Élysées, 75008 Paris, France. Contacts also have the right to lodge a complaint with the CNIL at www.cnil.fr.
7.6 It is the Customer's responsibility to inform its Contacts of the processing described in this Section 7.
7.7 Further information on ScrapingBee's processing as Data Controller is available in the ScrapingBee Privacy Policy at https://www.scrapingbee.com/privacy-policy/.
8. Liability
8.1 Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
8.2 ScrapingBee shall not be liable for damage resulting from: (a) the Customer's instructions; (b) the Customer's failure to comply with Data Protection Law; or (c) any unlawful use of the Services by the Customer or its users.
9. Terms and Updates
9.1 This DPA enters into force when the Customer first accepts the General Terms and Conditions of Service and remains in force for the duration of the Terms of Service.
9.2 ScrapingBee may update this DPA from time to time to reflect changes in Data Protection Law, Supervisory Authority guidance, Service, or otherwise. ScrapingBee will provide not less than thirty (30) days prior notice of material changes by: (i) posting the updated DPA at https://www.scrapingbee.com/data-processing-agreement/ with a revised effective date; and (ii) notifying the Customer by email to their registered account address. Continued use of the Services after the updated DPA's effective date constitutes acceptance.
9.3 Upon termination or expiry of the Terms of Service, this DPA terminates automatically, subject to ScrapingBee's obligations under Section 4.9 (Return and Deletion).
9.4 Sections 4.9, 7, 8, 10, and 11, together with Section 9.4, survive termination or expiry.
10. Governing Law and Jurisdiction
This DPA is governed by the same law, and any dispute arising from it shall be subject to the same jurisdiction, as specified in the Terms of Service, without prejudice to any mandatory provisions of applicable Data Protection Law.
11. General Provisions
Entire agreement. This DPA, together with the General Terms and Conditions of Service and any applicable SCCs, constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes all prior arrangements on this subject.
Severability. If any provision of this DPA is invalid or unenforceable, the remaining provisions continue in full force.
Contact. Questions relating to this DPA should be directed to contact@scrapingbee.com.
No waiver. Failure to enforce any provision of this DPA shall not constitute a waiver of the right to enforce it in the future.
EXHIBIT 1
Description of Processing Activities
| Element | Details |
|---|---|
| Subject-matter | Provision of web data-extraction and scraping API services, and associated support services. |
| Duration | For the term of the provision of the Service, provided by ScrapingBee under the General Terms and Conditions of Service, where ScrapingBee acts as the Data Processor. |
| Nature | Collection, storage, retrieval, transmission, structuring, use, and deletion of Personal Data in connection with the execution of API requests submitted by the Customer. |
| Purpose | Providing the Services as instructed by the Customer; enabling the Customer to collect publicly available web data at scale; log management, billing, live support, and transactional communications. |
| Types of Personal Data | (a) API and account data: API keys, IP addresses, request metadata, usage logs; (b) Scraped-content data: any Personal Data contained in web pages scraped via the API, the scope of which is determined solely by the Customer; (c) Support data: name, email, content of support tickets and chat messages. |
| Categories of Data Subjects | (a) The Customer's authorized users; (b) Individuals whose Personal Data may appear in web pages scraped at the Customer's instruction (determined solely by the Customer); (c) The Customer's employees and other contacts. |
| Processing Locations | Primarily – EU. All cross-border transfers are governed by EU SCCs as set out in Exhibit 2. |
| Special Categories | ScrapingBee does not intentionally process Special Categories of Personal Data on behalf of the Customer. |
EXHIBIT 2
Approved Sub-processors
Last updated: March 23, 2026
Subscribe to change notifications: contact@scrapingbee.com
| Sub-processor | Country | Service | Personal Data Processed | Transfer Mechanism |
|---|---|---|---|---|
| Google Cloud Platform | Paris (main), multi-DC EU for backup | Cloud Hosting | Name, email, log data, API request metadata | EEA, no transfer mechanism required |
| Datapacket | Netherlands, France, Czech Republic (EU) | Dedicated Servers | Log data, API request metadata | EEA, no transfer mechanism required |
| Crisp IM SAS | France (EU) | Live Chat & Support | Name, email, chat messages | EEA, no transfer mechanism required |
| Customer.io | USA | Transactional & Marketing Email | Name, professional email | EU SCCs 2021, Module 2 (C-to-P) |
| Datadog, Inc. | USA | Log Management & Monitoring | IP addresses, API request logs, error metadata | EU SCCs 2021, Module 2 (C-to-P) |
| Chargebee, Inc. | USA | Subscription & Billing | Name, email, billing address, subscription data | EU SCCs 2021, Module 2 (C-to-P) |
| Stripe, Inc. | USA | Payment Processing | Name, email, payment card data (PCI-DSS) | EU SCCs 2021, Module 2 (C-to-P) |
EXHIBIT 3
Technical and Organizational Security Measures
ScrapingBee ensures an adequate level of security for Personal Data (hereinafter – the "Data") as required by applicable data protection laws. ScrapingBee protects Data from destruction, alteration, unauthorized disclosure, or unauthorized access, and safeguards it against any other unauthorized methods of processing. These measures apply where appropriate to the nature, scope, context, and purposes of processing.
