1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Kawaa ("Processor") and the Customer ("Controller") for the provision of email verification services.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data.
"Data Subject" means the individual whose Personal Data is processed.
"Sub-processor" means any third party engaged by the Processor to process Personal Data.

3. Scope and Purpose

The Processor processes email addresses submitted by the Controller solely for the purpose of providing email verification services. Processing includes validation checks, risk analysis, and result storage.

4. Controller Obligations

The Controller warrants that:

It has a lawful basis for processing the email addresses submitted
It has provided appropriate notice to Data Subjects
It will not submit sensitive personal data (health, religion, political opinions, etc.)
It will comply with all applicable data protection laws

5. Processor Obligations

The Processor agrees to:

Process Personal Data only on documented instructions from the Controller
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Assist the Controller in responding to Data Subject requests
Delete or return Personal Data upon termination
Make available information necessary to demonstrate compliance

6. Security Measures

The Processor implements the following security measures:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Access controls and authentication
Regular security assessments
Incident response procedures
Employee security training
Physical security of data centers (AWS)

7. Sub-processors

The Controller authorizes the following sub-processors:

Amazon Web Services (AWS) - Cloud infrastructure (US)
Stripe - Payment processing (US)
Contabo - SMTP verification infrastructure (Germany)

The Processor will notify the Controller of any intended changes to sub-processors, allowing reasonable time for objections.

8. International Transfers

Personal Data may be transferred to the United States. The Processor relies on Standard Contractual Clauses (SCCs) for such transfers and ensures sub-processors provide equivalent protections.

9. Data Subject Rights

The Processor will assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, including access, rectification, erasure, and portability.

10. Data Breach Notification

The Processor will notify the Controller without undue delay (within 72 hours where feasible) upon becoming aware of a Personal Data breach. Notification will include the nature of the breach, affected data, and remedial measures taken.

11. Audit Rights

The Controller may request evidence of compliance with this DPA. The Processor will make available security certifications, audit reports, or other documentation upon reasonable request.

12. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, the Processor will delete all Personal Data within 30 days unless retention is required by law.

13. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.

14. Contact

For DPA-related inquiries, contact our Data Protection team at: dpo@kawaa.com