This Data Processing Agreement ("DPA") forms part of the agreement between BounceZero Ltd ("Processor", "we", "us") and the customer ("Controller", "you") who uses the BounceZero email validation platform. It governs the processing of personal data carried out by us on your behalf, in accordance with the UK General Data Protection Regulation ("UK GDPR"), the EU General Data Protection Regulation ("EU GDPR"), and the Data Protection Act 2018 ("DPA 2018").
1. Definitions
In this DPA, the following terms have the meanings set out below:
- Personal Data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) UK/EU GDPR.
- Processing — any operation performed on Personal Data, including storage, retrieval, analysis, or deletion.
- Controller — the customer who determines the purposes and means of Processing (you).
- Processor — BounceZero Ltd, which processes Personal Data on behalf of the Controller (us).
- Sub-processor — any third party engaged by the Processor to assist in Processing.
- Data Subject — the natural person to whom the Personal Data relates.
- Security Incident — any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Role
When you submit email addresses to BounceZero for verification, you act as the Controller and we act as the Processor. The subject matter, nature, and purpose of Processing are:
- Subject matter: email addresses and associated metadata submitted via the API, dashboard, or bulk upload.
- Nature: syntactic validation, DNS/MX lookup, SMTP probe, catch-all detection, deliverability scoring, and fraud/abuse checks.
- Purpose: to determine whether a given email address is deliverable, valid, or risky, as instructed by the Controller.
- Duration: for the term of your subscription or account, and as required by our retention policy (Section 8).
- Categories of Data Subjects: individuals whose email addresses appear in the Controller's lists.
- Types of Personal Data: email addresses; derived domain, MX, and SMTP metadata; IP addresses used in validation probes.
We do not process Personal Data for any purpose other than performing the verification services you instruct us to perform.
3. Processor Obligations
We shall:
- Process Personal Data only on your documented instructions and not for our own purposes, unless required by applicable law.
- Ensure that personnel authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures (see Section 5).
- Not engage Sub-processors without your prior general written consent (granted by accepting these terms — see Section 4).
- Assist you in fulfilling your obligations to respond to Data Subject rights requests (see Section 6).
- Notify you of any Security Incident without undue delay (see Section 7).
- Delete or return all Personal Data upon termination of the services, at your choice, subject to legal retention requirements (see Section 8).
- Make available all information necessary to demonstrate compliance with this DPA and co-operate with audits conducted by you or your authorised auditor, on reasonable prior written notice.
4. Sub-processors
By accepting this DPA, you grant general written authorisation for us to engage Sub-processors. Current Sub-processors used in email validation include:
| Sub-processor | Purpose | Location |
|---|---|---|
| OVH SAS | Cloud infrastructure & server hosting | France / EU |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | USA (SCCs) |
| Upstash / Redis | Caching & job queue | EU |
| BrightData Ltd | Residential proxy for SMTP probing | Israel (adequacy) |
| Google LLC (Firebase) | Email notification delivery | USA (SCCs) |
| Stripe, Inc. | Payment processing (billing data only) | USA (SCCs) |
We will inform you of any intended changes to Sub-processors by updating this DPA at least 14 days in advance. You have the right to object to new Sub-processors within that period. If you object and we cannot accommodate your objection, you may terminate your account without penalty.
5. Security Measures
We maintain the following technical and organisational measures to protect Personal Data:
- Encryption: all data in transit is encrypted via TLS 1.2+; database backups are encrypted at rest.
- Access control: role-based access to production systems; MFA required for administrative access.
- Network security: firewalled VPS; Nginx with strict security headers; UFW rules limiting inbound ports.
- Monitoring: real-time alerting for anomalous activity; structured logging with 7-day retention.
- Pseudonymisation: API keys and webhook secrets are stored as hashed values.
- Data minimisation: only email addresses and derived metadata necessary for validation are stored; no plaintext passwords are retained.
- Vulnerability management: regular dependency updates; security audits performed periodically.
6. Data Subject Rights
We will assist you in responding to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible. If a Data Subject contacts us directly regarding their Personal Data that you submitted, we will forward the request to you without undue delay.
You are responsible for ensuring you have a lawful basis under UK/EU GDPR for submitting email addresses to BounceZero for verification.
7. Security Breach Notification
In the event of a Security Incident affecting Personal Data you have submitted, we will notify you by email to your registered account address without undue delay and, where feasible, within 72 hours of becoming aware of the incident. The notification will include:
- The nature of the incident and the categories of Personal Data affected.
- The likely consequences of the incident.
- The measures taken or proposed to address the incident.
8. Data Retention and Deletion
Submitted email addresses and their validation results are retained for as long as your account is active, plus up to 90 days after account termination. Upon your written request, or upon account deletion, we will securely erase all Personal Data you submitted, except where retention is required by law or legitimate business interest (e.g., fraud prevention records).
Anonymised aggregate statistics (e.g., domain-level bounce rates) that cannot be linked to any individual may be retained indefinitely.
9. International Data Transfers
Where Personal Data is transferred outside the UK or EEA (e.g., to US-based Sub-processors), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA) as the lawful transfer mechanism. A copy of the applicable SCCs or IDTA is available on request at privacy@bouncezero.io.
10. Liability
Each party's liability under this DPA is subject to and governed by the limitations set out in the BounceZero Terms and Conditions. Nothing in this DPA excludes or limits either party's liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded by law.
11. Contact and Complaints
For data protection enquiries or to exercise your rights under this DPA, contact our Data Protection contact at:
BounceZero Ltd66 Paul Street, London, EC2A 4NA, United Kingdom
Email: privacy@bouncezero.io
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or, for EU residents, with your local supervisory authority.