Data Processing Agreement (DPA)

Last Updated: November 14, 2025

GDPR Article 28 Compliant

1. Purpose and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer" or "Data Controller") and CampaignKit (the "Processor" or "Service Provider") for the provision of email validation and deliverability services (the "Services").

This DPA applies when and to the extent that CampaignKit processes Personal Data on behalf of the Customer as part of providing the Services, and the processing is subject to the General Data Protection Regulation (GDPR) or other applicable data protection laws.

2. Definitions

In this DPA, the following terms have the meanings set out below:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by CampaignKit on behalf of the Customer pursuant to or in connection with the Services.
  • "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA).
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party appointed by CampaignKit to process Personal Data on behalf of the Customer in connection with the Services.
  • "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to the GDPR.

3. Roles and Responsibilities

3.1 Data Controller (Customer)

The Customer is the Data Controller and is responsible for:

  • Determining the purposes and means of processing Personal Data
  • Ensuring a lawful basis exists for all processing activities (consent, legitimate interest, contract, etc.)
  • Providing appropriate privacy notices to Data Subjects
  • Handling Data Subject rights requests (access, deletion, rectification, portability, etc.)
  • Ensuring compliance with all applicable Data Protection Laws
  • Only providing Personal Data to CampaignKit that the Customer has the right to process

3.2 Data Processor (CampaignKit)

CampaignKit is the Data Processor and will:

  • Process Personal Data only on documented instructions from the Customer
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in meeting Data Subject rights obligations
  • Notify the Customer of any Personal Data breaches
  • Delete or return Personal Data upon termination of Services
  • Maintain records of processing activities

4. Processing Details

4.1 Subject Matter and Duration

Subject Matter: Email validation and deliverability services, including email address syntax validation, domain verification, SMTP mailbox checking, and identification of disposable, role-based, and high-risk email addresses.

Duration: The term of the Agreement and Services, plus any retention period required for legal or contractual obligations.

4.2 Nature and Purpose of Processing

CampaignKit processes Personal Data to provide email validation services requested by the Customer. This includes:

  • Validating email address syntax and format
  • Verifying domain DNS records (MX, SPF, DMARC)
  • Checking mailbox existence via SMTP protocols
  • Identifying disposable, temporary, and role-based email addresses
  • Detecting catch-all domains
  • Flagging known spam traps and high-risk addresses
  • Providing validation scores and detailed reports

4.3 Types of Personal Data

  • Email addresses: Contact information of Data Subjects
  • Name (if included in API requests): Optional field sometimes associated with email validation
  • Metadata: Timestamps, IP addresses of API requests, validation results

4.4 Categories of Data Subjects

  • Customer's contacts, leads, subscribers, and mailing list recipients
  • Prospective customers identified through the Customer's marketing activities
  • Any individuals whose email addresses are submitted by the Customer for validation

5. Customer Instructions

CampaignKit will process Personal Data only in accordance with the Customer's documented instructions, unless required to do so by applicable law. The Customer's instructions are:

  • To perform email validation services as requested via API calls, integrations, or web interface
  • To store validation logs for the retention period specified in the Privacy Policy (90 days for API logs)
  • To provide support and troubleshooting services
  • To improve service quality and fraud detection

If CampaignKit believes an instruction violates Data Protection Laws, it will inform the Customer immediately.

6. Security Measures (GDPR Article 32)

CampaignKit implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

6.1 Technical Measures

  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access control (RBAC) with least-privilege principles
  • Authentication: Multi-factor authentication (MFA) for administrative access
  • Network Security: Firewalls, intrusion detection systems, and regular security patching
  • Pseudonymization: Where feasible, email addresses are pseudonymized in logs
  • API Security: API key authentication, rate limiting, and request validation

6.2 Organizational Measures

  • Confidentiality: All employees and contractors are bound by confidentiality agreements
  • Training: Regular security and data protection training for staff
  • Access Limitation: Personal Data access limited to authorized personnel on a need-to-know basis
  • Incident Response: Documented incident response procedures and breach notification protocols
  • Vendor Management: Sub-processors selected based on security and privacy assessments

7. Sub-Processors

7.1 General Authorization

The Customer provides general authorization for CampaignKit to engage Sub-processors to perform specific processing activities. CampaignKit will:

  • Ensure Sub-processors are bound by data protection obligations equivalent to this DPA
  • Remain fully liable for the performance of Sub-processors
  • Conduct due diligence before engaging Sub-processors

7.2 Current Sub-Processors

Sub-Processor | Service | Location | Purpose
Amazon Web Services (AWS) | Cloud Infrastructure | EU/Global | Application hosting and data storage
Hetzner GmbH | Cloud Infrastructure | EU (Germany) | Dedicated server hosting
Cloudflare Inc. | CDN & Security | Global | Content delivery, DDoS protection, DNS services
Brevo (formerly Sendinblue) | Email Services | EU | Transactional email and newsletter delivery
PostHog Inc. | Analytics | EU | Product analytics (website only, not customer API data)
Crisp IM SAS | Live Chat | EU | Customer support chat widget

7.3 Sub-Processor Changes

CampaignKit will notify the Customer of any intended changes to Sub-processors (additions or replacements) at least 30 days in advance by:

