Data Processing Addendum

For Personal Data that Customer submits to Bounso for verification (the “Customer Personal Data”), Customer is the Controller and Bounso is the Processor. Bounso will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers, unless required by law. Customer’s instructions are reflected in (a) the agreement, (b) this DPA, and (c) Customer’s configuration of the service.

For Personal Data about Customer’s own account (e.g., the email of the user who signs up), Bounso is the Controller and processes that data under our Privacy Policy. This DPA does not cover that processing.

• Subject matter: email verification, including DNS lookups, SMTP probes, and provider-API checks.
• Nature and purpose: processing email addresses (and any optional metadata Customer uploads alongside them) to produce verification verdicts, scores, and provider signals.
• Duration: for the term of the agreement and for the post-termination period described under §8 (Return or deletion on termination).

Categories of Personal Data

• Email addresses Customer submits for verification.
• Any additional fields Customer chooses to include in CSV uploads (e.g., first name, last name, company), which Bounso stores alongside the verification result for export back to Customer.
• Technical metadata associated with verification (MX provider, response codes, timestamps).

Categories of data subjects

• Customer's prospects, leads, contacts, customers, employees, and any other individuals whose email addresses Customer chooses to verify.

Bounso does not require, and Customer should not provide, special categories of Personal Data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR). Customer is responsible for ensuring it has a lawful basis for processing the Personal Data it submits.

Customer provides general authorization for Bounso to engage sub-processors to assist in delivering the service. The current list of sub-processors is:

• Stripe, Inc. — payment processing (United States)
• Supabase, Inc. — managed database and auth (United States)
• Contabo GmbH — server infrastructure for verification workers
• Google LLC — provider-level signals for catch-all detection (limited to domain-level lookups)
• Microsoft Corporation — provider-level signals for Microsoft 365 / Outlook verification

Bounso will notify Customer of any intended changes to sub-processors (addition or replacement) at least 30 days in advance by email or via a prominent in-product notice. Customer may object on reasonable data-protection grounds within 30 days of notification by emailing privacy@bounso.com. If the parties cannot resolve the objection in good faith, Customer may terminate the affected portion of the service and receive a prorated refund of any prepaid fees for the unused period.

Bounso will impose data-protection obligations on each sub-processor that are no less protective than those set out in this DPA, and will remain liable for each sub-processor’s compliance.

Bounso implements appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, including:

• Encryption in transit (TLS 1.2+) for all customer-facing traffic.
• Encryption at rest for stored verification data and account records.
• Role-based access controls, least-privilege provisioning, and unique credentials per administrator.
• Multi-factor authentication on administrator accounts.
• Centralized audit logging of administrative actions on Customer Personal Data.
• Network segmentation between application, database, and worker tiers.
• Vulnerability monitoring and timely patching of underlying systems.
• Background checks on personnel with access to production systems, and confidentiality obligations under their employment agreements.
• Documented incident response plan tested at least annually.
• Regular review of sub-processor security postures.

Bounso may update these measures from time to time provided that the updates do not materially diminish the level of protection.

Taking into account the nature of the processing, Bounso will assist Customer with appropriate technical and organizational measures, as far as possible, in responding to requests from data subjects to exercise their rights under applicable data protection law (e.g., access, rectification, erasure, restriction, portability, objection).

Bounso’s standard support is that Customer can use the dashboard and API to look up, export, and delete records itself. Where Bounso receives a data-subject request directly, we will, without undue delay, forward it to Customer and will not respond ourselves unless Customer authorizes us to do so or we are legally required to.

Bounso will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer Personal Data. The notification will include, to the extent known at the time:

• A description of the nature of the breach and the categories and approximate number of data subjects and records concerned.
• The name and contact details of Bounso's privacy contact.
• The likely consequences of the breach.
• The measures taken or proposed to address the breach and mitigate its effects.

Bounso will reasonably cooperate with Customer’s investigation and any notifications Customer is required to make to regulators or data subjects. Notification of a breach is not an acknowledgment of fault or liability.

• On termination or expiration of the agreement, Customer may export Customer Personal Data through the dashboard or API for up to 30 days.
• Bounso will delete or anonymize Customer Personal Data within 90 days of termination, except for (a) backup archives, which are deleted on the regular backup-rotation schedule, and (b) any data Bounso is legally required to retain.
• On request, Bounso will provide written confirmation that deletion is complete.

Bounso processes Customer Personal Data primarily in the United States. Where Customer’s use of the service involves a transfer of Personal Data from the European Economic Area, United Kingdom, or Switzerland to a third country that has not been recognized as providing an adequate level of protection, the parties agree that:

• The European Commission's Standard Contractual Clauses (Module Two — controller to processor — Decision 2021/914) are incorporated into this DPA by reference, with the data exporter being Customer and the data importer being Bounso.
• For transfers subject to UK data protection law, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs.
• For transfers subject to Swiss data protection law, the SCCs are read with the modifications described by the Swiss Federal Data Protection and Information Commissioner.
• Bounso will provide reasonable assistance to Customer with any transfer impact assessments Customer needs to perform.

A copy of the executed SCCs is available on request at privacy@bounso.com.

Bounso will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including:

• On request, Bounso's then-current security overview and third-party audit reports (where available).
• An annual summary of any material changes to security measures or sub-processors.
• Responses to reasonable security questionnaires.

Where Customer reasonably believes that the information provided above is insufficient to demonstrate compliance, Customer may, on at least 30 days’ written notice and not more than once per twelve-month period (except where required by a supervisory authority), conduct or appoint a mutually agreed independent third party to conduct an audit. The audit will be conducted during business hours, will not unreasonably interfere with Bounso’s operations, and will be subject to confidentiality obligations. Customer will bear its own audit costs and Bounso’s reasonable costs of supporting any on-site audit. Bounso may decline access to information that would compromise the security of other customers or violate legal obligations.

Each party’s liability arising out of or related to this DPA is subject to the limitations of liability set out in the underlying agreement (Terms of Service).

• If there is a conflict between this DPA and the underlying agreement, this DPA prevails with respect to processing of Customer Personal Data.
• If there is a conflict between this DPA and the SCCs, the SCCs prevail.
• Bounso may update this DPA to reflect changes in applicable data protection law or sub-processor lists. Material changes will be notified in advance.
• This DPA is governed by the law of the underlying agreement; SCCs are governed by their own choice of law.