Data Processing Agreement

Last updated: April 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between MailSentry ("Processor", "we", "us") and the customer ("Controller", "you") who uses the MailSentry API and related services. This DPA applies to the extent that MailSentry processes Personal Data on your behalf as a data processor under the General Data Protection Regulation (EU) 2016/679 ("GDPR").

By using MailSentry, you accept this DPA. If you have a separate, signed DPA with us, that agreement takes precedence over this document where they conflict.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1). In the context of MailSentry, this primarily means email addresses.
  • "Processing" means any operation performed on Personal Data, including validation, analysis, storage, and deletion.
  • "Controller" means you, the customer who determines the purposes and means of processing Personal Data by submitting it to MailSentry.
  • "Processor" means MailSentry, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means a third party engaged by MailSentry to assist in processing Personal Data.

3. Scope and Purpose of Processing

Subject matter

MailSentry provides email validation services via API, bulk validation, email finder, and third-party integrations. The processing consists of receiving email addresses, performing validation checks (syntax, MX records, SMTP verification, disposable detection, quality scoring, and related analyses), and returning results to the Controller.

Duration

Processing continues for the duration of the Controller's use of the Service. Upon account deletion, Personal Data is deleted in accordance with Section 10.

Types of Personal Data

The Customer Personal Data processed under this Agreement consists of email addresses submitted for validation, and (for some operations) related metadata such as first name, last name, and external contact identifiers.

Categories of data subjects

Individuals whose email addresses are submitted to MailSentry by the Controller — typically the Controller's customers, leads, subscribers, or contacts.

Data retention by service type

  • Single API validation (/v1/verify): Submitted email addresses are processed in real time and are not stored in plaintext in the primary validation log. A SHA-256 hash of the email along with the validation result metadata (score, verdict, provider, layer-by-layer flags) is recorded to that internal log for the purposes of (a) bounce-feedback accuracy tuning and (b) consistent scoring across repeat lookups via a short-lived score cache. The score cache (a separate table) retains the plaintext email and full result for up to 30 days from the most recent lookup of that address — repeat lookups within the 30-day window reset the retention clock.
  • Bulk validation (/v1/bulk): Submitted email addresses are stored in plaintext alongside their validation results until the user deletes the job or their account, whichever occurs first.
  • Email Finder (/v1/finder): Submitted names, domains, and discovered email addresses are stored in plaintext until account deletion.
  • Integration sync (Mailchimp, HubSpot, etc.): Email addresses retrieved via integration and their validation results are stored in plaintext until the integration is disconnected or the account is deleted.
  • Usage analytics: Aggregate daily validation counts (no email addresses) are retained for 12 months and automatically purged.

Encryption

All stored data benefits from disk-level AES-256 encryption provided by the underlying infrastructure provider (Supabase / AWS). Application-level encryption beyond hashing of single-call validation logs is not applied.

4. Processor Obligations

MailSentry shall:

  • Process Personal Data only on documented instructions from the Controller (i.e., as necessary to provide the Service), unless required by applicable law.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organizational security measures (see Section 7).
  • Comply with the conditions for engaging Sub-processors (see Section 6).
  • Assist the Controller in responding to data subject rights requests, to the extent technically feasible (see Section 9).
  • Assist the Controller in ensuring compliance with breach notification, data protection impact assessments, and prior consultation obligations under GDPR Articles 32–36.
  • At the Controller's choice, delete or return all Personal Data upon termination of the Service (see Section 10).
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA.

5. Controller Obligations

The Controller shall:

  • Ensure that there is a valid lawful basis under GDPR Article 6 for submitting Personal Data to MailSentry (typically legitimate interest under Article 6(1)(f) or contract performance under Article 6(1)(b)).
  • Ensure that data subjects have been informed about the processing in accordance with GDPR Articles 13 and 14, including disclosure of MailSentry as a processor in the Controller's own privacy policy.
  • Not submit special category data (GDPR Article 9) or criminal conviction data (GDPR Article 10) to MailSentry, as the Service is not designed to process such data.

6. Sub-processors

The Controller authorizes MailSentry to engage the following Sub-processors to assist in providing the Service:

Sub-processor | Purpose | Location
Supabase Inc. | Database, authentication, user management | United States
Vercel Inc. | Application hosting, serverless compute, edge network | United States (global edge)
Lemon Squeezy LLC | Payment processing and subscription management | United States
Resend Inc. | Transactional email delivery (notifications, alerts) | United States

MailSentry will notify the Controller before adding or replacing Sub-processors by updating this page. The Controller may object to a new Sub-processor by contacting support@mailsentry.dev within 30 days of the update. If the objection cannot be resolved, the Controller may terminate the Service.

