Skip to content

DATA PROCESSING AGREEMENT

SpamClean by SpamKill Inc.

Last Updated: October 14, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between SpamKill Inc. ("Processor," "we," "us," or "our") and the customer ("Controller," "you," or "your") for the use of SpamClean services (the "Agreement").

This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Applicable Data Protection Law.

1. DEFINITIONS

1.1 The following terms have the meanings set forth below:

  • • "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including (where applicable) EU Data Protection Law and Non-EU Data Protection Law.

  • • "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.

  • • "Data Subject" means an identified or identifiable natural person about whom Personal Data relates.

  • • "EU Data Protection Law" means (i) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); and (iii) the Swiss Federal Act on Data Protection.

  • • "Non-EU Data Protection Law" means the California Consumer Privacy Act ("CCPA"), the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"), and any other data protection laws applicable to the Processing of Personal Data under the Agreement.

  • • "Personal Data" means any information relating to an identified or identifiable natural person that is Processed by Processor on behalf of Controller in connection with the Services, including but not limited to names, email addresses, and engagement history.

  • • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, deletion, or destruction.

  • • "Processor" means SpamKill Inc., the entity that Processes Personal Data on behalf of the Controller.

  • • "Services" means the SpamClean email validation and list cleaning service provided by Processor to Controller.

  • • "Sub-processor" means any entity engaged by Processor to Process Personal Data in connection with the Services.

2. SCOPE AND ROLES

2.1 Processor Role

Processor agrees to Process Personal Data only as a Processor acting on behalf of and on the documented instructions of Controller for the purposes described in this DPA.

2.2 Controller Role

Controller is the Controller of Personal Data and is responsible for compliance with Applicable Data Protection Law regarding the collection, use, and disclosure of Personal Data. Controller shall ensure it has all necessary rights, consents, and lawful bases to provide Personal Data to Processor for Processing in accordance with this DPA.

2.3 Service Description

SpamClean provides email list validation and cleaning services whereby Controller connects their Customer Relationship Management system ("CRM") to the Services. Processor analyzes the provided contact data to identify invalid, risky, or problematic email addresses and applies appropriate tags or labels to contacts within Controller's CRM.

3. PERSONAL DATA PROCESSING

3.1 Categories of Personal Data

Processor shall Process the following categories of Personal Data on behalf of Controller:

  • • Full names (first and last)

  • • Email addresses

  • • Engagement history (date of latest engagement) - to be implemented in future releases

3.2 Categories of Data Subjects

Personal Data relates to the following categories of Data Subjects:

  • • Controller's contacts, leads, and customers stored in their CRM system

3.3 Nature and Purpose of Processing

The nature and purpose of Processing Personal Data are as follows:

  • • Email validation and verification

  • • Identification of invalid, risky, spam trap, or problematic email addresses

  • • Application of tags and labels to contacts within Controller's CRM

  • • Customer support and troubleshooting

  • • Service improvement and quality assurance

3.4 Duration of Processing

Processor shall Process Personal Data for the duration of the Agreement and as follows:

  • Free scans: Personal Data is temporarily copied for analysis purposes and deleted immediately upon completion of the scan

  • Paid scans: Personal Data is retained for up to thirty (30) days following the scan to enable discrepancy resolution and customer support, unless earlier deletion is requested by Controller

  • Post-termination: Upon termination of the Agreement, Processor shall delete or return all Personal Data within thirty (30) days, as directed by Controller in accordance with Section 9

4. PROCESSOR OBLIGATIONS

4.1 Processing Instructions

Processor shall:

  • (a) Process Personal Data only on the documented instructions of Controller, unless required to do so by Applicable Data Protection Law. In such case, Processor shall inform Controller of that legal requirement before Processing, unless prohibited by law;

  • (b) Ensure that persons authorized to Process Personal Data are subject to confidentiality obligations;

  • (c) Not Process Personal Data for any purpose other than those specified in this DPA and the Agreement;

  • (d) Immediately inform Controller if, in Processor's opinion, an instruction from Controller infringes Applicable Data Protection Law.

