Last Updated: 14 February 2026

Data Processing Agreement

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Customer ("Controller") and Autheona ("Processor"). It governs the processing of Personal Data in connection with Autheona's intelligent verification services.

By using the Service, Customer agrees to this DPA. If you do not agree, you must discontinue use of the Service.

Definitions

  • Controller: The entity determining the purposes and means of processing Personal Data (the Customer)
  • Processor: Autheona, processing Personal Data on behalf of the Controller
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Subprocessor: A third party engaged by Autheona to assist in processing Personal Data
  • Data Protection Laws: Applicable data protection regulations, including any implementing legislation
  • Services: Autheona's real-time intelligent verification platform and API

Purpose and Instructions

Autheona processes Customer Personal Data solely to deliver the Services and provide related support. Processing is limited to:

  • Analyzing email addresses submitted via API calls
  • Generating risk assessments and classification results
  • Detecting fraud indicators, domain health issues, and deliverability concerns
  • Providing dashboard access and reporting

We process Personal Data only on documented instructions from Customer, unless required by law.

Data Protection Obligations

We agree to:

  • Process Personal Data only on documented instructions from Customer
  • Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist Customer in responding to data subject rights requests
  • Delete or return Personal Data upon termination of the Services
  • Provide information necessary to demonstrate compliance with this DPA

Prohibited Data

Customer must not submit sensitive or special category data (health, race, religion, political opinions, sexual orientation, biometric data, etc.) to our API.

If such data is submitted accidentally, we will delete it immediately upon discovery and notify Customer.

Customer Responsibilities

Customer represents and warrants that:

  • Customer has a lawful basis for processing and transferring Personal Data to Autheona
  • Customer has provided required notices to data subjects
  • Customer has obtained necessary consents where required
  • Customer's use of the Services complies with Data Protection Laws

Security

We implement appropriate technical and organizational measures to protect Personal Data, including:

  • AES-256 encryption for data at rest
  • TLS/HTTPS encryption for data in transit
  • Secure API authentication and access controls
  • Infrastructure monitoring and logging
  • Regular security updates and patches

Additional security details are available upon request.

Subprocessors

We engage trusted subprocessors to help deliver the Services. Current subprocessors include:

  • Amazon Web Services (AWS): Cloud hosting and infrastructure
  • Polar.sh: Payment processing

We will provide Customer with notice of any intended changes to subprocessors. Customer may object to such changes within 7 days of notification.

Data Breach Notification

We will notify Customer without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data breach affecting Customer's data.

Notification will include:

  • The nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

We will cooperate with Customer and provide reasonable assistance in investigating and remedying the breach.

International Transfers

Currently, all data is stored and processed within the US. No transfers outside the US are conducted at this time.

If we initiate transfers outside the US in the future, we will:

  • Notify affected Customers in advance
  • Implement appropriate safeguards (such as Standard Contractual Clauses)

Data Retention and Deletion

Retention Periods

  • Raw API logs: Retained for 90 days to 2 years for security monitoring
  • Analyzed email addresses: Retention controlled by Customer via API parameters
  • Account data: Retained while account is active plus limited period after closure

Deletion

Upon Customer request or termination:

  • We delete Customer Personal Data from live systems within 30 days
  • Data is removed from backups within 90 days
  • Deletion confirmation is available upon request

We may retain anonymized or aggregated data indefinitely for service improvement and analytics.

Audit Rights

We will complete reasonable security questionnaires about our data protection practices and provide relevant documentation upon request.

For enterprise Customers, additional audit rights may be negotiated in a separate agreement.

Assistance with Compliance

We will assist Customer with Data Protection Impact Assessments (DPIAs), prior consultations with supervisory authorities, and other reasonable compliance activities required under Data Protection Laws.

Assistance may be subject to additional fees for significant requests.

Liability

Each party's liability under this DPA is limited to fees paid by Customer to Autheona in the twelve (12) months preceding the claim.

This limitation does not apply to:

  • A party's gross negligence or willful misconduct
  • Liability for claims by data subjects under Data Protection Laws
  • Obligations that by law cannot be limited

Term and Termination

This DPA remains effective for the duration of Customer's use of the Services.

Data protection obligations under this DPA survive termination as required by Data Protection Laws.

We will delete or return Customer Personal Data upon termination in accordance with the Data Retention and Deletion section.

Order of Precedence

In the event of conflict between documents, the following order of precedence applies:

  1. Data Protection Laws
  2. Standard Contractual Clauses (if applicable)
  3. This DPA
  4. Terms and Conditions
  5. Privacy Policy

Changes to This Agreement

We may update this DPA to reflect changes in law, regulatory guidance, or our processing activities. Material changes will be communicated to Customer.

Continued use of the Services after changes constitutes acceptance of the updated DPA.

Contact Us

If you have any questions about this DPA, please contact:

Autheona
legal@autheona.com