7. Security Measures

MailSentry implements the following technical and organizational measures to protect Personal Data:

  • Encryption at rest: All databases use AES-256 encryption at rest via the underlying infrastructure (Supabase on AWS).
  • Encryption in transit: All data transfer between Controller and Processor systems is over TLS 1.3.
  • Access controls: Production database access is restricted to authorized personnel via role-based access control. API access requires authenticated API keys scoped to a single user account. Row-level security (RLS) policies ensure users can only access their own data.
  • Hashing: Single-call validation logs use SHA-256 hashing of the input email for the validation log table. API keys are hashed using SHA-256 before storage. User passwords are hashed using bcrypt via Supabase Auth. Plaintext is retained only in the cases documented in Section 3.
  • Backup and disaster recovery: Daily encrypted backups retained for 30 days via Supabase.
  • Monitoring: Production access and modification events are logged.

8. Data Breach Notification

In the event of a Personal Data breach, MailSentry will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33. The notification will include:

  • The nature of the breach, including the categories and approximate number of data subjects and records affected
  • The likely consequences of the breach
  • The measures taken or proposed to address and mitigate the breach
  • The contact point for further information

MailSentry will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

9. Data Subject Rights

MailSentry will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, and objection) to the extent technically feasible. Single API validations are recorded as a SHA-256 hash in the validation log; deletion-cascade for this table is being implemented prior to public launch (see Section 10). The score cache, which retains plaintext emails for up to 30 days, is currently a global cache rather than per-user; application-level cleanup and per-user deletion cascade are being implemented prior to public launch (see Section 10). For bulk validation, email finder, and integration data, the Controller can access and delete their data directly from the MailSentry dashboard, or request assistance at support@mailsentry.dev.

Controllers can also use the "Download My Data" feature (Account Settings → Data & Privacy) to export all stored data in machine-readable JSON format, supporting GDPR Article 20 (data portability).

10. Data Deletion and Return

Upon the Controller's written request or upon termination of the Agreement, Processor will delete Personal Data as follows:

  • Data export: The Controller may export all their data via the dashboard (Account Settings → Data & Privacy → Download My Data) before account deletion.
  • Account deletion cascade: When the Controller deletes their account, the following are permanently deleted from production databases: bulk validation jobs and results, email finder searches, integration validation logs, integration sync state, API keys, usage logs, user settings, team invites, and the user account record.
  • Validation log (SHA-256 hashed emails + metadata): Retained pending implementation of account-deletion cascade. While SHA-256 hashing reduces direct identifiability of the stored email values, hashed email data remains Personal Data under GDPR because re-identification by hashing a candidate address and matching is reasonably possible. Deletion-cascade for this table will be implemented prior to public launch.
  • Score cache (plaintext emails, up to 30-day TTL): Currently retained globally rather than per-user. Plaintext entries age out via the 30-day TTL. Application-level TTL cleanup and account-deletion cascade for this table are being implemented prior to public launch.
  • Bounce feedback (SHA-256 hashed emails): Same status and GDPR treatment as the validation log above — hashed email data is still Personal Data, and account-deletion cascade for this table will be implemented prior to public launch.
  • Automatic purge: Usage analytics data older than 12 months is automatically deleted by a scheduled process, regardless of account status.
  • Backups: Backups containing already-deleted production data are purged within 30 days per backup retention policy.

The Controller may request specific data export or deletion ahead of these timelines by contacting support@mailsentry.dev. Processor will respond within 30 days per GDPR Article 12.

11. Audit Rights

The Controller has the right to verify MailSentry's compliance with this DPA. Upon reasonable written request (no more than once per year), MailSentry will provide relevant information, documentation, or access necessary to demonstrate compliance. Audits shall be conducted with reasonable advance notice and in a manner that does not disrupt MailSentry's operations or compromise the security or confidentiality of other customers' data.

12. International Data Transfers

Personal Data may be processed in the United States and other countries where our Sub-processors operate. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries without an adequacy decision, MailSentry relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent transfer safeguards provided by each Sub-processor.

Details of each Sub-processor's transfer mechanism are available in their respective DPAs (Supabase, Vercel, Lemon Squeezy, and Resend each provide SCCs as part of their standard data processing terms).

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of GDPR to the extent that such limitation is not permitted under applicable law.

14. Term and Amendments

This DPA is effective as long as the Controller uses the Service. MailSentry may update this DPA to reflect changes in law, Sub-processors, or security practices. Material changes will be communicated via the Controller's registered email address. Continued use of the Service after notice constitutes acceptance of the updated DPA.

15. Contact

For questions about this DPA or to exercise any rights described herein, contact us at support@mailsentry.dev.