4.2 Confidentiality

Processor shall ensure that all personnel who have access to Personal Data are bound by confidentiality obligations and have received appropriate training on data protection and the handling of Personal Data.

4.3 No Sale of Personal Data

Processor shall not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Data to any third party for monetary or other valuable consideration. Processor does not and will not sell Personal Data.

5. SECURITY MEASURES

5.1 Technical and Organizational Measures

Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, damage, alteration, or disclosure. These measures include:

  • (a) Encryption in transit: All data transmission between Controller's systems and Processor's systems is encrypted using HTTPS/TLS protocols;

  • (b) Encryption at rest: CRM authentication credentials (API keys, OAuth tokens) are encrypted at rest using industry-standard encryption algorithms. Contact data (names and email addresses) are stored in secure databases with access controls but are not encrypted at rest;

  • (c) Access controls: Access to Personal Data is restricted to authorized employees of SpamKill Inc. based on role-based access controls:

    • • Senior developers: Access for troubleshooting and system maintenance

    • • Support team: Limited access only when Controller raises a support ticket or query

    • • All access is logged and monitored;

  • (d) Authentication: Multi-factor authentication (MFA) is required for all employee access to systems containing Personal Data;

  • (e) Access logging and monitoring: Processor maintains access logs and monitors systems for unauthorized access attempts or anomalous activity;

  • (f) Regular backups: Processor performs regular backups of data to ensure business continuity and disaster recovery;

  • (g) Infrastructure security: Personal Data is hosted on Amazon Web Services (AWS) infrastructure located in the United States, which maintains industry-leading security certifications including SOC 2, ISO 27001, and others.

5.2 Security Updates

Processor shall regularly review and update security measures to address evolving threats and maintain compliance with industry best practices and Applicable Data Protection Law.

5.3 Security Documentation

Upon reasonable request and subject to confidentiality obligations, Processor shall provide Controller with information reasonably necessary to demonstrate compliance with the security obligations set forth in this Section 5.

6. SUB-PROCESSORS

6.1 Authorization to Use Sub-processors

Controller hereby provides general authorization for Processor to engage Sub-processors to Process Personal Data, provided that Processor complies with the requirements of this Section 6.

6.2 Current Sub-processors

Processor currently engages the following categories of Sub-processors:

  • (a) Infrastructure and hosting providers: Amazon Web Services (AWS), United States - for cloud hosting and database services;

  • (b) Payment processing: Stripe, Inc. - for payment processing and billing (processes Controller billing information but not contact Personal Data);

  • (c) Email validation and verification services: Processor engages third-party email validation, verification, and deliverability assessment services to analyze a limited percentage of email addresses. These Sub-processors Process only names and email addresses for validation purposes. The specific providers are considered confidential business information.

6.3 Sub-processor List

The sub-processors listed in Section 6.2 represent the primary categories of Sub-processors engaged by Processor. Additional Sub-processors may be utilized for specific validation and verification services. A complete list of all Sub-processors, including the names of email validation service providers, is available upon written request to privacy@spamkill.co. Such list will be provided within two (2) business days of the request.

6.4 Sub-processor Obligations

Processor shall:

  • (a) Enter into a written agreement with each Sub-processor imposing data protection obligations substantially similar to those set forth in this DPA;

  • (b) Ensure that Sub-processors Process Personal Data only in accordance with Controller's instructions and this DPA;

  • (c) Remain fully liable to Controller for the performance of any Sub-processor's obligations.

6.5 Changes to Sub-processors

Processor shall provide Controller with at least thirty (30) days' prior written notice (via email to the address associated with Controller's account) of the addition or replacement of any Sub-processor. Controller may object to the use of a new Sub-processor on reasonable data protection grounds by notifying Processor in writing within fourteen (14) days of receiving notice. If Controller objects, the parties shall work together in good faith to find a commercially reasonable solution. If no such solution is found, Controller may terminate the affected Services without penalty.

