Data Processing Agreement

Last updated: 20 April 2026. This DPA is automatically incorporated into our Terms of Service for any customer who submits personal data to MailChecked. No counter-signature is required for it to be in force.

1. Parties and roles

This Data Processing Agreement ("DPA") is entered into between MailChecked ("Processor") and you, the customer ("Controller"), with respect to personal data submitted to the MailChecked service for the purpose of email validation.

2. Subject matter and duration

The subject matter is the processing of email addresses (and optionally associated metadata you upload, e.g. names in CSV columns) for the purpose of validation. Processing continues for the duration of your account and the retention periods specified in §7.

3. Nature and purpose of processing

MailChecked processes the personal data you submit solely to:

Perform email validation (syntax, MX, SMTP probing, classification).
Return results to you via the dashboard or API.
Make repeat checks free of charge via an anonymized cache.
Operate, secure, and improve the service.

4. Categories of data subjects and personal data

Data subjects: the individuals whose email addresses you submit.
Categories of data: email addresses; optional fields you choose to include in CSV uploads (e.g. first name, company); IP/timestamp metadata of your API calls (Controller-side; not the data subjects').

5. Obligations of the Processor

MailChecked will:

Process personal data only on documented instructions from the Controller, which are taken to consist of these Terms and any features you configure in the dashboard.
Ensure persons authorized to process the data are bound by confidentiality.
Implement appropriate technical and organizational measures (see §9).
Engage sub-processors only as listed in §8 and notify the Controller of changes.
Assist the Controller with data-subject requests and DPIAs to the extent reasonably required.
Notify the Controller without undue delay of any personal-data breach.
Delete or return personal data after the end of the retention period (§7) unless retention is required by law.
Make available all information necessary to demonstrate compliance, and allow audits as described in §10.

6. Obligations of the Controller

You warrant that you have a lawful basis (consent, contract, legitimate interest, etc.) to validate every email address you submit.
You will not submit special-category data (health, political opinions, etc.) — email addresses only.
You will respond to data-subject requests directed to you, with our reasonable assistance.

7. Retention and deletion

Bulk uploads: retained 30 days, then permanently deleted.
Per-validation result records (linked to your account): retained 12 months for billing audit.
Anonymized validation cache: indefinitely; entries are SHA-256 hashes with no link back to any account or controller.
On account deletion, all account-linked data is removed within 30 days, except records we're legally required to retain (e.g. invoices for 7 years).

8. Sub-processors

The following sub-processors are authorized as of the effective date:

Sub-processor	Purpose	Location
Stripe, Inc.	Billing and invoicing	USA / EU
Resend	Transactional email delivery	USA / EU
Cloudflare, Inc.	DNS, WAF, edge proxying	Global
Contabo GmbH	Hosting (servers, storage, network)	EU (Germany)
Functional Software, Inc. (Sentry)	Error monitoring (with PII scrubbing)	USA / EU

We'll notify you (via email or dashboard banner) at least 30 days before adding or replacing a sub-processor, giving you the opportunity to object.

9. Security measures

TLS 1.3 in transit; encryption at rest for the database and uploaded files.
Hashed credentials (Better Auth) and SHA-256-hashed API keys.
Network isolation — application services not directly exposed to the internet (Cloudflare Tunnel + WAF in front).
Role-based access controls; principle of least privilege.
Audit logging of administrative actions.
Automated dependency scanning and patching.
Backups with documented restore tests.

10. Audit rights

The Controller may, at its own cost and no more than once per year (except where mandated by a regulator or following a breach), request reasonable evidence of compliance. We'll respond to written audit questionnaires within 30 days. On-site audits are subject to mutually agreed scope and confidentiality.

11. International transfers

Where personal data is transferred to a sub-processor outside the EU/UK, the transfer is governed by the EU Standard Contractual Clauses (Module 3, processor-to-processor) or the UK International Data Transfer Addendum, as applicable.

12. Liability

Liability under this DPA is subject to the limitations in the Terms of Service.

13. Term and termination

This DPA is effective for as long as MailChecked processes personal data on your behalf. On termination, §7 applies to retention and deletion.

14. Counter-signed copies

If your procurement process requires a counter-signed copy, email privacy@mailchecked.com with your company details. We typically return within 5 business days.