Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the customer (“Controller”) and Mailsurity (“Processor”) and governs the processing of personal data carried out by Mailsurity on the Controller's behalf. It applies to the extent data-protection laws (such as the EU/UK GDPR) apply to that processing.
Last updated: June 20, 2026
1. Definitions
- Controller — the entity (you, the customer) that determines the purposes and means of processing Personal Data.
- Processor — [LEGAL ENTITY NAME], operating Mailsurity at mailsurity.com, acting on the Controller's behalf.
- Personal Data — any information relating to an identified or identifiable natural person that is processed under this DPA.
- Sub-processor — a third party engaged by the Processor to process Personal Data in connection with the Service.
- Data Protection Laws — all laws applicable to the processing of Personal Data under this DPA, including the EU GDPR, UK GDPR, and applicable U.S. state privacy laws.
2. Roles & scope
For the Personal Data the Controller submits through the Service, the Controller is the controller and Mailsurity is the processor. Each party will comply with its obligations under Data Protection Laws. The details of the processing (subject matter, duration, nature and purpose, types of Personal Data, and categories of data subjects) are set out in Annex 1.
3. Purpose & instructions
The Processor will process Personal Data only to provide and support the Service — namely, to evaluate whether the email addresses, domains, and (where applicable) related metadata submitted by the Controller are disposable — and otherwise only on the Controller's documented instructions, including those given through the dashboard and API.
If the Processor is required by law to process Personal Data beyond those instructions, it will (unless legally prohibited) inform the Controller before doing so.
4. Processor obligations
The Processor will:
- process Personal Data only as described in Section 3;
- ensure that personnel authorized to process Personal Data are bound by confidentiality;
- implement appropriate technical and organizational measures (see Annex 3);
- assist the Controller, taking into account the nature of the processing, with data-subject requests and with its security, breach, and impact-assessment obligations; and
- delete or return Personal Data at the end of the Service, as set out in Section 10.
Prohibited data. The Service is not designed to receive special categories of Personal Data (for example, data revealing health, racial or ethnic origin, religious beliefs, or biometric data). The Controller must not submit such data. If the Processor becomes aware that special-category data has been submitted, it will delete it promptly.
5. Confidentiality
The Processor will keep Personal Data confidential and will not disclose it except to personnel and Sub-processors who need it to provide the Service and who are subject to confidentiality obligations, or where required by law.
6. Security
The Processor maintains technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These include encryption in transit (TLS), encryption at rest provided by the Processor's database and storage providers, scoped API keys, and access controls. A summary is set out in Annex 3; further detail is available on request.
7. Sub-processors
The Controller provides general authorization for the Processor to engage Sub-processors to provide the Service. The current Sub-processors are listed in Annex 2. The Processor imposes data-protection terms on each Sub-processor that are no less protective than this DPA, and remains responsible for their performance.
The Processor will give the Controller notice of any intended change involving the addition or replacement of a Sub-processor. The Controller may object on reasonable data-protection grounds within 7 days of notice; the parties will then work in good faith to resolve the objection.
8. Data-subject rights
Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects to exercise their rights (access, rectification, erasure, restriction, portability, and objection). Where a data subject contacts the Processor directly, the Processor will forward the request to the Controller and will not respond except on the Controller's instructions or as required by law.
9. Personal data breach notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Controller's Personal Data. The notification will describe, to the extent known, the nature of the breach, its likely consequences, and the measures taken or proposed to address it.
10. Data retention, return & deletion
- API request logs are retained for [90 days] and then deleted or anonymized.
- Bulk-check input files are deleted after 7 days and result files after 30 days.
- On the Controller's request, or on termination of the Service, the Processor will delete or return the Controller's Personal Data — removing it from live systems within [30 days] and from backups within [90 days] — except where retention is required by law.
11. International transfers
Where the Processor transfers Personal Data originating in the EEA, UK, or Switzerland to a country without an adequacy decision, such transfers are governed by the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor), which are incorporated into this DPA by reference and completed using the information in the Annexes. The UK Addendum and the Swiss amendments apply as relevant.
12. Audit
On reasonable request, the Processor will make available information necessary to demonstrate compliance with this DPA and will complete reasonable security questionnaires. Enterprise customers may negotiate additional audit arrangements, subject to reasonable notice, confidentiality, and frequency limits.
13. Assistance with compliance
The Processor will provide the Controller with information reasonably required for the Controller's Data Protection Impact Assessments (DPIAs) and any prior consultations with supervisory authorities, to the extent such information relates to the Processor's processing under this DPA.
14. Liability
Each party's liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Where those limits apply, the Processor's aggregate liability will not exceed the fees paid for the Service in the 12 months preceding the event giving rise to the claim, except to the extent such limitation is not permitted by Data Protection Laws (including for data-subject claims under European Data Protection Laws).
15. Term & termination
This DPA takes effect when the Controller begins using the Service and remains in force for as long as the Processor processes Personal Data on the Controller's behalf. Obligations that by their nature should survive termination — including confidentiality and deletion — will survive.
16. Order of precedence
In the event of a conflict, the following order of precedence applies: (1) Data Protection Laws; (2) the Standard Contractual Clauses; (3) this DPA; and (4) the Terms of Service.
17. Contact
To raise a data-protection matter or to request a countersigned copy of this DPA, contact [LEGAL ENTITY NAME] at support@mailsurity.com ([REGISTERED BUSINESS ADDRESS]).
Annex 1 — Details of processing
- Subject matter: the Processor's provision of the disposable-email detection Service to the Controller.
- Duration: for the term of the Controller's use of the Service, plus the retention periods in Section 10.
- Nature & purpose: evaluating submitted email addresses/domains to classify them as disposable or legitimate, and related logging for billing, analytics, and abuse prevention.
- Types of Personal Data: email addresses and their domains submitted for checking; account contact details (name, email, organization); and request metadata (IP address, timestamps).
- Categories of data subjects: the Controller's personnel and end users whose email addresses are submitted to the Service.
Annex 2 — Sub-processors
The Processor engages the following Sub-processors. Specific corporate entities, regions, and any future additions are confirmed on request.
| Sub-processor | Purpose | Data involved | Location |
|---|---|---|---|
| Stripe | Subscription billing & card processing | Billing contact, customer/subscription identifiers | United States / global |
| Supabase | Authentication, database & file storage | Account data, bulk-check input/result files | [HOSTING REGION] |
| Google (Gemini API) | AI classification of gray-zone domains | Email domain only (never the local-part) | United States / global |
| Resend | Transactional & support email delivery | Recipient email address, message content | United States |
| [HOSTING PROVIDER] | Application & API hosting | All processed data, in transit | [HOSTING REGION] |
| [CACHE / QUEUE PROVIDER] | Caching and background job queues | Domain data & operational metadata | [HOSTING REGION] |
Annex 3 — Technical & organizational measures
The Processor maintains measures including, at a minimum:
- encryption of Personal Data in transit (TLS) and at rest;
- role-based access controls and the principle of least privilege for personnel and systems;
- scoped, revocable API keys for programmatic access, with per-team isolation;
- network and application security controls, including rate limiting and abuse prevention;
- logging and monitoring to detect and investigate security events;
- regular backups and a documented data-retention and deletion schedule (Section 10); and
- confidentiality obligations and security awareness for personnel with access to Personal Data.