7. DATA SUBJECT RIGHTS

7.1 Assistance with Data Subject Requests

Processor shall, to the extent legally permitted and taking into account the nature of the Processing, provide reasonable assistance to Controller in responding to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Law, including:

  • • Right of access

  • • Right to rectification

  • • Right to erasure ("right to be forgotten")

  • • Right to restriction of Processing

  • • Right to data portability

  • • Right to object to Processing

7.2 Data Subject Request Process

If Processor receives a request directly from a Data Subject, Processor shall:

  • (a) Promptly redirect the Data Subject to submit the request to Controller;

  • (b) Notify Controller of the request within two (2) business days;

  • (c) Not respond to the request except on the documented instructions of Controller or as required by Applicable Data Protection Law.

7.3 Deletion of Personal Data

Upon Controller's written request (via email or through the Services' self-service portal), Processor shall delete all Personal Data relating to Controller within two (2) business days, except where retention is required by Applicable Data Protection Law.

7.4 Data Portability Limitations

Processor does not currently provide functionality for exporting or returning Personal Data in a structured, machine-readable format. Controller acknowledges that the primary method for data removal is deletion in accordance with Section 7.3. If Controller requires access to specific Personal Data, Controller may contact Processor's support team, and the parties shall cooperate to facilitate such access to the extent technically feasible.

8. PERSONAL DATA BREACHES

8.1 Notification of Personal Data Breach

In the event of a Personal Data Breach, Processor shall:

  • (a) Notify Controller without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of the Personal Data Breach;

  • (b) Provide Controller with sufficient information to enable Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Applicable Data Protection Law.

For purposes of this DPA, a "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

8.2 Breach Notification Content

The notification shall, to the extent possible, include:

  • (a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;

  • (b) The likely consequences of the Personal Data Breach;

  • (c) A description of the measures taken or proposed to be taken to address the Personal Data Breach and mitigate its potential adverse effects;

  • (d) The name and contact details of Processor's data protection point of contact.

8.3 Cooperation and Investigation

Processor shall:

  • (a) Cooperate with Controller and take such reasonable commercial steps as directed by Controller to assist in the investigation, mitigation, and remediation of the Personal Data Breach;

  • (b) Preserve all relevant records and evidence relating to the Personal Data Breach;

  • (c) Provide regular updates to Controller regarding investigation and remediation efforts.

8.4 No Delay in Notification

Processor shall not unreasonably delay notification to Controller pending completion of an investigation or remediation efforts. Initial notification may be provided with available information, followed by supplemental information as it becomes available.

9. RETURN AND DELETION OF PERSONAL DATA

9.1 Post-Termination Obligations

Upon termination or expiration of the Agreement, or upon Controller's written request, Processor shall, at Controller's election:

  • (a) Delete all Personal Data in Processor's possession or control, including all copies; or

  • (b) Return all Personal Data to Controller in a format reasonably requested by Controller, to the extent technically feasible, and then delete all remaining copies.

9.2 Timeframe

Processor shall complete the deletion or return of Personal Data within thirty (30) days of termination or Controller's request, unless Applicable Data Protection Law requires continued storage.

9.3 Certification of Deletion

Upon Controller's request, Processor shall provide written certification that all Personal Data has been deleted or returned in accordance with this Section 9.

9.4 Exceptions

Processor may retain Personal Data to the extent and for such period as required by Applicable Data Protection Law, provided that Processor shall ensure the confidentiality of such Personal Data and shall Process such Personal Data only as necessary for the purpose(s) specified in the applicable law requiring its retention.

10. AUDITS AND INSPECTIONS

10.1 Audit Rights

Subject to this Section 10, Controller may, upon reasonable written notice and no more than once per year, audit Processor's compliance with its obligations under this DPA, either by:

  • (a) Reviewing available third-party audit reports, certifications, or documentation demonstrating Processor's compliance with this DPA; or

  • (b) Conducting an on-site audit during Processor's normal business hours, at Controller's expense, provided that:

    • • Such audit does not unreasonably interfere with Processor's business operations;

    • • Controller provides at least thirty (30) days' prior written notice;

    • • Controller and its auditors execute Processor's standard confidentiality agreement;

    • • Controller conducts the audit in a manner that does not compromise the security or confidentiality of other customers' data.

