Data Processing Agreement

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the Mailsfinder Terms of Service between:

• Data Controller: The customer entity accessing the Mailsfinder platform
• Data Processor: Mailsfinder

This DPA applies wherever Mailsfinder processes personal data on behalf of the Controller in connection with the provision of the email finding and verification services.

2. Nature and Purpose of Processing

Mailsfinder processes personal data to provide the following services:

• Finding professional email addresses based on name and domain inputs
• Verifying the deliverability and validity of email addresses
• Providing API access to email finding and verification capabilities
• Storing processing results for customer retrieval

3. Types of Personal Data Processed

The categories of personal data processed include:

• Professional email addresses
• Full names of professionals
• Job titles and company affiliations
• Company domain names and associated data

This data relates to employees, contractors, and business contacts of the Controller's target accounts. Special categories of data (as defined in GDPR Article 9) are not processed.

4. Duration of Processing

Processing shall continue for the duration of the active Mailsfinder subscription. Upon termination, Mailsfinder will cease processing and delete or return all personal data within 30 days, subject to any legal retention obligations.

5. Controller Obligations

The Controller warrants that it:

• Has a lawful basis for instructing Mailsfinder to process the personal data
• Will ensure data subjects have been informed about the processing where required
• Will obtain any necessary consents before submitting data for processing
• Will implement appropriate technical and organizational security measures
• Will notify Mailsfinder promptly of any changes to applicable law that may affect processing

6. Processor Obligations

Mailsfinder agrees to:

• Process personal data only on documented instructions from the Controller
• Ensure persons authorized to process data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in fulfilling data subject rights requests
• Notify the Controller of any personal data breach within 48 hours of becoming aware
• Delete or return all personal data upon termination of services
• Maintain records of processing activities as required by Article 30

7. Sub-Processors

The Controller provides general authorization for Mailsfinder to engage sub-processors listed in our GDPR compliance page. Mailsfinder will:

• Notify the Controller of any intended changes to sub-processors with at least 10 days notice
• Impose data protection obligations on sub-processors equivalent to those in this DPA
• Remain liable to the Controller for the performance of sub-processors

8. Security Measures

Mailsfinder implements the following technical and organizational measures:

• Encryption of personal data in transit using TLS 1.3
• Encryption of personal data at rest using AES-256
• Access controls and least-privilege principles for all staff
• Regular security training for personnel
• Annual penetration testing by qualified third parties
• Incident response and breach notification procedures

9. Data Subject Rights Assistance

Mailsfinder will assist the Controller in responding to data subject rights requests by:

• Providing data subject request forms and handling procedures
• Responding to Controller requests within 5 business days
• Providing all necessary information to enable the Controller to respond within GDPR timeframes

10. Audit Rights

The Controller may audit Mailsfinder's compliance with this DPA no more than once per year upon 30 days written notice. Audits shall be conducted during normal business hours, at the Controller's expense, and shall not unreasonably interfere with Mailsfinder's operations.

Mailsfinder may satisfy audit requests by providing current third-party security certifications (ISO 27001, SOC 2) in lieu of on-site audits.