Data Processing Agreement
This DPA applies whenever you use VerifyMaill to process personal data and forms part of our Terms of Service. If you need a counter-signed copy for your records, just ask.
1. Parties & Definitions
This Data Processing Agreement ("DPA") is entered into between you, the customer ("Controller"), and 47labz, the company that operates VerifyMaill ("Processor", "VerifyMaill"), and is incorporated into the Terms of Service (the "Agreement"). It applies to the extent VerifyMaill processes Personal Data on the Controller's behalf.
- Personal Data, processing, controller, processor, sub-processor, data subject: have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and, where applicable, the UK GDPR and other applicable data-protection law ("Data Protection Law").
- Customer Data: the email addresses and related data the Controller submits to the Service for verification.
If this DPA conflicts with the rest of the Agreement on data protection, this DPA prevails.
2. Subject Matter & Duration
The subject matter is VerifyMaill's processing of Customer Data to provide the Service. Processing continues for the term of the Agreement and until Customer Data is deleted in accordance with Section 13.
3. Nature & Purpose of Processing
VerifyMaill processes Customer Data only to verify, validate, score and report on the deliverability of the email addresses the Controller submits, and to provide related features, support and security, that is, to provide the Service and follow the Controller's documented instructions (including those given through the Service). VerifyMaill will not process Customer Data for any other purpose, and will not sell it or use it to build profiles or for advertising.
4. Categories of Data & Data Subjects
Data subjects: the individuals whose email addresses the Controller submits, typically the Controller's contacts, leads, subscribers or users.
Categories of Personal Data: email addresses and any associated fields the Controller chooses to submit (for example a name or identifier), plus the verification results we generate about them.
The Controller must not submit special-category data (such as health, racial or biometric data) or data of children, as the Service is not designed for it.
5. Our Obligations as Processor
VerifyMaill will:
- process Customer Data only on the Controller's documented instructions, including for transfers, unless required to act by law (in which case we'll tell you, unless the law forbids it);
- ensure people authorised to process Customer Data are bound by confidentiality;
- implement the technical and organisational security measures in Section 9;
- respect the conditions for engaging sub-processors in Section 7;
- assist the Controller, taking into account the nature of processing, in responding to data-subject requests (Section 10) and in meeting its obligations on security, breach notification and data-protection impact assessments;
- notify the Controller without undue delay of a personal-data breach (Section 11); and
- at the Controller's choice, delete or return Customer Data at the end of the Agreement (Section 13).
6. Your Obligations as Controller
- You confirm you have a lawful basis to process the Customer Data and to instruct us to verify it.
- You are responsible for the accuracy, content and legality of the Customer Data and for the notices and consents required of a controller.
- Your instructions to us must comply with Data Protection Law.
7. Sub-Processors
The Controller gives general authorisation for VerifyMaill to engage the sub-processors listed below to process Customer Data. Each sub-processor is bound by a written contract imposing data-protection obligations at least as protective as those in this DPA, and VerifyMaill remains responsible for their performance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, compute and database storage | Global (region-dependent) |
| Cloudflare | Content delivery, DNS and DDoS / security protection | Global |
| Polar | Merchant of Record: checkout, billing and tax | United States / EU |
| Stripe | Payment and card processing (via our Merchant of Record) | United States |
We will give the Controller notice before adding or replacing a sub-processor (for example by email or an in-product notice). The Controller may object on reasonable data-protection grounds within 30 days; if we can't resolve the objection, the Controller may stop using the affected part of the Service and, if that's not workable, terminate the affected subscription.
8. International Data Transfers
Where processing involves transferring Personal Data of EEA or UK data subjects to a country without an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses (and the UK Addendum), which are incorporated into this DPA by reference, together with any additional safeguards required. VerifyMaill operates from India.
9. Security Measures (Annex)
VerifyMaill maintains technical and organisational measures appropriate to the risk, including:
- Encryption: TLS for data in transit and AES-256 for data at rest;
- Access control: least-privilege, role-based access; unique credentials; access limited to staff who need it;
- Network & application security: monitored infrastructure and secure development practices;
- Resilience: measures to maintain availability and to restore access after an incident;
- Data minimisation & deletion: permanent deletion on request, with no soft-delete; and
- Review: periodic review of these measures as the Service evolves.
10. Data Subject Requests
If we receive a request from a data subject about Customer Data, we will not respond directly (except to confirm it should go to the Controller) and will, taking into account the nature of the processing, assist the Controller in responding, including through the deletion and export tools in the Service.
11. Breach Notification
VerifyMaill will notify the Controller without undue delay after becoming aware of a personal-data breach affecting Customer Data, and will provide the information the Controller reasonably needs to meet its own notification obligations, along with the steps we are taking to address the breach.
12. Audit Rights
VerifyMaill will make available the information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. To keep this practical, audits take place on reasonable prior notice, no more than once a year (unless required by a regulator or following a breach), during business hours, subject to confidentiality, and without disrupting our operations or other customers' data. We may satisfy audit requests by providing relevant documentation where that reasonably addresses the request.
13. Return & Deletion of Data
The Controller can delete Customer Data at any time through the Service, and deletion is permanent. On expiry or termination of the Agreement, VerifyMaill will, at the Controller's choice, delete or return Customer Data and delete existing copies within 30 days, except to the extent the law requires us to retain it (in which case we keep it confidential and stop active processing).
14. Contact
To raise a data-processing matter or request a signed copy of this DPA, contact team@verifymaill.com.