10.2 Audit Process

Any audit shall be conducted in accordance with the following:

  • (a) Processor shall provide reasonable cooperation and assistance;

  • (b) The scope of the audit shall be limited to verification of Processor's compliance with this DPA;

  • (c) Controller shall provide Processor with a copy of any audit reports, which shall be treated as Processor's Confidential Information;

  • (d) If an audit reveals non-compliance, Processor shall take commercially reasonable steps to remediate any identified issues within a reasonable timeframe.

10.3 Costs

Controller shall bear all costs associated with any audit, unless the audit reveals material non-compliance by Processor with this DPA, in which case Processor shall reimburse Controller's reasonable audit costs.

11. INTERNATIONAL DATA TRANSFERS

11.1 Data Location

Personal Data is Processed and stored on servers located in the United States. Controller acknowledges and agrees to the Processing and storage of Personal Data in the United States.

11.2 Transfers Subject to EU Data Protection Law

Where the transfer of Personal Data from Controller to Processor is subject to EU Data Protection Law, the parties agree that:

  • (a) The Standard Contractual Clauses for the transfer of personal data to processors established in third countries (controller-to-processor transfers) approved by the European Commission Decision 2021/914 dated 4 June 2021 ("Standard Contractual Clauses" or "SCCs") are incorporated into and form part of this DPA and shall apply to such transfers; and

  • (b) The parties agree to comply with the SCCs, which are deemed to be executed by the parties as of the effective date of this DPA.

11.3 Supplementary Measures

The parties acknowledge that, in accordance with applicable guidance from supervisory authorities, supplementary technical and organizational measures may be necessary to ensure that the level of protection afforded by the SCCs is not undermined. The security measures described in Section 5 constitute such supplementary measures.

11.4 Standard Contractual Clauses - Module Details

For the purposes of the Standard Contractual Clauses:

  • Module: Module Two (Controller to Processor) applies

  • Annexes: The information set forth in this DPA satisfies the requirements of the Annexes to the SCCs

  • Governing law (Clause 17): The laws of Ireland shall apply

  • Choice of forum (Clause 18): The courts of Ireland shall have jurisdiction

  • Optional provisions:

    • • Clause 9(a) (Prior authorization of Sub-processors): Option 2 (General authorization) applies

    • • Clause 11(a) (Redress): The optional requirement does NOT apply

    • • Clause 17 (Mediation): The optional mediation provision does NOT apply

    • • Clause 18(b) (Choice of forum and jurisdiction): The parties agree to the courts of Ireland

11.5 Conflicting Provisions

In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail to the extent required by Applicable Data Protection Law.

12. LIABILITY AND INDEMNIFICATION

12.1 Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA shall limit or exclude either party's liability for:

  • (a) Fraud or fraudulent misrepresentation;

  • (b) Gross negligence or willful misconduct;

  • (c) Any liability that cannot be limited or excluded by Applicable Data Protection Law.

12.2 Processor Liability to Data Subjects

Processor shall be liable to Data Subjects in accordance with Applicable Data Protection Law for any damages arising from Processing that violates such law and where Processor has not complied with obligations under Applicable Data Protection Law specifically directed at Processors or where Processor has acted outside or contrary to lawful instructions from Controller.

12.3 Data Protection Authority Orders

If a supervisory authority or other regulatory authority issues an order or directive requiring changes to Processor's Processing activities or this DPA, Processor shall promptly notify Controller and cooperate with Controller to ensure compliance.

13. TERM AND TERMINATION

13.1 Term

This DPA shall commence on the effective date of the Agreement and shall remain in effect until the termination or expiration of the Agreement, unless earlier terminated in accordance with this Section 13.

13.2 Termination

Either party may terminate this DPA:

  • (a) If the other party materially breaches this DPA and fails to remedy such breach within thirty (30) days of receiving written notice;

  • (b) Upon termination of the Agreement;

  • (c) As otherwise permitted by the Agreement.

