Data processing agreement
This DPA forms part of our Terms of Service when you submit personal data of your customers (data subjects) to Trumailo.
Scope
This DPA applies whenever you submit personal data — like email addresses of your customers — to the Trumailo service for verification. It supplements our Terms of Service.
Roles
- Controller: you (our customer).
- Processor: Trumailo.
- Sub-processors: our hosting and billing providers listed below.
Subject matter & nature
We process the personal data you submit (email addresses) solely to perform email verification on your behalf: format checks, DNS / MX lookups, SMTP probes, disposable-list checks, and return of verdict + signals.
Categories of data & subjects
- Data: email addresses (raw, in-memory only) and the resulting verdicts. We store SHA-256 hashes of the addresses, never the plaintext.
- Subjects: the natural persons your email addresses correspond to.
Our obligations
- Process personal data only on your documented instructions (API calls = instructions).
- Ensure staff with access are bound by confidentiality.
- Implement appropriate technical & organisational security measures (see /security).
- Assist you with data-subject requests, DPIAs, and breach notifications.
- Not engage new sub-processors without giving you 30 days' notice and an objection window.
Your obligations
- Establish a lawful basis to share personal data with us (legitimate interest, consent, contract).
- Honour your own privacy notices to data subjects.
- Don't submit special-category data — we're not built for it.
Sub-processors
We use the following sub-processors:
- Paddle.com Market Ltd — payment processing, invoicing (UK, EU, US).
- Our cloud hosting provider — compute, database, object storage.
The current list is mirrored at this page. We'll update it before adding any new sub-processor and notify you by email at least 30 days in advance.
International transfers
Where data is transferred outside the UK / EEA we rely on the EU Standard Contractual Clauses (Module 2: controller-to-processor) and the UK International Data Transfer Addendum where applicable. EU-only residency is available on Enterprise plans.
Data subject rights
We'll provide reasonable assistance to help you respond to access, rectification, erasure, restriction, portability, and objection requests. Forward requests to privacy@trumailo.com.
Personal data breach
We will notify you without undue delay (and in any case within 72 hours of becoming aware) of any personal data breach affecting your data, with the facts available, mitigation steps, and a contact for further information.
Audit
On reasonable notice (typically 30 days), and no more than once per year except in response to a breach, we'll make available the information needed to demonstrate compliance, including completed security questionnaires and, where applicable, SOC2 or ISO 27001 reports.
Deletion & return
On termination of our service, we will return or delete personal data within 30 days unless law requires retention. Backup copies are purged within a further 60 days.
Term
This DPA is effective for as long as you have an active Trumailo account or we otherwise process personal data on your behalf.
Contact
DPO / privacy contact: privacy@trumailo.com.
Questions about this policy? Email legal@trumailo.com or use the contact form.