Data Processing Agreement
Last updated: March 28, 2026
1. Definitions
- "Controller" refers to you, the developer, who determines the purposes and means of processing personal data obtained via Sloxly APIs.
- "Processor" refers to Sloxly, which processes personal data on your behalf through API services.
- "Data Subject" refers to Sloxly users whose data is accessed via OAuth or API endpoints.
2. Scope of Processing
When users authorize your application via OAuth, Sloxly processes the following data on your behalf:
| Data Category | Examples | Retention |
|---|---|---|
| Identity Data | Name, email, avatar URL | Until user revokes access |
| Authorization Data | Auth codes, access tokens | 5 min (codes), 1 hour (tokens) |
| Activity Logs | API requests, timestamps | 90 days |
3. Your Obligations as Controller
- Maintain a lawful basis for processing user data (e.g., consent via the OAuth consent screen).
- Provide users with a privacy policy explaining how you use their Sloxly data.
- Implement appropriate security measures to protect accessed data.
- Notify Sloxly within 72 hours of any data breach involving data obtained via our APIs.
- Delete user data within 48 hours when a user revokes your application's access.
4. Our Obligations as Processor
- Process data only as instructed through documented API endpoints.
- Maintain technical and organizational security measures.
- Not sub-process data without prior authorization.
- Assist you with data subject access requests when technically feasible.
- Delete or return all personal data upon termination of the developer account.
5. International Transfers
Our servers are located in India. If you transfer data outside India, you are responsible for ensuring adequate data protection safeguards.
6. Audit Rights
You may request documentation of our security measures. On-site audits are available for enterprise-tier developers upon request.