13.3 Effect of Termination

Upon termination of this DPA:

  • (a) Processor shall cease all Processing of Personal Data, except as necessary to comply with Section 9 (Return and Deletion of Personal Data);

  • (b) Each party shall return or destroy all Confidential Information of the other party, subject to Section 9;

  • (c) The obligations set forth in Sections 4.2 (Confidentiality), 9 (Return and Deletion of Personal Data), 10 (Audits and Inspections), 12 (Liability and Indemnification), and 14 (General Provisions) shall survive termination.

14. GENERAL PROVISIONS

14.1 Relationship to Agreement

This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA shall prevail.

14.2 Amendments

Processor reserves the right to amend this DPA from time to time to reflect:

  • (a) Changes in Applicable Data Protection Law;

  • (b) Guidance or directions from supervisory authorities;

  • (c) Changes to Processor's data processing practices;

  • (d) Industry best practices.

Processor shall provide Controller with at least thirty (30) days' prior written notice of any material amendments. Controller's continued use of the Services after the effective date of the amendments constitutes acceptance of the amended DPA. If Controller objects to the amendments, Controller may terminate the Agreement in accordance with its terms.

14.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be replaced with a valid provision that most closely approximates the intent and economic effect of the invalid provision.

14.4 Notices

All notices under this DPA shall be provided in accordance with the notice provisions set forth in the Agreement. Notices relating to this DPA shall be sent to:

For Controller: The email address associated with Controller's account

For Processor:
SpamKill Inc.
555 W Hastings St #1200
Vancouver, BC V6B 4N6
Canada
Email: privacy@spamkill.co

14.5 Governing Law

This DPA shall be governed by and construed in accordance with the laws specified in the Agreement, except where the Standard Contractual Clauses apply, in which case the governing law provisions of the SCCs shall apply.

14.6 Order of Precedence

In the event of any conflict or inconsistency between the provisions of this DPA and the Agreement (other than the Standard Contractual Clauses), the following order of precedence shall apply:

  1. Standard Contractual Clauses (where applicable)

  2. This DPA

  3. The Agreement

14.7 Third-Party Beneficiaries

Data Subjects are third-party beneficiaries of Sections 4 (Processor Obligations), 5 (Security Measures), 7 (Data Subject Rights), 8 (Personal Data Breaches), and 11.2 (Transfers Subject to EU Data Protection Law) of this DPA.

15. CONTACT INFORMATION

For questions regarding this DPA or data protection matters:

Data Protection Contact:
SpamKill Inc.
Email: privacy@spamkill.co
Address: 555 W Hastings St #1200, Vancouver, BC V6B 4N6, Canada

ANNEX I - STANDARD CONTRACTUAL CLAUSES DETAILS

A. LIST OF PARTIES

Data exporter(s):

  • • Name: Controller (as identified in the Agreement)

  • • Address: As provided in Controller's account

  • • Contact person's name, position, and contact details: As provided in Controller's account

  • • Activities relevant to the data transferred: Use of SpamClean email validation services

  • • Role: Controller

Data importer(s):

  • • Name: SpamKill Inc.

  • • Address: 555 W Hastings St #1200, Vancouver, BC V6B 4N6, Canada

  • • Contact person's name, position, and contact details: privacy@spamkill.co

  • • Activities relevant to the data transferred: Email validation and list cleaning services

  • • Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects: Controller's contacts, leads, and customers

Categories of personal data:

  • • Names (first and last)

  • • Email addresses

  • • Engagement history (future implementation)

Sensitive data: None

Frequency of transfer: Continuous during the term of the Agreement, as initiated by Controller

Nature of processing: Email validation, verification, and quality assessment; application of tags/labels to contacts in Controller's CRM

Purpose of processing: To identify invalid, risky, or problematic email addresses in Controller's contact database

Retention period: Up to 30 days for paid scans; immediate deletion for free scans; 30 days post-termination

Sub-processors:

  • • Cloud hosting and infrastructure providers

  • • Email validation and verification service providers

  • • Payment processors (for billing information only)

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses.

BY USING THE SERVICES, CONTROLLER ACKNOWLEDGES THAT IT HAS READ, UNDERSTOOD, AND AGREES TO BE BOUND BY THIS DATA PROCESSING AGREEMENT.

End of Data Processing Agreement