Legal

Data Processing Agreement

Effective: June 2026 Last updated: June 2026

This Data Processing Agreement (DPA) governs the processing of personal data that a customer (the Data Controller) submits to VerifyFlow (the Data Processor) for email verification. By using VerifyFlow, the Customer agrees to this DPA.

Parties

Parties

  • Data Processor — Cygnus Digital Advertising Media Services OPC Pvt Ltd, operating VerifyFlow (veriflowb2b.com), Pune, Maharashtra, India
  • Data Controller — the customer using VerifyFlow services
01

Scope

This DPA applies when the Data Controller submits personal data (including email addresses of third parties) to VerifyFlow for processing. It forms part of, and is incorporated into, the VerifyFlow Terms of Service.

02

Nature and Purpose of Processing

  • Purpose — email address verification (syntax, DNS, and SMTP-level validation)
  • Categories of data — email addresses and verification results
  • Duration — as long as the customer maintains an active account, and no longer than 12 months from the verification date
03

Processor Obligations (VerifyFlow)

  • Process personal data only on the Controller's documented instructions
  • Ensure that persons processing the data are bound by confidentiality
  • Implement appropriate technical and organisational security measures
  • Assist the Controller in fulfilling data subject rights requests
  • Delete or return all personal data on termination
  • Make available all information necessary to demonstrate compliance
  • Notify the Controller within 72 hours of becoming aware of a personal data breach
04

Controller Obligations (Customer)

  • Have a lawful basis for submitting email addresses for processing
  • Comply with applicable data protection laws (GDPR, CCPA, CASL, and others)
  • Ensure data subjects have been informed about third-party processing where required
  • Not submit special category data or data relating to minors
05

Sub-processors

The Controller authorises VerifyFlow to engage the following categories of sub-processor:

  • Secure cloud authentication and database services — United States / European Union — Standard Contractual Clauses apply
  • Proprietary SMTP verification servers — operated under VerifyFlow's control
  • Razorpay Software Pvt Ltd — India — payment processing only (no email lists)
06

International Transfers

Personal data may be processed in India, the European Union, and the United States. Transfers outside the European Economic Area are covered by appropriate safeguards, including the Standard Contractual Clauses adopted by the European Commission with our cloud sub-processors.

07

Security Measures

  • All data in transit is encrypted via HTTPS/TLS
  • Data is encrypted at rest in our secure cloud database
  • Role-based access controls govern internal access
  • SMTP probing is conducted from dedicated infrastructure that is not shared with any email-sending service
08

Breach Notification

VerifyFlow will notify the Controller within 72 hours of discovering a personal data breach affecting Customer Data, and will provide the information reasonably necessary for the Controller to meet its own notification obligations.

09

Termination

On account deletion or service termination, all Customer Data will be permanently deleted within 30 days, except where retention is required by law.

10

Governing Law

This DPA is governed by the laws of India. For customers in the European Union, the EU Standard Contractual Clauses (Commission Decision 2021/914) are incorporated by reference. By using VerifyFlow, the Customer agrees to this Data Processing Agreement.

11

Contact

  • Email: support@veriflowb2b.com
  • Company: Cygnus Digital Advertising Media Services OPC Pvt Ltd
  • Location: Pune, Maharashtra, India