Data Processing Agreement
Version 1.0 — June 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between filtrat.io and the User and is incorporated by reference into those Terms. By using the Service to process personal data of third parties, the User agrees to this DPA.
Processor
[FULL LEGAL NAME] (Przedsiębiorca Jednoosobowy, sole proprietorship)
NIP: [NIP NUMBER]
[REGISTERED ADDRESS], [POSTAL CODE] [CITY], Poland
Controller
The filtrat.io customer entity or individual identified in the account registration (“the Controller,” “you”).
1. Definitions
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council. References to GDPR in this DPA include the UK General Data Protection Regulation (UK GDPR) as retained under the Data Protection Act 2018, where applicable.
“Personal Data,” “processing,” “controller,” “processor,” “data subject,” “personal data breach,” and “supervisory authority” have the meanings given to them in the GDPR.
“Controller Personal Data” means personal data submitted by the Controller to the Service for processing — specifically email addresses belonging to third parties or the Controller’s own personnel submitted for verification via the dashboard or API.
“Services” means the email verification, catch-all resolution, pattern lookup, and related features provided by filtrat.io under the Terms of Service.
“Sub-processor” means any third party engaged by the Processor to carry out processing activities on Controller Personal Data.
2. Scope and Role of the Parties
2.1 Roles
The parties acknowledge that for the purposes of processing Controller Personal Data through the Services:
- The Controller determines the purposes and means of processing Controller Personal Data and bears responsibility for ensuring it has a valid legal basis to submit that data to the Processor
- The Processor processes Controller Personal Data solely on behalf of the Controller and for the purposes of providing the Services
2.2 Scope of processing
| Element | Detail |
|---|---|
| Subject matter | Email address verification |
| Duration | For the duration of the Controller's use of the Services, plus the 180-day verification result cache period |
| Nature of processing | Automated verification of email addresses against mail servers and external data sources; caching of results |
| Purpose | Returning verification results to the Controller |
| Type of personal data | Email addresses submitted by the Controller |
| Categories of data subjects | Individuals whose email addresses are submitted by the Controller, including third parties and the Controller's own personnel |
2.3 No processing outside scope
The Processor will not process Controller Personal Data for any purpose other than providing the Services as described in this DPA and the Terms of Service.
3. Controller’s Obligations
The Controller represents, warrants, and undertakes that:
- It has and will maintain a valid legal basis under GDPR (or applicable data protection law) for submitting Controller Personal Data to the Processor for verification
- It has provided, or will provide, appropriate privacy notices to data subjects whose email addresses it submits for verification, where required by applicable law
- It will comply with its own obligations under GDPR and applicable data protection law in connection with its use of the Services
- It will ensure that any instructions it gives to the Processor comply with applicable law
- It will execute any further documentation reasonably requested by the Processor to demonstrate compliance with this DPA
4. Processor’s Obligations
4.1 Processing on instructions only
The Processor will process Controller Personal Data only on documented instructions from the Controller as set out in this DPA and the Terms of Service. If the Processor is required to process Controller Personal Data under EU or Polish law, the Processor will inform the Controller of that legal requirement before processing, unless prohibited from doing so by law.
The Processor will immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection provisions.
4.2 Confidentiality
The Processor will ensure that all personnel authorised to process Controller Personal Data are bound by appropriate confidentiality obligations and access Controller Personal Data only on a need-to-know basis.
4.3 Security
The Processor will implement and maintain appropriate technical and organisational measures to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Current measures include:
- TLS encryption for all data in transit
- Encryption at rest for stored data
- Access controls and authentication on all systems processing Controller Personal Data
- Automated deletion of cached verification results after 180 days
- Restricted staff access on a strict need-to-know basis
4.4 Sub-processors
The Controller provides general authorisation for the Processor to engage the sub-processors listed in Schedule 1. The Processor will:
- Ensure sub-processors are bound by data protection obligations no less protective than those in this DPA
- Remain fully liable to the Controller for the performance of sub-processors’ obligations
- Notify the Controller of any intended changes to the sub-processor list by updating Schedule 1 and providing at least 30 days prior notice via the filtrat.io website or email to active accounts
If the Controller objects to a new sub-processor on reasonable data protection grounds, the Controller may notify the Processor at [email protected] within 30 days. The parties will work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the relevant Services without penalty.
4.5 Data subject rights
Taking into account the nature of processing, the Processor will assist the Controller by appropriate technical and organisational measures to fulfil the Controller’s obligation to respond to requests from data subjects exercising their rights under GDPR (including rights of access, rectification, erasure, restriction, portability, and objection), to the extent the Processor is reasonably able to do so.
Where a data subject contacts the Processor directly regarding Controller Personal Data, the Processor will inform the Controller promptly and will not respond to the data subject directly except to direct them to the Controller, unless legally required to do so.
4.6 Assistance with compliance obligations
The Processor will assist the Controller in ensuring compliance with obligations under GDPR Articles 32–36 (security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities), taking into account the nature of processing and the information available to the Processor.
