Data Processing Agreement
Last updated: December 30, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Kawaa ("Processor", "we", "us") and the customer ("Controller", "you") using our email verification services.
This DPA applies where and only to the extent that we process personal data on your behalf in the course of providing our email verification services, and such personal data is subject to data protection laws including the EU General Data Protection Regulation (GDPR), UK GDPR, or California Consumer Privacy Act (CCPA).
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data, including collection, storage, use, and deletion.
- "Data Subject" means the individual to whom personal data relates.
- "Sub-processor" means any third party engaged by us to process personal data on your behalf.
3. Scope of Processing
3.1 Nature and Purpose
We process email addresses submitted by you for the purpose of email verification. This includes:
- Syntax validation of email addresses
- DNS and MX record verification
- SMTP mailbox verification
- Risk scoring and disposable email detection
3.2 Types of Personal Data
Email addresses submitted for verification.
3.3 Categories of Data Subjects
Individuals whose email addresses are submitted for verification by you.
4. Processor Obligations
We shall:
- Process personal data only on your documented instructions
- Ensure persons authorized to process personal data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject requests
- Delete or return personal data upon termination of services, at your choice
- Make available information necessary to demonstrate compliance with this DPA
- Notify you without undue delay of any personal data breach
5. Security Measures
We implement the following security measures to protect personal data:
- Encryption of data in transit using TLS 1.2+
- Encryption of data at rest using AES-256
- Access controls and authentication requirements
- Regular security assessments and monitoring
- Secure infrastructure hosted on AWS with SOC 2 compliance
- Automated data deletion after retention period
6. Sub-processors
You authorize us to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | United States |
| Stripe | Payment processing | United States |
We will notify you of any intended changes to sub-processors, giving you the opportunity to object.
7. Data Retention
We retain verification results in cache for up to 24 hours to improve performance. Email addresses are not stored beyond what is necessary to provide the verification service and maintain audit logs.
Upon termination of services or upon your request, we will delete personal data within 30 days, except where retention is required by law.
8. International Transfers
Our services are hosted in the United States. Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures as required by applicable law
9. Data Subject Rights
We will assist you in responding to requests from data subjects to exercise their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection.
10. Audit Rights
Upon reasonable notice, we will make available information necessary to demonstrate compliance with this DPA and allow for audits conducted by you or an independent auditor.
11. Contact
For questions about this DPA or to exercise your rights, please contact us at privacy@kawaa.com