Data Processing Agreement

Last updated: April 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between MailSentry ("Processor", "we", "us") and the customer ("Controller", "you") who uses the MailSentry API and related services. This DPA applies to the extent that MailSentry processes Personal Data on your behalf as a data processor under the General Data Protection Regulation (EU) 2016/679 ("GDPR").

By using MailSentry, you accept this DPA. If you have a separate, signed DPA with us, that agreement takes precedence over this document where they conflict.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1). In the context of MailSentry, this primarily means email addresses.
  • "Processing" means any operation performed on Personal Data, including validation, analysis, storage, and deletion.
  • "Controller" means you, the customer who determines the purposes and means of processing Personal Data by submitting it to MailSentry.
  • "Processor" means MailSentry, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means a third party engaged by MailSentry to assist in processing Personal Data.

3. Scope and Purpose of Processing

Subject matter

MailSentry provides email validation services via API, bulk validation, email finder, and third-party integrations. The processing consists of receiving email addresses, performing validation checks (syntax, MX records, SMTP verification, disposable detection, quality scoring, and related analyses), and returning results to the Controller.

Duration

Processing continues for the duration of the Controller's use of the Service. Upon account deletion or termination, all Personal Data is permanently deleted in accordance with Section 10.

Types of Personal Data

  • Email addresses submitted for validation
  • Names submitted to the Email Finder feature
  • Validation results (scores, verdicts, issues)
  • Contact data imported via third-party integrations

Categories of data subjects

Individuals whose email addresses are submitted to MailSentry by the Controller — typically the Controller's customers, leads, subscribers, or contacts.

Data retention by service type

  • Single API validation (/v1/verify): Email addresses are processed in memory and discarded immediately after the response is returned. Not stored.
  • Bulk validation: Email addresses and results are stored in the Controller's account for download access. Deleted when the Controller removes the job or deletes their account.
  • Email Finder: Search parameters and discovered email addresses are stored in the Controller's account. Deleted on account deletion.
  • Third-party integrations: Email addresses and validation results synced via integrations (e.g., HubSpot, Mailchimp) are stored as an audit log. Deleted on account deletion.
  • Usage analytics: Aggregate daily validation counts (no email addresses) are retained for 12 months and automatically purged.

4. Processor Obligations

MailSentry shall:

  • Process Personal Data only on documented instructions from the Controller (i.e., as necessary to provide the Service), unless required by applicable law.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organizational security measures (see Section 7).
  • Comply with the conditions for engaging Sub-processors (see Section 6).
  • Assist the Controller in responding to data subject rights requests, to the extent technically feasible (see Section 9).
  • Assist the Controller in ensuring compliance with breach notification, data protection impact assessments, and prior consultation obligations under GDPR Articles 32–36.
  • At the Controller's choice, delete or return all Personal Data upon termination of the Service (see Section 10).
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA.

5. Controller Obligations

The Controller shall:

  • Ensure that there is a valid lawful basis under GDPR Article 6 for submitting Personal Data to MailSentry (typically legitimate interest under Article 6(1)(f) or contract performance under Article 6(1)(b)).
  • Ensure that data subjects have been informed about the processing in accordance with GDPR Articles 13 and 14, including disclosure of MailSentry as a processor in the Controller's own privacy policy.
  • Not submit special category data (GDPR Article 9) or criminal conviction data (GDPR Article 10) to MailSentry, as the Service is not designed to process such data.

6. Sub-processors

The Controller authorizes MailSentry to engage the following Sub-processors to assist in providing the Service:

Sub-processor | Purpose | Location
Supabase Inc. | Database, authentication, user management | United States
Vercel Inc. | Application hosting, serverless compute, edge network | United States (global edge)
Lemon Squeezy LLC | Payment processing and subscription management | United States
Resend Inc. | Transactional email delivery (notifications, alerts) | United States

MailSentry will notify the Controller before adding or replacing Sub-processors by updating this page. The Controller may object to a new Sub-processor by contacting support@mailsentry.dev within 30 days of the update. If the objection cannot be resolved, the Controller may terminate the Service.

7. Security Measures

MailSentry implements the following technical and organizational measures to protect Personal Data:

  • Encryption in transit: All API traffic and web requests are encrypted via HTTPS/TLS.
  • Encryption at rest: Database storage is encrypted at rest via the infrastructure provider (Supabase/AWS).
  • API key security: API keys are hashed using SHA-256 before storage. Plaintext keys are never stored or logged.
  • Password security: User passwords are hashed using bcrypt via Supabase Auth.
  • Access control: Row-level security (RLS) policies ensure users can only access their own data. Administrative access is limited to the minimum necessary.
  • Transient processing: For single API validations, email addresses are processed in memory only and never written to persistent storage.
  • Minimal data retention: Usage analytics are automatically purged after 12 months. Feature-specific data (bulk results, finder results) is retained only as long as the Controller's account is active.

8. Data Breach Notification

In the event of a Personal Data breach, MailSentry will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33. The notification will include:

  • The nature of the breach, including the categories and approximate number of data subjects and records affected
  • The likely consequences of the breach
  • The measures taken or proposed to address and mitigate the breach
  • The contact point for further information

MailSentry will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

9. Data Subject Rights

MailSentry will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, and objection) to the extent technically feasible. For single API validations, no email data is retained, so no action is required. For bulk validation, email finder, and integration data, the Controller can access and delete their data directly from the MailSentry dashboard, or request assistance at support@mailsentry.dev.

Controllers can also use the "Download My Data" feature (Account Settings → Data & Privacy) to export all stored data in machine-readable JSON format, supporting GDPR Article 20 (data portability).

10. Data Deletion and Return

Upon termination of the Service or at the Controller's request:

  • Data export: The Controller may export all their data via the dashboard before account deletion.
  • Account deletion: When the Controller deletes their account (Dashboard → Account Settings → Delete Account), all Personal Data — including API keys, usage logs, bulk validation results, finder results, integration data, team invites, and account information — is permanently deleted.
  • Automatic purge: Usage analytics data older than 12 months is automatically deleted by a scheduled process, regardless of account status.

11. Audit Rights

The Controller has the right to verify MailSentry's compliance with this DPA. Upon reasonable written request (no more than once per year), MailSentry will provide relevant information, documentation, or access necessary to demonstrate compliance. Audits shall be conducted with reasonable advance notice and in a manner that does not disrupt MailSentry's operations or compromise the security or confidentiality of other customers' data.

12. International Data Transfers

Personal Data may be processed in the United States and other countries where our Sub-processors operate. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries without an adequacy decision, MailSentry relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent transfer safeguards provided by each Sub-processor.

Details of each Sub-processor's transfer mechanism are available in their respective DPAs (Supabase, Vercel, Lemon Squeezy, and Resend each provide SCCs as part of their standard data processing terms).

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of GDPR to the extent that such limitation is not permitted under applicable law.

14. Term and Amendments

This DPA is effective as long as the Controller uses the Service. MailSentry may update this DPA to reflect changes in law, Sub-processors, or security practices. Material changes will be communicated via the Controller's registered email address. Continued use of the Service after notice constitutes acceptance of the updated DPA.

15. Contact

For questions about this DPA or to exercise any rights described herein, contact us at support@mailsentry.dev.