4.7 Return and deletion of data
Upon termination of the Services or upon request by the Controller, the Processor will:
- Make Controller Personal Data available for export in a structured, commonly used, machine-readable format (CSV) via the dashboard export function or the API export endpoints, for a period of 30 days following termination
- Delete all Controller Personal Data from active systems within 30 days after the export period, or immediately upon the Controller’s written request to skip the export period
- Confirm deletion in writing upon request
Automated deletion of cached verification results occurs after 180 days in the ordinary course. The Controller may trigger deletion of their cached results at any time from account settings. Copies retained in system logs or backups will be overwritten in the ordinary course within 90 days.
The Processor is not required to delete data where retention is required by EU or Polish law.
4.8 Audit and demonstration of compliance
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Processor will allow for and contribute to audits and inspections conducted by the Controller or an auditor appointed by the Controller, subject to:
- Reasonable prior written notice of at least 30 days
- Agreement on the scope and timing of the audit to minimise disruption
- The Controller bearing the cost of the audit unless the audit reveals a material breach of this DPA by the Processor
- Confidentiality obligations on the auditor regarding the Processor’s systems and other customers’ data
The Controller agrees to exercise audit rights no more than once per calendar year unless a personal data breach gives reasonable cause for additional inspection.
4.9 Personal data breach notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach involving Controller Personal Data. Notification will be provided to the email address registered on the Controller’s account and will include, to the extent then known:
- A description of the nature of the breach
- The categories and approximate number of data subjects and records concerned
- The likely consequences of the breach
- Measures taken or proposed to address the breach
Where information is not immediately available, the Processor will provide it in subsequent communications as it becomes available.
5. International Transfers
Where processing involves the transfer of Controller Personal Data to a country outside the European Economic Area (or the United Kingdom, where UK GDPR applies) that does not benefit from an adequacy decision, the Processor ensures that such transfers are made pursuant to Standard Contractual Clauses (SCCs) approved by the European Commission, or another valid transfer mechanism under GDPR Chapter V.
For transfers from Controller to Processor, the SCCs Module 2 (controller to processor) applies. For transfers from Processor to sub-processors, the SCCs Module 3 (processor to sub-processor) applies. Details of transfers and applicable mechanisms are set out in Schedule 1.
6. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Where both parties are responsible for damage caused by processing in breach of GDPR, they will be jointly and severally liable to the extent provided by GDPR Article 82, with each party bearing liability proportionate to their responsibility for the damage.
7. Term and Termination
This DPA remains in force for as long as the Processor processes Controller Personal Data. It terminates automatically upon termination of the Terms of Service. Sections 4.7 (return and deletion), 4.8 (audit), 6 (liability), and 8 (governing law) survive termination.
8. Governing Law
This DPA is governed by Polish law. For processing subject to UK GDPR, the relevant provisions of this DPA will be interpreted in accordance with UK law to the extent required. Any disputes arising from this DPA are subject to the jurisdiction set out in the Terms of Service.
9. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA takes precedence.
10. Amendments
The Processor may update this DPA to reflect changes in applicable law, regulatory guidance, or processing activities. Material changes will be communicated by email to active accounts at least 30 days before they take effect. The updated version will be posted at filtrat.io/dpa with a new version number and date. Continued use of the Service after the effective date constitutes acceptance of the updated DPA.
11. Enterprise DPA Requests
This DPA operates as standard terms accepted through use of the Service. Enterprise customers requiring a countersigned DPA, custom clauses, or a specific DPA format should contact [email protected]. The Processor will use reasonable efforts to accommodate requests that do not conflict with this DPA or applicable law.
Schedule 1 — Sub-processors and International Transfers
Last updated: June 2026
The following sub-processors are authorised to process Controller Personal Data as necessary to provide the Services. Only services that receive or store Controller Personal Data (email addresses submitted for verification) are listed. Services that process only User account data (payment processing, authentication, transactional email) operate as independent controllers or process only User’s own personal data and are documented in the Privacy Policy rather than this Schedule.
| Sub-processor | Purpose | Country | Transfer mechanism |
|---|---|---|---|
| [HOSTING PROVIDER] | Cloud infrastructure and data storage — hosts all Controller Personal Data | [COUNTRY] | [ADEQUACY DECISION / SCCs Module 3] |
| Serper | Domain pattern data lookup — receives domain names extracted from submitted email addresses | United States | SCCs Module 3 |
| Linkup | Domain pattern data lookup — receives domain names extracted from submitted email addresses | France | EU–EU transfer — no additional mechanism required |
The Processor will maintain this schedule and notify Controllers of material changes as described in Section 4.4. Copies of Standard Contractual Clauses in place with sub-processors are available upon request at [email protected].
Placeholders to complete before publishing
- [FULL LEGAL NAME] — your registered first and last name
- [REGISTERED ADDRESS], [POSTAL CODE], [CITY]
- [NIP NUMBER] — Polish tax identification number
- [HOSTING PROVIDER] — name of your hosting provider
- [COUNTRY] — for hosting provider
- [ADEQUACY DECISION / SCCs Module 3] — for hosting provider