Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Terms of Service (“Agreement”) between Review My Emails (“Processor,” “we,” “us”) and the customer (“Controller,” “you”) and governs the processing of personal data in connection with our email list cleaning services.

This DPA incorporates the requirements of the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and other applicable data protection laws.

1. Definitions

Terms not defined herein have the meanings given in the GDPR or, where applicable, other Data Protection Laws.

  • “Customer Data” means any personal data that we process on your behalf in connection with the Services.
  • “Data Protection Laws” means the GDPR, UK GDPR, CCPA, and any other applicable data protection legislation.
  • “Processing” means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • “Sub-processor” means any third party engaged by us to process Customer Data.
  • “Data Subject” means the individual whose personal data is being processed.

2. Scope and Roles

2.1 Controller and Processor

For the purposes of this DPA:

  • You act as the Controller of Customer Data.
  • We act as the Processor of Customer Data on your behalf.

2.2 Processing Details

Subject MatterEmail list validation and cleaning services
DurationFor the duration of the Agreement plus any retention periods specified in our Privacy Policy
Nature and PurposeTo verify email addresses, identify risky contacts, and provide cleaned list files
Types of Personal DataEmail addresses, and any additional data fields you include in uploaded lists (names, metadata)
Categories of Data SubjectsYour customers, subscribers, contacts, or other individuals whose email addresses are in your lists

3. Controller Obligations

You represent and warrant that:

  • You have obtained all necessary consents and legal bases for processing the Customer Data.
  • Customer Data was collected in compliance with applicable Data Protection Laws.
  • You have the right to transfer Customer Data to us for processing.
  • Your instructions comply with Data Protection Laws.
  • You will not upload sensitive personal data (Article 9 GDPR categories) unless we have explicitly agreed.

4. Processor Obligations

We commit to:

  • Lawful Processing: Process Customer Data only on your documented instructions, unless required by law.
  • Confidentiality: Ensure all personnel processing Customer Data are bound by confidentiality obligations.
  • Security: Implement appropriate technical and organizational measures to protect Customer Data.
  • Sub-processing: Not engage sub-processors without your prior authorization (see Section 6).
  • Assistance: Assist you in responding to data subject requests and meeting your compliance obligations.
  • Deletion: Delete or return Customer Data upon termination of the Agreement, unless retention is required by law.
  • Audit: Make available information necessary to demonstrate compliance with this DPA.

5. Security Measures

We implement the following security measures:

Technical Measures

  • TLS 1.3 encryption for data in transit.
  • AES-256 encryption for data at rest.
  • Regular security assessments and penetration testing.
  • Access controls and authentication requirements.
  • Automated monitoring and intrusion detection.
  • Regular backups and disaster recovery procedures.

Organizational Measures

  • Employee background checks and confidentiality agreements.
  • Security awareness training.
  • Incident response procedures.
  • Vendor security assessments.

6. Sub-processors

You authorize us to engage the following sub-processors:

Sub-processorPurpose
MongoDB, Inc.Database hosting and storage (US/EU)
Stripe, Inc.Payment processing
Vercel Inc.Application hosting
Google LLCFile storage and delivery (Google Drive)
Sendinblue (Brevo)Transactional email delivery
Bouncer (UseBouncer)Email address verification

We will notify you of any intended changes to sub-processors at least 30 days in advance. You may object to a new sub-processor by terminating the Agreement.

7. International Data Transfers

When Customer Data is transferred outside the European Economic Area (EEA), UK, or Switzerland, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We incorporate the EU Commission’s 2021 SCCs into agreements with sub-processors.
  • Data Privacy Framework: Where applicable, we rely on certifications under the EU-US Data Privacy Framework.
  • Adequacy Decisions: We may transfer data to countries with EU adequacy decisions.

Upon request, we will provide copies of relevant data transfer mechanisms.

8. Data Subject Rights

We will assist you in responding to data subject requests, including:

  • Access requests.
  • Rectification requests.
  • Erasure requests (“right to be forgotten”).
  • Data portability requests.
  • Objection to processing.
  • Restriction of processing.

If we receive a request directly from a data subject, we will promptly notify you unless prohibited by law.

9. Data Breach Notification

In the event of a personal data breach affecting Customer Data, we will:

  • Notify you without undue delay and within 72 hours of becoming aware of the breach.
  • Provide information about the nature of the breach, categories of data affected, and likely consequences.
  • Describe measures taken or proposed to address the breach.
  • Cooperate with you in investigating and mitigating the breach.
  • Assist you in meeting your notification obligations to supervisory authorities and data subjects.

10. Data Protection Impact Assessments

Upon request, we will provide reasonable assistance to help you conduct Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required by Data Protection Laws.

11. Audit Rights

Upon reasonable notice, you may audit our compliance with this DPA. We will:

  • Provide access to relevant documentation and records.
  • Allow audits or inspections by you or an independent auditor.
  • Cooperate with supervisory authority audits.

Audits shall be conducted during business hours, with reasonable notice, and subject to confidentiality obligations.

12. Term and Termination

This DPA remains in effect for the duration of the Agreement. Upon termination:

  • We will delete Customer Data within 30 days, unless retention is required by law.
  • Upon request, we will certify deletion in writing.
  • Provisions that by their nature should survive will remain in effect.

13. Liability

Liability under this DPA is subject to the limitations set forth in the Agreement. Each party is liable for damages caused by its breach of Data Protection Laws or this DPA.

Need a Signed DPA?

Enterprise customers requiring a countersigned DPA can request one by contacting our legal team at legal@reviewmyemails.com.

14. Contact Information

For questions about this DPA or data protection matters:

Last updated: June 12, 2026. We try to keep changes minor and announce big ones in our newsletter so you can see what changed and when.