  • Email notification to the Customer's registered email address
  • Update to this DPA page with the effective date of change

If the Customer objects to a new Sub-processor on reasonable grounds relating to data protection, the Customer may:

  • Terminate the affected Services upon 30 days' written notice
  • Work with CampaignKit to find an alternative solution

8. Data Subject Rights Assistance

CampaignKit will assist the Customer in fulfilling Data Subject rights requests to the extent possible, including:

  • Access: Providing data extracts of Personal Data processed on the Customer's behalf
  • Rectification: Correcting inaccurate Personal Data upon Customer instruction
  • Erasure: Deleting Personal Data upon Customer request
  • Restriction: Limiting processing activities upon Customer request
  • Portability: Providing Personal Data in a structured, machine-readable format (CSV, JSON)
  • Objection: Ceasing processing upon Customer instruction

Response Time: CampaignKit will respond to Customer assistance requests within 10 business days.

Fees: Assistance with complex or frequent Data Subject requests may incur reasonable fees to cover administrative costs. CampaignKit will notify the Customer of any applicable fees in advance.

9. Data Breach Notification

9.1 Notification Obligation

In the event of a Personal Data breach affecting the Customer's data, CampaignKit will:

  • Notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware
  • Provide sufficient information to enable the Customer to meet any obligations to report or inform Data Subjects

9.2 Breach Information

The breach notification will include, to the extent known:

  • The nature of the breach, including categories and approximate numbers of Data Subjects and records affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects
  • Contact details for further information

10. Data Protection Impact Assessments (DPIA)

CampaignKit will provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (DPIAs) where required under Data Protection Laws, including:

  • Information about security measures and processing activities
  • Risk assessments related to CampaignKit's processing operations
  • Documentation of compliance measures

11. International Data Transfers

11.1 Transfer Mechanisms

Where Personal Data is transferred outside the European Economic Area (EEA), CampaignKit ensures appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU Commission-approved SCCs with US-based Sub-processors
  • Adequacy Decisions: Transfers to countries with an EU adequacy decision
  • Additional Safeguards: Supplementary measures as recommended by the European Data Protection Board (EDPB)

11.2 Data Residency

Where technically feasible, CampaignKit processes and stores Personal Data within the European Union. API validation services may involve temporary data transfers to US-based infrastructure, which are covered by SCCs.

12. Audit Rights

The Customer has the right to audit CampaignKit's compliance with this DPA:

  • Information Requests: The Customer may request information about CampaignKit's data protection practices at any time
  • Documentation: CampaignKit will provide relevant compliance documentation, including security certifications and audit reports
  • On-Site Audits: Upon reasonable written notice (at least 30 days), the Customer may conduct an on-site audit once per calendar year, subject to:
    • Confidentiality agreements
    • Reasonable business hours
    • No disruption to CampaignKit's operations
    • Customer bears all costs of the audit

13. Data Retention and Deletion

13.1 Retention Period

CampaignKit retains Personal Data for the following periods:

  • API Validation Logs: 90 days from the date of validation
  • Account Data: Duration of the Services plus 7 years for financial and legal compliance
  • Support Communications: 24 months from last interaction

13.2 Deletion Upon Termination

Upon termination or expiration of the Services, CampaignKit will, at the Customer's choice:

  • Delete: Permanently delete all Personal Data within 30 days, except where retention is required by law
  • Return: Return Personal Data in a commonly used, machine-readable format (CSV, JSON)

The Customer must make this election within 30 days of termination. If no election is made, CampaignKit will delete all Personal Data.

13.3 Backup Retention

Personal Data in backups will be deleted in accordance with CampaignKit's backup retention policy (maximum 90 days) following the primary deletion.

14. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits or excludes either party's liability for:

  • Fraud or fraudulent misrepresentation
  • Gross negligence or willful misconduct
  • Violations of Data Protection Laws that cannot be limited by contract

15. Term and Termination

This DPA takes effect on the date the Customer first uses the Services and remains in effect until:

  • Termination or expiration of the Terms of Service
  • All Personal Data has been deleted or returned

Sections 6 (Security), 9 (Breach Notification), 13 (Deletion), and 14 (Liability) survive termination.

16. Amendments

CampaignKit may update this DPA from time to time to reflect changes in:

  • Data Protection Laws
  • Regulatory guidance from Supervisory Authorities
  • Industry best practices
  • Service offerings or technical infrastructure

Material changes will be communicated to Customers at least 30 days before the effective date via:

  • Email notification to the Customer's registered email address
  • In-app notification or dashboard alert
  • Update to the "Last Updated" date at the top of this page

17. Governing Law and Disputes

This DPA is governed by the same law as the Terms of Service. Any disputes arising from this DPA will be resolved in accordance with the dispute resolution provisions in the Terms of Service.

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.

18. Contact Information

For questions about this DPA or data processing practices:

Email: support@campaignkit.cc
Subject Line: "DPA Inquiry"
Privacy Policy: View our Privacy Policy
Terms of Service: View our Terms of Service

Need a Signed Copy of This DPA?

Enterprise customers can request a signed, customized Data Processing Agreement. Contact our team for assistance with DPA execution and any specific requirements.