Taking into account the level of development of technical capabilities, implementation costs, and the nature, scope, context, and objectives of data processing, as well as the risks to the rights and freedoms of individuals, ScrapingBee has implemented appropriate technical and organizational measures to ensure a level of security proportionate to those risks. The table below sets out those measures, where applicable.
| # | Control Domain | Measure |
|---|---|---|
| 3.1 | Accountability and Governance | Designated accountable personnel are appointed to oversee data security and compliance with legal requirements. |
| 3.2 | Audit and Compliance Checks | Regular assessments of the effectiveness of technical and organizational measures are conducted to verify and continuously improve data security. |
| 3.3 | Business Continuity Plan | Availability and access to Data are restored in a timely manner in the event of a physical or technical incident. Redundancy and capacity planning are maintained for all critical services. |
| 3.4 | Confidentiality Agreements | Non-disclosure and confidentiality agreements are in place with all service providers who maintain or service equipment used to store Data. |
| 3.5 | Control of Access Rights | Access to Data is controlled through a technical authorization system that restricts permissions to individuals whose work functions require access. Password standards (minimum length, complexity or passphrases, lockouts) and session timeouts are enforced. Usernames and passwords are confidential and non-transferable; formal procedures govern the allocation and revocation of access rights. |
| 3.6 | Data Backup and Recovery | Backup and recovery processes are in place to ensure Data can be recovered and retrieved from backups reliably and within agreed timeframes. |
| 3.7 | Data Destruction | Secure data-destruction processes are in place to ensure Data is irreversibly destroyed when the media containing it is no longer required. |
| 3.8 | Data Encryption | Data is pseudonymized and encrypted both at rest and in transit using strong cryptographic protocols to ensure confidentiality and integrity. |
| 3.9 | Data Protection Policies | Policies on data handling, processing, and retention are established and enforced to guide employees in data-protection best practices. |
| 3.10 | Employee Training and Awareness | Regular security-awareness training is conducted to educate employees on data security, phishing, social engineering, and best practices. |
| 3.11 | Logging and Monitoring | Logins to databases containing Data can be retrospectively reviewed. ScrapingBee monitors databases and provides access logs and reports upon request. |
| 3.12 | Network Security | Firewalls, intrusion detection/prevention systems (IDS/IPS), and VPNs are used to secure network boundaries and protect against unauthorized access. |
| 3.13 | Physical Access Protection | Unattended premises containing computer equipment and personal information are locked to protect Data from unauthorized use, exposure, or theft. |
| 3.14 | Risk Management Programme | Regular risk assessments are performed, risk registers are maintained and updated, and risk-mitigation strategies are applied as part of a continuous risk-management programme. |
| 3.15 | Secure Communication | External data transmissions are protected by technical measures that enable access logging and ensure encryption of data in transmission channels outside systems controlled by ScrapingBee. |
| 3.16 | Security of Processing | The continued confidentiality, integrity, availability, and resilience of processing systems and services is maintained and regularly tested. |
| 3.17 | Third-Party Vendor Management | Vendors and service providers on ScrapingBee's premises are supervised. Media containing Data is removed from the premises if on-site maintenance cannot be performed. |
This list of technical and organizational data security measures is not exhaustive. ScrapingBee reserves the right to implement additional measures to adapt to emerging threats and evolving best practices.