Data Processing Agreement
Last updated: February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Mailcaff (Gianni Pisa, KvK: 96633794) ("Processor", "we", "us") and the customer using the Service ("Controller", "you"). This DPA applies where we process personal data on your behalf in connection with the email verification and email finding services provided through the Mailcaff API and dashboard.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, as defined in GDPR Article 4(2).
- "Data Subject" means the individual whose Personal Data is being processed.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
2. Scope and Purpose of Processing
We process Personal Data solely for the purpose of providing the Service to you:
- Email verification: We receive email addresses you submit via the API or dashboard, verify their deliverability, and return the results. Email addresses are processed in real time and cached temporarily to improve performance.
- Email finding: We receive names and domain information, generate candidate email addresses, verify them, and return found addresses.
- Usage logging: We log API requests (including email addresses checked) for billing, debugging, and abuse prevention.
2.1 Categories of Personal Data
- Email addresses submitted for verification or generated through the finder service
- Names and domain information submitted for the email finder service
2.2 Categories of Data Subjects
- Contacts, leads, or individuals whose email addresses the Controller submits for verification or finding
3. Controller Obligations
You represent and warrant that:
- You have a lawful basis (under GDPR Article 6) for processing the Personal Data you submit to the Service.
- You have provided any required notices and obtained any required consents for the transfer and processing of Personal Data through the Service.
- You will not submit special category data (as defined in GDPR Article 9) to the Service.
- Your use of the Service complies with the Acceptable Use Policy.
4. Processor Obligations
We shall:
- Process Personal Data only on your documented instructions and only for the purposes described in this DPA.
- Ensure that all personnel authorized to process Personal Data are bound by obligations of confidentiality.
- Implement appropriate technical and organizational security measures (see Section 6).
- Not engage any Sub-processor without prior notification (see Section 5).
- Assist you in responding to Data Subject requests (access, erasure, portability, etc.).
- Delete or return all Personal Data upon termination of the Service, unless legal obligations require retention.
- Make available all information necessary to demonstrate compliance with GDPR Article 28 obligations.
5. Sub-processors
We use the following Sub-processors to provide the Service. By agreeing to this DPA, you authorize us to engage these Sub-processors:
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Vultr | Cloud infrastructure / VPS hosting | Netherlands (Amsterdam) | All service data (encrypted at rest) |
| Reacher (self-hosted) | SMTP verification engine | Netherlands (same VPS) | Email addresses for verification |
| Stripe | Payment processing | USA (EU data in EU) | Customer name, email, payment info |
| Resend | Transactional email delivery | USA | Customer email (for account emails only) |
We will notify you of any intended changes to Sub-processors by updating this page. If you object to a new Sub-processor, you may terminate the Service by cancelling your subscription within 30 days of the notification.
6. Security Measures
We implement the following technical and organizational measures to protect Personal Data:
- Encryption in transit: All connections to the API and dashboard use TLS 1.2+.
- Encryption at rest: Database stored on encrypted VPS storage.
- Access control: SSH key-based server access. No shared passwords. Admin panel secured with bcrypt-hashed credentials.
- Password security: Customer passwords are hashed with bcrypt and never stored in plain text.
- API key security: API keys are stored as SHA-256 hashes. Full keys are shown only once at creation.
- Data minimization: We only process data necessary to provide the Service. No tracking cookies or third-party analytics.
- Automatic data cleanup: Verification cache entries expire and are automatically deleted. Usage logs are retained for a maximum of 90 days.
- Network security: Firewall rules restrict server access. Rate limiting prevents abuse.
7. Data Retention
- Verification cache: Results cached for up to 7 days (safe/invalid) or 24 hours (catch-all/unknown). Entries older than 30 days are automatically purged.
- Usage logs: API request logs (including email addresses checked) are retained for a maximum of 90 days, then automatically deleted.
- Account data: Retained while your account is active. Permanently deleted within 30 days of account deletion.
- Bulk job results: Stored for 30 days after completion, then deleted.
8. Data Subject Rights
If a Data Subject contacts us directly to exercise their rights (access, erasure, rectification, portability, restriction, or objection), we will promptly notify you and cooperate with you to fulfill the request within the timelines required by GDPR.
You can manage your own account data through the dashboard:
- Data export: Dashboard → Settings → Export My Data (JSON format)
- Account deletion: Dashboard → Settings → Delete Account (permanent, immediate)
9. Data Breach Notification
In the event of a Personal Data breach (as defined in GDPR Article 4(12)), we will:
- Notify you within 72 hours of becoming aware of the breach, via the email address associated with your account.
- Provide details including: the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
- Cooperate with you in investigating and mitigating the breach, and in fulfilling your obligations to notify supervisory authorities and Data Subjects under GDPR Articles 33 and 34.
- Document all breaches, including facts, effects, and corrective actions taken, in accordance with GDPR Article 33(5).
10. International Transfers
Our primary infrastructure is located in the Netherlands (EU). Where Personal Data is transferred outside the EEA (e.g., to Stripe or Resend in the USA), such transfers are protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) as adopted by the European Commission, or the recipient's participation in recognized data protection frameworks.
11. Audits
Upon reasonable written request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. You may conduct an audit (or appoint a qualified third-party auditor) no more than once per year, with at least 30 days' written notice, during normal business hours.
12. Term and Termination
This DPA is effective for as long as you use the Service. Upon termination of the Service (by either party), we will delete all Personal Data processed on your behalf within 30 days, unless legal obligations require otherwise. You may request an export of your data before termination.
13. Governing Law
This DPA is governed by the laws of the Netherlands. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of the Netherlands.
14. Contact
For questions about this DPA or to exercise data protection rights:
Email: support@mailcaff.com
Website: mailcaff.com