
Data Processing Agreement

Standard terms applied when Mailthentic processes personal data on your behalf under GDPR Article 28.

Last updated: May 2026 — Version 1.0

Template under legal review.

This DPA is a starting template. If you require a counter-signed agreement for procurement or a specific jurisdiction (UK SCCs, EU SCCs 2021/914, Swiss FADP addendum, etc.), email legal@mailthentic.com with your requirements.

1. Parties & Roles

This Data Processing Agreement ("DPA") is between you ("Controller") and Mailthentic ("Processor"). It supplements the Mailthentic Terms of Use and applies whenever Mailthentic processes personal data on your behalf.

The Controller determines the purposes and means of processing the personal data. The Processor processes that data only on the Controller's documented instructions.

2. Subject Matter, Duration, Nature & Purpose

  • Subject matter — verification of email addresses uploaded by the Controller.
  • Duration — the period during which the Controller maintains an active Mailthentic account, plus the retention windows in Section 8.
  • Nature — automated DNS lookup, SMTP probing, and classification of email addresses; storage of verification results and SMTP transcripts; aggregate reputation analytics.
  • Purpose — to determine deliverability and detect risks (catch-all, disposable, role) for emails the Controller plans to send.
  • Categories of personal data — email addresses, domain names, and metadata about the Controller's contacts.
  • Categories of data subjects — the Controller's customers, prospects, employees, or other contacts whose addresses the Controller chooses to verify.

3. Processor's Obligations

Mailthentic shall:

  • Process personal data only on the Controller's documented instructions, including with regard to international transfers.
  • Ensure that personnel authorised to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures (Section 6).
  • Engage subprocessors only as set out in Section 5.
  • Assist the Controller in responding to data subject requests (Section 7).
  • Notify the Controller of personal data breaches without undue delay (Section 9).
  • Delete or return all personal data on termination (Section 10).
  • Make available the information required to demonstrate compliance and submit to audits (Section 11).

4. Controller's Obligations

The Controller is responsible for:

  • The lawful basis for processing each personal data set uploaded for verification.
  • Providing required notices to data subjects under Articles 13–14 of the GDPR.
  • Honouring data subject rights for personal data the Controller has caused Mailthentic to process.
  • Ensuring uploaded lists do not exceed the special-category limits in our Terms of Use.

5. Subprocessors

The Controller authorises Mailthentic to engage the subprocessors listed at mailthentic.com/subprocessors. Mailthentic will give at least 30 days' notice before adding a new subprocessor; the Controller may object on reasonable grounds.

Each subprocessor is bound by data-protection terms substantially equivalent to those in this DPA.

6. Security Measures

Mailthentic implements technical and organisational measures including:

  • TLS 1.2+ for all data in transit; encrypted database storage at rest.
  • Access controls with least-privilege role assignment and mandatory MFA for production access.
  • Network segmentation between the verification worker and the application/billing tier.
  • Audit logging of administrative actions and authentication events.
  • Periodic backup with documented restore procedures.
  • Independent vulnerability scanning and remediation tracking.

7. Assistance with Data Subject Requests

Mailthentic provides the following routes for data subject rights:

  • Right of access (Art. 15) — full account export at Profile → Export My Data.
  • Right to rectification (Art. 16) — profile edits available in account settings.
  • Right to data portability (Art. 20) — same JSON export, machine-readable.
  • Right to erasure (Art. 17) — request-based. Email privacy@mailthentic.com; we will action the request within 30 days.

For any other request, contact privacy@mailthentic.com; we will respond within 30 days.

8. Retention & Deletion

Personal data is retained as follows:

  • Verification results — retained for the life of the account to feed accuracy analytics, domain reputation, and product improvement; deleted on request under Section 7.
  • SMTP transcripts — the transcript field is automatically purged from the verification record 90 days after creation. The record itself is retained.
  • Account data — for the life of the account; deactivated immediately when the Controller completes the Deactivate Account flow, with full erasure available on request.
  • Aggregated reputation data — domain-level statistics with no addressable individual identifier may be retained indefinitely.
  • Billing & tax records — retained as required by applicable law (typically 7 years).

9. Personal Data Breach Notification

Mailthentic will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Controller data. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.

10. Return or Deletion on Termination

On termination of the underlying service agreement, Mailthentic will, at the Controller's choice, delete or return all personal data and delete existing copies, unless retention is required by applicable law.

11. Audits

Mailthentic will make available to the Controller, on reasonable request, the information necessary to demonstrate compliance with this DPA and will submit to audits — including by an independent auditor mandated by the Controller — no more than once per year, conducted with reasonable notice and in a manner that does not unreasonably disrupt Mailthentic's operations.

12. International Transfers

Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, Mailthentic relies on appropriate safeguards including the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK Addendum, supplemented by the technical measures in Section 6.

13. Liability & Conflicts

In the event of a conflict between this DPA and the underlying Terms of Use, this DPA prevails for matters relating to the processing of personal data. Liability under this DPA is governed by the limitations in the Terms of Use.

Contact

Privacy and data protection inquiries: privacy@mailthentic.com.