Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the ValidKit Terms of Service and applies when ValidKit processes Personal Data on behalf of Customer.

This DPA complies with the EU General Data Protection Regulation (GDPR) Article 28 requirements for data processors.

1. Definitions

• Controller: The Customer (you), who determines the purpose and means of processing Personal Data
• Processor: ValidKit Inc., who processes Personal Data on behalf of the Controller
• Personal Data: Email addresses submitted for validation via the ValidKit API
• Processing: Validation operations performed by ValidKit API (format validation, DNS checks, disposable email detection, etc.)
• Sub-processors: Third-party services used by ValidKit to provide the Service
• Data Subject: The individual whose email address is being validated

2. Scope and Roles

Customer Role (Data Controller)

As the Data Controller, Customer determines:

• The purpose of email validation (e.g., preventing fraud, improving data quality)
• Which email addresses to submit for validation
• Legal basis for processing under GDPR (e.g., legitimate interest, contract performance)

ValidKit Role (Data Processor)

As the Data Processor, ValidKit will:

• Process email addresses only as instructed by Customer via API requests
• Implement appropriate technical and organizational security measures
• Assist Customer in meeting GDPR compliance obligations
• Not use Personal Data for any purpose other than providing the Service

3. Data Processing Instructions

ValidKit will only process Personal Data:

• As documented in the API reference at docs.validkit.com
• As necessary to provide the email validation Service
• As instructed by Customer via API requests
• In compliance with applicable data protection laws (GDPR, CCPA, etc.)

If ValidKit believes an instruction violates GDPR or other applicable laws, ValidKit will immediately inform Customer.

4. Confidentiality

ValidKit ensures that all personnel with access to Personal Data:

• Are subject to confidentiality obligations (contractual or statutory)
• Receive appropriate training on data protection and security
• Access Personal Data only on a need-to-know basis
• Are bound by ValidKit's security policies and procedures

5. Security Measures

ValidKit implements the following technical and organizational security measures to protect Personal Data:

Technical Measures

• Encryption: TLS 1.3 for all data in transit
• Access Control: API key authentication with bcrypt hashing
• Data Minimization: Email addresses processed in-memory only, not stored permanently
• Logging Protection: Email addresses hashed (SHA-256) before logging
• Cache: 30-day maximum retention for cached validation results
• Rate Limiting: Multi-layer rate limiting to prevent abuse

Organizational Measures

• Access Management: Role-based access control, principle of least privilege
• Security Training: Regular security awareness training for all personnel
• Incident Response: Documented breach notification procedures
• Monitoring: Real-time security monitoring and alerting

For more details, see our Security page.

6. Sub-Processors

ValidKit uses the following sub-processors to provide the Service:

Sub-Processor Changes

ValidKit will notify Customer at least 30 days before adding or replacing sub-processors. Customer may object to changes within 30 days of notification. If Customer objects, ValidKit will work with Customer to address concerns or allow contract termination without penalty.

7. Data Subject Rights

ValidKit will assist Customer in responding to Data Subject requests under GDPR:

Rights Supported

• Right to Access: Export data via API or email request
• Right to Erasure: Delete data via API or email to [email protected]
• Right to Portability: JSON export available via API
• Right to Rectification: Update account data via Dashboard

How to Exercise Rights

• API: DELETE /api/v1/privacy/delete-my-data
• Email: [email protected]
• Response Time: Within 30 days of request

For more details, see our GDPR Compliance page.

8. Data Deletion and Return

Upon termination of the Service or Customer request:

Deletion Timeline

• Validation Results Cache: Automatically deleted after 30 days
• Account Data: Deleted within 30 days of account closure
• Application Logs: Deleted within 30 days (hashed emails only)
• Billing Records: Retained for 7 years per tax law requirements

Data Return

Before deletion, Customer may export data via:

• API: GET /api/v1/privacy/export
• Dashboard: Account Settings → Export Data
• Email request: [email protected]

Deletion Certification

Upon request, ValidKit will provide written certification that all Personal Data has been deleted from production systems and backups.

9. Audits and Compliance

Audit Rights

Customer may audit ValidKit's compliance with this DPA once annually, subject to:

• 30 days advance written notice
• Reasonable business hours
• Non-disclosure agreement for confidential information
• Customer bears all audit costs unless material non-compliance found

Compliance Reports

ValidKit provides:

• SOC 2 Reports: Target Q2 2026 (currently in progress)
• Security Documentation: Available at /security
• Sub-Processor Certifications: Available upon request for Enterprise customers

10. Data Breach Notification

In the event of a Personal Data breach affecting Customer data:

Notification Timeline

• Initial Notification: Within 72 hours of discovery
• Notification Method: Email to Customer's registered email address
• Follow-up: Updates provided as investigation progresses

Breach Information Provided

ValidKit will provide:

• Nature of the breach and categories of data affected
• Approximate number of Data Subjects and data records affected
• Contact point for more information
• Likely consequences of the breach
• Measures taken or proposed to address the breach

Customer Responsibilities

Customer is responsible for:

• Notifying affected Data Subjects if required by law
• Notifying relevant supervisory authorities (e.g., ICO, CNIL)
• Determining if breach notification is required under applicable law

11. International Data Transfers

Processing Location

Primary data processing occurs in the United States (Vercel US East region).

EU Data Transfers

For transfers of Personal Data from the EU/EEA to the United States:

• Transfer Mechanism: Standard Contractual Clauses (SCCs) adopted by EU Commission Decision 2021/914
• SCC Module: Controller-to-Processor (Module 2)
• SCC Copy: Available upon request via [email protected]
• Supplementary Measures: Encryption in transit (TLS 1.3), data minimization, hashed logging

UK Data Transfers

UK Addendum to Standard Contractual Clauses available upon request for UK customers.

12. Liability and Indemnification

Each party is liable for its own GDPR compliance obligations:

• Customer Liability: Determining legal basis for processing, obtaining necessary consents, providing privacy notices
• ValidKit Liability: Implementing appropriate security measures, assisting with data subject requests, breach notification

Indemnification

ValidKit will indemnify Customer for GDPR fines or penalties resulting from ValidKit's breach of this DPA, subject to limitations in the Terms of Service.

13. Term and Termination

This DPA:

• Begins on the effective date of the Terms of Service
• Remains in effect while ValidKit processes Personal Data on Customer's behalf
• Survives termination for data deletion obligations, confidentiality, and liability provisions

14. Governing Law

This DPA is governed by:

• General Terms: Laws of California, United States
• GDPR Provisions: EU data protection law where applicable
• Conflict: GDPR provisions prevail for EU/EEA customers

15. Contact Information

Questions about this DPA or need a countersigned copy?

• Email: [email protected]
• Privacy Requests: [email protected]
• Enterprise Customers: Countersigned DPA available upon request