Data Processing Addendum
Last updated · May 2026
This DPA forms part of your ZenVerifier Terms of Service and applies when we process personal data on your behalf. It’s structured to satisfy the requirements of GDPR Art. 28 and equivalent provisions in UK GDPR, the California Consumer Privacy Act (CCPA), and similar regimes. If you need a counter-signed copy on your paper, email legal@zenverifier.com.
Roles
You are the data controller of any personal data in lists you upload (the email addresses of your contacts, plus any other fields in the CSV). ZenVerifier is the data processor for that data — we process it solely to deliver the verification service and according to your documented instructions (i.e. the act of uploading).
Subject matter, duration, nature, and purpose
- Subject matter: processing of contact email addresses to determine deliverability.
- Duration: for the duration of your subscription, plus the retention windows in our Privacy Policy.
- Nature: automated processing including DNS lookup, SMTP probing via our verification provider, classification, and storage of results.
- Purpose: to provide email-list verification as described in the service documentation.
- Categories of data: email addresses; optionally first/last name, company name, or other CSV columns you choose to include.
- Categories of data subjects: the recipients on the lists you upload.
Sub-processors
We use the following sub-processors to deliver the service. Each operates under its own DPA with us; each link goes to that sub-processor’s privacy/security page.
| Sub-processor | Purpose | Region |
|---|---|---|
| Email verification provider | Email verification engine (GDPR-compliant, EU-region) | EU |
| Stripe | Payment processing, billing | US, EU |
| Clerk | Authentication, session management | US |
| Resend | Transactional email delivery | US |
| Vercel | Application hosting, edge network, Postgres database, blob storage | US, EU |
We’ll notify active subscribers by email at least 30 days before adding or replacing a sub-processor. You can object to any new sub-processor, in which case you may terminate the affected service for a pro-rated refund of unused subscription time.
International transfers
When personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision (notably the US), we rely on Standard Contractual Clauses with the receiving sub-processor and apply supplementary measures (encryption in transit, encryption at rest, principle of least privilege).
Security measures
See our Security page for the specifics. Summary: encryption in transit (TLS 1.2+) and at rest, role-based access control, audit logging, principle of least privilege, separation of duties, regular security review.
Data subject rights
You handle requests from your data subjects directly. If you receive an access, deletion, portability, or objection request relating to data we process for you, we’ll provide reasonable assistance to fulfil it within the timeframes the law requires. Use privacy@zenverifier.com for assistance.
Breach notification
If we become aware of a personal data breach affecting your data, we’ll notify you without undue delay and in any case within 48 hours. Our notice will include the nature of the breach, categories of data affected, likely consequences, and the measures we’ve taken or propose to take.
Audit
Once per year, on reasonable notice and during business hours, you may request a written audit of our data processing practices. We’ll respond by providing relevant security attestations (SOC 2 once available, ISO 27001 once available, sub-processor security questionnaires) plus written answers to specific questions. We don’t allow on-site audits because of the impact on shared infrastructure.
Return and deletion
On termination or your request, we delete or return your personal data within 30 days, retaining only what we’re legally required to keep (billing records, anti-fraud logs).
Contact
Questions about this DPA or to request a counter-signed copy: legal@zenverifier.com.