Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Lanos Technologies Pvt. Ltd. ("Processor", "we", "us") and the entity or individual agreeing to these terms ("Controller", "you"). This DPA governs how we process personal data on your behalf when you use InboxCheck ("the Service"), and supplements any obligations under applicable data protection legislation, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and India's Digital Personal Data Protection Act, 2023 (DPDP Act).
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including GDPR, UK GDPR, DPDP Act, and any other relevant national or regional data protection legislation.
2. Scope of Processing
We process the following categories of Personal Data on your behalf:
| Data Category | Details | Retention |
|---|---|---|
| Email addresses | Submitted for verification; immediately SHA-256 hashed after processing. Raw email addresses are never persisted. | Hash retained 90 days |
| Verification results | Safe, Risky, or Unsafe verdicts associated with the SHA-256 hash | 90 days |
| Usage metadata | Timestamps, daily verification counts for rate limiting and billing | Duration of account |
| Account data | Email address, hashed password or OAuth identity | Until account deletion |
We do NOT process names, physical addresses, financial data (payment data is handled exclusively by PayPal/Razorpay), or any special categories of Personal Data (e.g., health, biometric, or political data).
3. Processing Purposes
Personal Data is processed solely for:
- Providing email verification results to the Controller
- Enforcing rate limits, preventing abuse, and maintaining Service integrity
- Fulfilling billing and subscription management obligations
- Generating aggregated, anonymized analytics to improve Service accuracy
We will not process Personal Data for any purpose other than those specified above or as instructed by the Controller in writing.
4. Processor Obligations
As Processor, we shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case, we will inform the Controller of that legal requirement before processing, unless prohibited by law)
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement and maintain the technical and organizational security measures described in Section 5
- Not engage another processor (Sub-processor) without prior notice to the Controller, as described in Section 6
- Assist the Controller in responding to Data Subject requests, as described in Section 8
- Assist the Controller in ensuring compliance with data breach notification obligations
- Delete or return all Personal Data to the Controller upon termination, as described in Section 7
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
5. Data Security Measures
We implement the following technical and organizational measures to ensure a level of security appropriate to the risk:
- Encryption at rest: All data is encrypted at rest using AES-256 via our database provider (Supabase/AWS).
- Encryption in transit: All communications between the extension, our API, and our database use TLS 1.2 or higher. No data is transmitted over unencrypted channels.
- Pseudonymization: Email addresses are SHA-256 hashed before database storage. Raw email addresses are never persisted in our systems after processing.
- Access control: Row-Level Security (RLS) is enforced on all database tables. Administrative access is restricted to authorized personnel only. Service keys are rotated regularly.
- Edge computing: Verification API processing occurs on Cloudflare's edge network with smart placement, minimizing data transit distance and exposure.
- Monitoring: Automated alerting for anomalous access patterns, rate limit violations, and infrastructure anomalies.
- Confidentiality: All personnel with access to Personal Data are bound by confidentiality obligations.
6. Sub-processors
We use the following Sub-processors. We will notify the Controller at least 30 days before adding, replacing, or materially changing any Sub-processor. The Controller may object to a new Sub-processor by contacting us within that notice period.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Authentication, database storage | US East (Virginia) |
| Cloudflare | Edge compute, CDN, DNS | Global (Smart Placement) |
| Upstash | Redis caching for rate limiting and hashed results | US East (Virginia) |
| PayPal | Payment processing (international) | US / Global |
| Razorpay | Payment processing (India) | India |
Each Sub-processor is bound by data processing obligations no less protective than those set out in this DPA. We remain fully liable for the acts and omissions of our Sub-processors.
7. Data Retention & Deletion
- Local browser cache of verification results is retained for up to 24 hours and is automatically purged by the extension.
- Server-side verification history logs (SHA-256 hash, result, timestamp) are retained for 90 days, then automatically deleted.
- Account data is retained until the Controller deletes their account.
- Upon account deletion, all associated Personal Data is permanently deleted within 30 days, except where retention is required by applicable tax, financial, or legal obligations.
- Payment transaction records (order ID, amount, status) are retained as required by applicable financial regulations.
8. Data Subject Rights
We will assist the Controller in responding to Data Subject requests exercising their rights under Applicable Data Protection Law, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to restriction of processing
- Right to object to processing
We will respond to Data Subject requests within 30 days. Please contact us at privacy@inboxcheck.io for data subject requests. If we receive a Data Subject request directly, we will promptly notify the Controller unless prohibited by law.
9. International Transfers
Personal Data may be transferred to and processed in countries outside the Controller's jurisdiction, including the United States and the European Union. All such transfers are protected by:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, incorporated into our agreements with Sub-processors where required
- Sub-processor compliance certifications (SOC 2, ISO 27001 where applicable)
- Technical measures (encryption, pseudonymization) providing equivalent protection regardless of data location
- Assessment of the adequacy of data protection in the recipient country, where required by Applicable Data Protection Law
10. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on behalf of the Controller, we will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
- Describe the likely consequences of the breach
- Describe the measures taken or proposed to address the breach and to mitigate its effects
- Cooperate with the Controller and provide reasonable assistance in the Controller's efforts to comply with its own breach notification obligations under Applicable Data Protection Law
11. Audit Rights
The Controller may audit our compliance with this DPA upon reasonable written notice of at least 30 days. We will provide necessary information, access to relevant documentation, and reasonable assistance for such audits. Audits shall be conducted no more than once per calendar year, during normal business hours, and in a manner that does not disrupt the Service. The Controller shall bear the cost of any such audit. Alternatively, we may provide the Controller with a third-party audit report or certification (such as SOC 2) that covers the obligations under this DPA.
12. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for damages resulting from its breach of data protection obligations that cannot be limited under Applicable Data Protection Law.
13. Term & Termination
This DPA shall remain in effect for as long as we process Personal Data on the Controller's behalf. Upon termination of the Service agreement, we will, at the Controller's written election, delete or return all Personal Data within 30 days, unless retention is required by applicable law. We will certify deletion upon request. The obligations of confidentiality and data security survive termination of this DPA.
14. Contact
Lanos Technologies Pvt. Ltd.
Silver Square, Dattatray Road, Santacruz West, Mumbai, India
Data Protection Contact: privacy@inboxcheck.io