This Data Processing Agreement (the “DPA”) forms part of and is incorporated into the Terms of Service (the “Agreement”) between Postelist (“Postelist”, the “Processor”) and the customer identified in the Agreement (the “Customer”, the “Controller”, “you”) and applies whenever Postelist processes Personal Data on the Customer’s behalf in connection with the Service. By using the Service, the Customer accepts and is bound by this DPA. Where required by Article 28 of the EU GDPR, the UK GDPR, or equivalent law, this DPA is the written contract referred to therein.
Postelist is established in Hong Kong. The Service is offered globally and processes Personal Data in jurisdictions whose privacy regimes include, without limitation, the EU General Data Protection Regulation (Regulation (EU) 2016/679, “EU GDPR”), the UK General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland (“UK GDPR”), the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”), the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), and the Australian Privacy Act 1988 (collectively, “Data Protection Laws”).
1. Definitions
Capitalised terms not defined in this DPA have the meaning given in the Agreement or, if not defined there, in the applicable Data Protection Law. The following additional definitions apply:
- “Customer Personal Data” means Personal Data that Postelist processes on the Customer’s behalf under the Agreement, comprising the email addresses, sending domains, IP addresses, and associated metadata that the Customer or its authorised users submit to the Service for verification, diagnostic, or blocklist-monitoring purposes, together with any related verdict, reason code, or audit metadata generated by the Service in respect of those inputs.
- “Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates, including the natural persons whose email addresses the Customer submits to the Service.
- “Personal Data Breach” has the meaning given in Article 4(12) of the EU/UK GDPR and includes any equivalent breach under other Data Protection Laws.
- “Restricted Transfer” means any transfer of Personal Data from a jurisdiction whose Data Protection Law restricts cross-border transfers to a jurisdiction not deemed to provide an adequate level of protection under that law.
- “Service-Improvement Processing” has the meaning given in Section 6.
- “Standard Contractual Clauses” or “SCCs” means (i) the EU Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (controller-to-processor); and (ii) the UK International Data Transfer Addendum issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 (the “UK IDTA”), in each case as updated or replaced from time to time.
- “Sub-processor” means any third party engaged by Postelist to process Customer Personal Data on the Customer’s behalf, including the entities listed in Annex 3.
2. Subject Matter, Duration, Nature, and Purpose
The subject matter of the processing is the verification, deliverability assessment, and operational diagnostics of email addresses, sending domains, and IPs that the Customer submits to the Service. The duration is the term of the Agreement plus the retention periods set out in this DPA and in the Privacy Policy. The nature of the processing comprises automated query, classification, transmission to mailbox providers and DNS-based blocklists, storage of inputs and outputs, security and anti-abuse monitoring, and Service-Improvement Processing as defined in Section 6. The purpose is to provide the Service to the Customer in accordance with the Customer’s documented instructions. The categories of Data Subjects and the types of Personal Data processed are described in Annex 1.
3. Roles of the Parties; Documented Instructions
The Customer is the Controller (or, under the PDPO, the Data User) of Customer Personal Data and Postelist is the Processor (or, under the PDPO, a Data Processor acting on the Customer’s behalf). Postelist will process Customer Personal Data only on the Customer’s documented instructions, which are set out in this DPA, the Agreement, the configuration the Customer selects in the dashboard or via the API, the Customer’s submission of an address, domain, or IP for processing, and any subsequent written instructions reasonably necessary to perform the Service.
Postelist will inform the Customer if, in its opinion, an instruction infringes applicable Data Protection Law, and will not be obliged to follow an instruction that, in its reasonable opinion, would cause it to violate applicable law. The Customer is responsible for the legality of its instructions and for the lawful basis on which it submits Customer Personal Data, including the provision of any privacy notices and the procurement of any consents required of it under Section 4 of the Agreement and Section 9 of the Privacy Policy.
4. Confidentiality of Personnel
Postelist will ensure that personnel authorised to process Customer Personal Data are bound by written confidentiality undertakings and have received appropriate training in the handling of Personal Data. Access to systems containing Customer Personal Data is granted on a need-to-know, least-privilege basis, is logged, and is periodically reviewed.
5. Security Measures
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to Data Subjects, Postelist has implemented and will maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Those measures are described in Annex 2 and include, at minimum, encryption of Customer Personal Data in transit, key-derivation hashing of credentials, segmented production networks, scoped API keys, role-based access controls, audit logging, regular patching, vulnerability management, and a documented incident-response process.
6. Service-Improvement Processing – Aggregated and Domain-Level Review
The Customer expressly authorises Postelist to process Customer Personal Data, in addition to performing the verification or check requested, for the limited purpose of operating, securing, monitoring, and improving the accuracy and quality of the Service (“Service-Improvement Processing”), subject at all times to the access controls in this Section.
Domain-level and aggregate review. Postelist’s engineers and its automated systems do not, in the ordinary course, read the local-part of any individual Customer-submitted email address for diagnostic, accuracy-monitoring, or product-improvement purposes. Service-Improvement Processing is performed against aggregate signals, including without limitation: counts of verdicts grouped by domain, mailbox-provider type, MX hostname, time window, response code, and reason code; statistics describing the proportion of verdicts that are deliverable, undeliverable, uncertain, or marked catch-all; and patterns of provider responses that indicate a verifier issue. These signals are used to detect, investigate, and remediate defects (including catch-all false positives, oracle drift, and provider-API contract changes) and to refine classification heuristics. The Customer acknowledges that this level of review constitutes processing of Customer Personal Data within the meaning of Data Protection Laws because the underlying rows remain associated with the Customer’s account, but that the local-part of any specific address is not surfaced to a human reviewer during such routine diagnostic processing.
Targeted record access. Targeted access to one or more specific Customer-submitted addresses (including reading the local-part of an address) is permitted only where (i) the Customer has authorised the access in writing, including by submission of a support ticket that identifies the records in question; (ii) the access is strictly necessary to investigate a Personal Data Breach, a security incident, or a credible abuse complaint affecting the Customer’s account, the Service, a mailbox provider, or another party; (iii) the access is required to comply with valid legal process or applicable law; or (iv) the access is required to honour a Data Subject Request that the Customer has asked Postelist to assist with under Section 9. Targeted access events are logged and retained for at least twenty-four (24) months.
No marketing, no enrichment, no resale. Postelist will not use Customer Personal Data, in identifiable form, to send marketing communications, to enrich third-party datasets, to construct profiles of Data Subjects, or to provide services to any other Postelist customer. Postelist will not sell or rent Customer Personal Data to any third party.
Aggregated signals retained beyond the Customer’s account. Statistics, aggregates, accuracy benchmarks, and de-identified or anonymised signals derived from Service-Improvement Processing may be retained by Postelist indefinitely and may be used to operate, secure, and improve the Service, to publish accuracy benchmarks, and to train internal classification models, including after termination of the Agreement. To qualify, such signals must not, alone or in combination with information reasonably likely to be available to Postelist, identify any Data Subject.
The Customer’s authorisation of Service-Improvement Processing is a material consideration for Postelist’s provision of the Service at the prices charged. Where the Customer reasonably objects to Service-Improvement Processing on a specific basis recognised under Data Protection Law, the parties will discuss a proportionate alternative; failing agreement, either party may terminate the Agreement on thirty (30) days’ written notice.
7. Sub-processors
The Customer grants Postelist a general written authorisation to engage Sub-processors to assist in providing the Service. Postelist will impose contractual data-protection obligations on each Sub-processor that are no less protective than those in this DPA, including with respect to confidentiality, security, and international transfers, and will remain liable to the Customer for the acts and omissions of its Sub-processors as if they were Postelist’s own.
A current list of Sub-processors is set out in Annex 3 and is published at this page. Postelist will give the Customer at least thirty (30) days’ prior notice of the addition or replacement of a Sub-processor that materially affects the processing of Customer Personal Data, by updating Annex 3 and, where the Customer has subscribed to such notices, by email. The Customer may object to a proposed change on reasonable, documented data-protection grounds within that notice period; if the parties cannot agree on a remedy, the Customer’s sole remedy is to terminate the Agreement on written notice and receive a pro-rata refund of any prepaid fees attributable to the period after the termination date. Continued use of the Service after the notice period constitutes acceptance of the Sub-processor change.
Where Customer-submitted data is transmitted to a mailbox provider or to a DNS Block List operator solely to perform the verification or check the Customer has requested, the recipient of that transmission is acting in its own capacity (as a separate controller of, or as the public infrastructure responsible for, the relevant directory) and is not a Sub-processor for the purposes of this Section.
8. Personal Data Breach
Postelist will notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Personal Data, by email to the address registered to the Customer’s account or by such other means as the parties have agreed. The notification will include, to the extent reasonably available at the time and on a rolling basis as more information emerges, the nature of the breach, the categories and approximate number of records and Data Subjects affected, the likely consequences, the measures taken or proposed to address the breach, and a contact for further information. Postelist will reasonably co-operate with the Customer’s investigation of and response to the breach. Postelist’s notification or response is not, and will not be construed as, an acknowledgement by Postelist of fault or liability.
9. Assistance with Data Subject Requests
Postelist will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer’s obligation to respond to requests by Data Subjects exercising rights under Data Protection Laws (each, a “Data Subject Request”). If Postelist receives a Data Subject Request directly from a Data Subject in respect of Customer Personal Data, Postelist will, without responding to the substance of the request, refer the Data Subject to the Customer and notify the Customer that the request has been received. The Customer remains responsible for evaluating, responding to, and substantively resolving Data Subject Requests.
Postelist will also, taking into account the nature of the processing and the information available to it, reasonably assist the Customer with data-protection impact assessments and prior consultations with supervisory authorities under Articles 35 and 36 of the EU/UK GDPR (or equivalent provisions of other Data Protection Laws). Postelist may charge a reasonable fee, scaled to the actual administrative cost incurred, for assistance that materially exceeds the Customer’s reasonable expectations or that is requested with disproportionate frequency.
10. International Data Transfers
Postelist operates infrastructure and engages Sub-processors in multiple jurisdictions. Where the performance of the Service requires a Restricted Transfer of Customer Personal Data, the parties agree that:
- EU GDPR transfers. The EU SCCs (Module Two, controller-to-processor) are incorporated into and form part of this DPA by reference. The Customer is the “data exporter”, Postelist is the “data importer”, and the SCCs apply with the following selections: Clause 7 (docking) is included; Clause 9(a) Option 2 (general written authorisation) applies with the notice period in Section 7; the Clause 11(a) option (independent dispute resolution) is not selected; Clause 17 (governing law) elects the law of the Republic of Ireland; Clause 18(b) (forum) elects the courts of Ireland; and the descriptions required by Annexes I, II, and III of the SCCs are populated by Annex 1, Annex 2, and Annex 3 of this DPA respectively.
- UK GDPR transfers. The UK IDTA, in the form approved by the UK Information Commissioner, is incorporated into and forms part of this DPA by reference. Tables 1, 2, and 3 of the UK IDTA are populated by, and read in conjunction with, the corresponding Annexes of this DPA.
- PDPO transfers. Where the PDPO would, if and when section 33 of the PDPO is brought into force or where the relevant data is otherwise subject to cross-border transfer constraints, restrict an outbound transfer, Postelist will rely on the recipient’s contractual commitment in this DPA and, to the extent applicable, on the recommended model contractual clauses issued by the Hong Kong Office of the Privacy Commissioner for Personal Data.
- Other regimes. For transfers subject to other Data Protection Laws restricting cross-border transfer, the parties will reasonably co-operate to put in place such mechanism as is required to make the transfer lawful, including approved standard or model clauses, certifications, or binding corporate rules.
In the event of a conflict between the SCCs (or the UK IDTA) and any other provision of this DPA or the Agreement, the SCCs (or the UK IDTA) prevail to the extent of the conflict and only with respect to the Restricted Transfers they govern.
11. Audit and Inspection
Postelist will make available to the Customer all information necessary to demonstrate compliance with this DPA, including the obligations laid down in Article 28 of the EU/UK GDPR. The parties agree the following two-tier audit process, which is intended to give the Customer meaningful means of verifying Postelist’s compliance while protecting Postelist’s operations and the confidentiality of other customers’ data.
11.1 Information requests (no notice period). In the first instance, the Customer’s right to verify Postelist’s compliance with this DPA is satisfied by Postelist providing, on reasonable written request and without charge: (a) this DPA; (b) the Privacy Policy and related policies published at postelist.com; (c) descriptions of the technical and organisational measures in Annex 2; (d) the current Sub-processor list in Annex 3; and (e) any third-party assurance reports, certifications, penetration-test summaries, or audit summaries that Postelist holds from time to time, including without limitation SOC 2 reports and ISO/IEC 27001 certifications, in each case redacted as reasonably necessary to protect Postelist’s and other customers’ confidential information. Postelist will respond to such requests promptly and in any event within thirty (30) days.
11.2 On-site audits (six months’ notice). If, after receiving and reviewing the materials in Section 11.1, the Customer reasonably requires further information to satisfy a specific data-protection compliance question that cannot be answered through those materials, the Customer may, at its own cost, conduct an on-site audit of Postelist’s data-protection controls relevant to the Service. Such an on-site audit shall be conducted:
- on not less than six (6) months’ prior written notice to legal@postelist.com;
- no more than once in any twelve (12) month period;
- during normal business hours and in a manner that does not unreasonably interfere with Postelist’s operations;
- pursuant to an audit plan agreed in good faith by the parties at least thirty (30) days before the audit commences, defining scope, methodology, duration, and personnel;
- by an independent auditor that is not a competitor of Postelist and that has signed a confidentiality undertaking with Postelist on terms no less protective than those between Postelist and its personnel;
- at the Customer’s sole cost, including reasonable time and expenses incurred by Postelist personnel in supporting the audit (charged at Postelist’s then-current professional-services rates);
- limited to information and systems relevant to the processing of the Customer’s Customer Personal Data, and not extending to (i) information of other Postelist customers; (ii) source code, model weights, classification heuristics, probe methodology, or any other confidential intellectual property of Postelist; (iii) personnel records; or (iv) shared multi-tenant infrastructure beyond evidence of segmentation controls.
11.3 Expedited audits. The notice and frequency limitations in Section 11.2 do not apply, and the audit will instead proceed on such notice as is reasonable in the circumstances, where (i) an audit is required by a competent supervisory authority and Postelist receives a copy of the authority’s instruction; (ii) a Personal Data Breach affecting the Customer’s Customer Personal Data has occurred and Postelist has not provided reasonable assurance of its remediation through Section 11.1 within thirty (30) days of the breach notification under Section 8; or (iii) Postelist has materially failed to comply with this DPA and has not cured that failure within thirty (30) days of written notice of the failure. In each such case the audit remains subject to the scope limitations and confidentiality obligations of Section 11.2 and is conducted at the Customer’s cost save where the audit confirms a material non-compliance attributable to Postelist, in which case Postelist will reimburse the Customer’s reasonable audit costs.
11.4 Reports. Postelist may, at its sole election, satisfy any audit request under this Section by providing the relevant third-party assurance report or industry certification it holds at the time of the request, where the report or certification reasonably addresses the matters the Customer wishes to verify.
12. Retention; Return or Deletion
Customer-submitted addresses and per-record verdict and reason metadata are retained for up to twenty-four (24) months from the date of submission, after which addresses are deleted or irreversibly hashed in accordance with the Privacy Policy. Aggregate signals derived from Service-Improvement Processing may be retained as set out in Section 6.
On termination or expiry of the Agreement, Postelist will, at the Customer’s written election made within thirty (30) days of termination, return or delete all Customer Personal Data in its possession or control, save to the extent that Data Protection Law or other applicable law requires Postelist to retain it (for example, anti-abuse logs, billing records, or evidence reasonably required to respond to claims), in which case Postelist will continue to protect it in accordance with this DPA until deletion is permitted. If the Customer makes no election within that period, Postelist may delete the Customer Personal Data.
13. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, which apply to this DPA as if set out herein in full. Nothing in this DPA varies, displaces, or expands the liability allocated under the Agreement, save to the extent (and only to the extent) that mandatory provisions of Data Protection Law require otherwise, in which case those provisions prevail solely with respect to the matter in question.
14. CCPA / CPRA Specific Terms
With respect to Customer Personal Data that constitutes “personal information” of California residents under the CCPA, Postelist acts as a “Service Provider” and not as a third party. Accordingly, Postelist will not (i) sell or share such personal information, (ii) retain, use, or disclose such personal information for any purpose other than the business purpose of providing the Service to the Customer or as otherwise permitted by the CCPA, including the limited Service-Improvement Processing expressly authorised by the Customer in Section 6, (iii) retain, use, or disclose such personal information outside of the direct business relationship between Postelist and the Customer, or (iv) combine such personal information with personal information received from another source, except as expressly permitted by the CCPA. Postelist certifies that it understands the foregoing restrictions and will comply with them.
15. Term, Conflict, and Miscellaneous
This DPA is effective from the date the Customer first submits Customer Personal Data to the Service or the date of the Agreement, whichever is earlier, and will remain in force for so long as Postelist processes Customer Personal Data on the Customer’s behalf and through the post-termination period required by Section 12. Provisions intended by their nature to survive termination (including Sections 5, 6, 8, 10, 12, 13, 14, and 15) survive accordingly.
In the event of any conflict between this DPA and the Agreement with respect to processing of Personal Data, this DPA prevails. In the event of any conflict between this DPA and the Privacy Policy, this DPA prevails to the extent the conflict relates to Postelist’s obligations as a Processor.
Section 14 of the Agreement (Governing Law & Dispute Resolution) applies to this DPA, save that the laws and forum specified in the SCCs and UK IDTA (as incorporated by Section 10) prevail with respect to disputes about Restricted Transfers governed by them.
Annex 1 — Description of Processing
A. Categories of Data Subjects. Natural persons whose email addresses, IP addresses, or domain associations the Customer submits to the Service. These persons are typically the Customer’s contacts, prospects, subscribers, leads, employees, or end users.
B. Types of Personal Data. (i) Email addresses; (ii) sending domains; (iii) IP addresses; (iv) verdicts (deliverable, undeliverable, uncertain, catch-all, or equivalent); (v) reason codes and machine-readable error codes returned by mailbox providers or DNSBL operators; (vi) timestamps and submission metadata; (vii) provider classification labels (Microsoft, Google, Apple iCloud, Yahoo, NetEase, Proton, generic, etc.).
C. Special Categories. The Service is not designed to process special categories of personal data within the meaning of Article 9 EU/UK GDPR. The Customer warrants in Section 5 of the Agreement that it will not submit such categories except where it has an explicit, documented lawful basis to do so.
D. Frequency of Processing. Continuous, on-demand, in response to Customer submissions and configured monitors.
E. Nature of Processing. Automated query and classification; transmission to mailbox providers and DNSBL operators; storage of inputs and outputs; security and anti-abuse monitoring; aggregate diagnostic and Service-Improvement Processing as described in Section 6; targeted record access only as permitted by Section 6.
F. Purposes of Processing. Provision of email verification, mail infrastructure diagnostics, and DNSBL monitoring services to the Customer in accordance with the Customer’s instructions; security and anti-abuse; accuracy monitoring and improvement; legal and regulatory compliance.
G. Duration of Processing. For the term of the Agreement plus the retention periods in Section 12 and the Privacy Policy.
H. Identity of Competent Supervisory Authority. For EU GDPR purposes, the supervisory authority of the Customer’s establishment, or where the Customer has no EU establishment, the supervisory authority of any EU Data Subject affected by the processing. For UK GDPR purposes, the UK Information Commissioner’s Office. For PDPO purposes, the Hong Kong Office of the Privacy Commissioner for Personal Data.
Annex 2 — Technical and Organisational Measures
Postelist implements and maintains the following technical and organisational measures to ensure a level of security appropriate to the risks of processing. Postelist may update these measures from time to time, provided that the level of protection is not materially diminished.
A. Encryption and Pseudonymisation. All Customer Personal Data is transmitted over TLS 1.2+ between the Customer and the Service and between the Service and Sub-processors. Authentication credentials are stored using industry-standard key-derivation hashing. Where appropriate, Customer Personal Data is hashed or otherwise pseudonymised in Service-Improvement Processing pipelines.
B. Access Control and Segregation. Production access is granted on a least-privilege, need-to-know basis. Personnel access to systems containing Customer Personal Data requires unique authentication, multi-factor authentication where supported, and is logged. Engineering tooling used for Service-Improvement Processing is configured to surface aggregate signals (counts, ratios, group-by outputs) and not the local-part of any individual address; surfacing the local-part of an address requires use of a separate, individually authenticated and audited code path subject to the limits in Section 6.
C. Network Segmentation. Production networks are segregated from corporate networks. Public-facing services are fronted by reverse proxies and rate-limited. Database access is restricted to application service accounts and tightly scoped break-glass operator accounts.
D. Logging and Monitoring. Application, security, and access logs are centrally collected, retained in accordance with the Privacy Policy, and monitored for anomalies. Targeted-access events under Section 6 are recorded with the actor, the records accessed, and the documented justification.
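The following is an added illustration of the two-path tooling design described in items A, B, and D above and in Section 6; it is example code written for this page, not Postelist’s own code, and it assumes a simplified in-memory record format, a placeholder pseudonymisation key, and an in-memory audit log in place of whatever store the Service actually uses. The routine path only ever returns counts and ratios keyed by domain, verdict, and reason code; the targeted path returns full addresses only with one of the permitted grounds and a case reference, and writes an audit record naming the actor, the records accessed, and the justification.

```python
import hashlib
import hmac
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows (assumption: one row per submitted address with its verdict
# and reason code); these are not real customer records.
SAMPLE_RECORDS = [
    {"id": 1, "address": "alice@example.com", "verdict": "deliverable", "reason": "ok"},
    {"id": 2, "address": "bob@example.com", "verdict": "undeliverable", "reason": "no_mailbox"},
    {"id": 3, "address": "carol@example.org", "verdict": "catch_all", "reason": "accept_all"},
    {"id": 4, "address": "dave@example.org", "verdict": "catch_all", "reason": "accept_all"},
    {"id": 5, "address": "erin@example.net", "verdict": "uncertain", "reason": "greylisted"},
]

# Placeholder secret for the pseudonymisation pipeline (assumption: held outside the
# pipeline and rotated in a real deployment).
PSEUDONYM_KEY = b"placeholder-key-not-for-production"


def domain_of(address: str) -> str:
    """Return only the domain; the local-part is discarded and never leaves this path."""
    return address.rpartition("@")[2].strip().lower()


def pseudonymise(address: str) -> str:
    """Keyed hash (HMAC-SHA256) so pipeline rows can be joined without the raw address."""
    normalised = address.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()


def aggregate_signals(records):
    """Routine diagnostic path: counts grouped by (domain, verdict, reason)."""
    counts = Counter()
    for rec in records:
        counts[(domain_of(rec["address"]), rec["verdict"], rec["reason"])] += 1
    return {f"{d}|{v}|{r}": n for (d, v, r), n in sorted(counts.items())}


def verdict_ratios(records):
    """Proportion of each verdict class across the batch (no per-address output)."""
    total = len(records)
    if total == 0:
        return {}
    verdicts = Counter(rec["verdict"] for rec in records)
    return {v: round(n / total, 3) for v, n in verdicts.items()}


# The four grounds listed in Section 6 for reading an individual record.
ALLOWED_GROUNDS = {"customer_ticket", "breach_investigation", "legal_process", "dsr_assistance"}

AUDIT_LOG = []  # assumption: stands in for an append-only, centrally collected log


class AccessDenied(Exception):
    """Raised when the targeted path is invoked without a permitted ground or reference."""


def targeted_access(records, record_ids, actor, ground, reference):
    """Separate, audited path: returns full rows only with a documented justification."""
    if ground not in ALLOWED_GROUNDS:
        raise AccessDenied(f"ground {ground!r} is not one of the permitted grounds")
    if not reference:
        raise AccessDenied("a ticket or case reference is required")
    wanted = set(record_ids)
    hits = [rec for rec in records if rec["id"] in wanted]
    # The audit record is written before the rows are returned, so every read is logged.
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "ground": ground,
        "reference": reference,
        "record_ids": sorted(wanted),
        "found": len(hits),
    })
    return hits


if __name__ == "__main__":
    print(aggregate_signals(SAMPLE_RECORDS))
    print(verdict_ratios(SAMPLE_RECORDS))
    rows = targeted_access(SAMPLE_RECORDS, [3], "eng-1", "customer_ticket", "TICKET-0001")
    print(len(rows), "row(s) returned;", len(AUDIT_LOG), "audit record(s) written")
```

The design point is that the routine tooling has no function that returns an address at all, so a reviewer cannot accidentally see a local-part; the only way to obtain one is the second path, which fails closed without a recognised ground and leaves an audit record of who read which rows and why.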
E. Vulnerability Management. Operating systems, runtimes, and third-party libraries are patched on a regular cadence. Critical vulnerabilities are remediated on an expedited basis. Postelist monitors security advisories for components used in the Service.
F. Incident Response. Postelist maintains a documented incident-response process covering detection, triage, containment, eradication, recovery, communication (including the breach-notification process in Section 8), and post-incident review.
G. Change Management. Production changes are reviewed before release and are reversible. Material changes to data-handling code paths are reviewed by a person other than the author.
H. Personnel Training. Personnel receive training on data protection, security, and the use of operator tooling on hire and on a recurring basis.
I. Resilience. Production infrastructure is configured with automated process supervision, log-rotation, and basic backup and recovery procedures. Postelist tests the recovery process on a periodic basis.
J. Sub-processor Oversight. Postelist conducts a documented data-protection assessment of each Sub-processor before engagement and on a recurring basis.
K. Physical Security. Customer Personal Data is processed in data centres operated by Postelist’s infrastructure Sub-processors and inherits the physical-security controls of those facilities, including controlled access, surveillance, and environmental controls.
Annex 3 — Sub-processors
The Sub-processors below process Customer Personal Data in connection with the Service. The list is current as of the “Last updated” date at the top of this page. Postelist will update this list and notify the Customer of changes in accordance with Section 7.
- Cloud infrastructure provider(s) – hosting of compute, storage, and networking for the Service. Processing locations: jurisdictions selected by Postelist for performance and resilience, including the Asia-Pacific region.
- Payment processor – processing of Customer billing data and payment instruments. Submitted addresses, domains, and IPs are not shared with the payment processor.
- Transactional email provider(s) – delivery of operational and account communications to the Customer’s registered email address. Submitted Customer Personal Data is not shared with this Sub-processor.
- Identity provider(s) – authentication and federated sign-in for Customer users (where the Customer elects to use single sign-on).
- Customer-support platform – storage of correspondence with the Customer’s account contacts. Processing is limited to the contact metadata of those contacts and the content of their communications with Postelist.
Mailbox providers and DNS Block List operators that receive Customer-submitted data solely to perform the verification or check the Customer has requested are not Sub-processors for the purposes of this DPA, as set out in Section 7.
Contact
Questions about this DPA, requests to enter into a counter-signed copy where the Customer requires one in addition to the click-accepted version, and notices under Section 7 should be sent to legal@postelist.com. Privacy enquiries and Data Subject Requests should be sent to privacy@postelist.com. Security notifications should be sent to security@postelist.com.