GDPR & Data Processing
Last updated: May 1, 2026
This page describes how Surewyse complies with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP). It also constitutes our Data Processing Addendum (“DPA”) for customers who submit personal data of EU/UK/EEA data subjects to the Service.
1. Roles
When you use the Service to verify email addresses, you are the data controller and Surewyse is the data processor for the addresses you submit (“Submitted Data”). For your own account information — e.g. your billing address, login events, and account email — we are the controller (see our Privacy Policy).
2. Subject matter, duration, nature, and purpose of processing
- Subject matter: validation of the deliverability of email addresses you submit.
- Duration: for the term of your subscription, plus the deletion windows in the Privacy Policy.
- Nature and purpose: running syntax, MX, disposable, role, SMTP, and catch-all checks; storing results in your account history; making them available via the dashboard, exports, and API.
- Type of personal data: email addresses and the technical signals returned by the verifier.
- Categories of data subjects: any natural person whose email address you choose to verify.
3. Controller instructions
We process Submitted Data only on documented instructions from you. Your instructions are: (a) these Terms, (b) the documented features of the Service, (c) your in-product configuration, and (d) any further written instructions you give us. We will inform you if, in our opinion, an instruction infringes the GDPR or other applicable data-protection law.
4. Confidentiality and personnel
Personnel authorized to process Submitted Data are bound by confidentiality obligations and trained on data protection. Access to production data is limited to engineers and on-call staff with a need to know.
5. Security measures (Article 32)
We implement appropriate technical and organizational measures, including:
- Encryption of Submitted Data in transit (TLS 1.2+).
- Bcrypt password hashing; hashed API keys at rest.
- CSRF protection on all state-changing endpoints; prepared statements for database access.
- Sessions with HttpOnly + SameSite=Lax cookies, regenerated on auth-state change.
- The verifier microservice authenticates incoming PHP requests with a shared internal key and is bound to a private network in production.
- Access controls, least privilege, audit logging.
- Backup and restoration testing.
- Vulnerability management and patching.
6. Sub-processors
You authorize us to engage the sub-processors listed in our Privacy Policy. We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA. We will notify you (via email or in-product banner) of any intended changes to sub-processors at least 30 days in advance, giving you the opportunity to object on reasonable data-protection grounds. If we cannot accommodate your objection, you may terminate the affected portion of the Service for convenience.
7. International transfers
Where Submitted Data is transferred outside the EEA, UK, or Switzerland to a country that does not have an adequacy decision, we rely on (a) the Standard Contractual Clauses (Module 2 or 3, as applicable) adopted by the European Commission on 4 June 2021, (b) the UK International Data Transfer Addendum to the SCCs, and/or (c) the equivalent Swiss mechanism. A copy of the SCCs in force is available on request.
8. Data subject rights
The Service includes self-service tools for you, as controller, to respond to data-subject requests:
- Access & portability: export your verification history from the dashboard.
- Erasure: delete individual records or your entire account from your settings.
- Rectification & restriction: contact privacy@surewyse.com.
Where a data subject contacts us directly about Submitted Data, we will not respond on the merits but will refer them to you, the controller, and notify you within 5 business days.
9. Personal data breach notification
We will notify you without undue delay (and in any case within 72 hours of becoming aware) of a personal-data breach affecting Submitted Data. The notification will include the nature of the breach, categories and approximate number of records affected, likely consequences, and the measures taken or proposed.
10. Data Protection Impact Assessments
We will provide reasonable assistance to you in carrying out DPIAs and consulting with supervisory authorities, taking into account the nature of processing and the information available to us.
11. Audits
On reasonable prior written notice (and not more than once per year, except where required by a supervisory authority), we will make available to you information necessary to demonstrate compliance with this DPA, including third-party audit reports under non-disclosure where available. On-site audits, if required, will be at your expense and conducted in a manner that does not disrupt the Service or compromise the confidentiality of other customers’ data.
12. Return or deletion of Submitted Data
On termination of the Service, we will, at your choice, delete or return Submitted Data within 30 days, unless retention is required by law. Backups are deleted on a rolling 30-day cycle.
13. Your representations as controller
You represent and warrant that you have a lawful basis under Articles 6 and (where applicable) 9 of the GDPR to submit each address to the Service for verification, including providing any required notices to data subjects. You are responsible for ensuring that the addresses you verify were lawfully obtained and that verification is compatible with the purposes for which the addresses were collected.
14. Liability
Each party’s liability under this DPA is subject to the limitation-of-liability provisions in our Terms of Use.
15. Order of precedence
If there is a conflict between these GDPR terms and the Terms of Use, these GDPR terms prevail with respect to the processing of Submitted Data of EU/UK/EEA data subjects.
16. Contact
Data Protection contact: privacy@surewyse.com
Where required by Article 27 of the GDPR, our EU representative will be listed here.