Data Processing Addendum (DPA)

Last updated: October 20, 2025

This Data Processing Addendum ("DPA") forms part of and supplements the Terms and Conditions or other written agreement between AMF Internet Services Limited trading as Anymail Finder ("Company", "Processor", "Data Importer") and the customer identified in the applicable order or online sign-up ("Customer", "Controller", "Data Exporter") that governs Customer's access to and use of Anymail Finder services (the "Agreement"). Capitalized terms not defined in this DPA have the meanings given in the Agreement.

Effective Date: the date on which Customer accepted or signed the Agreement (or, if later, this DPA).

1. Definitions

• "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
• "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU GDPR (Regulation (EU) 2016/679), the UK GDPR (as defined in s.3(10) of the UK Data Protection Act 2018), the UK Data Protection Act 2018, the Swiss FADP (as revised), and any national implementing legislation, in each case as amended or replaced from time to time. Terms such as "personal data", "processing", "controller", "processor", "supervisory authority", and "personal data breach" have the meanings set out in the EU GDPR (and, where applicable, the UK GDPR).
• "Services" means the Anymail Finder services purchased or used by Customer under the Agreement (including email finding and verification, account administration, and related support).
• "Customer Account Data" means personal data relating to Customer's relationship with Company (e.g., admin names, contact details, team members, billing contacts).
• "Customer Usage Data" means service usage/telemetry data processed by Company for service delivery, security, fraud/abuse prevention, troubleshooting, and performance.
• "Subprocessor" means any processor engaged by Company to process Personal Data on Company's behalf in connection with the Services.
• "EU SCCs" means the standard contractual clauses for international transfers of personal data to third countries adopted by the European Commission under Decision 2021/914 (4 June 2021).
• "UK Addendum" means the UK Information Commissioner's Addendum to the EU SCCs (or the IDTA, if elected by Company) for transfers of personal data from the UK.
• "Ex-EEA Transfer" / "Ex-UK Transfer" means a transfer of Personal Data from the EEA/UK to a country without an adequacy decision.

2. Roles of the Parties

1. Customer is Controller. For Personal Data that Customer uploads to or instructs Company to process via the Services, Customer acts as controller and Company acts as processor.
2. Company as Controller. Company acts as an independent controller for:
   • Customer Account Data,
   • billing, compliance, security/fraud prevention, service analytics, and
   • other processing required by law.
   This controller processing is governed by Company's Privacy Policyand is not "on behalf of Customer".

3. Processor Obligations

Company shall:

• Process on documented instructions. Process Personal Data only on Customer's documented instructions, as set out in the Agreement and this DPA (including Annex I), unless required by applicable law (in which case Company will inform Customer unless prohibited).
• Confidentiality. Ensure persons authorized to process Personal Data are subject to appropriate confidentiality obligations.
• Security. Implement and maintain appropriate technical and organizational measures ("TOMs") to protect Personal Data as described in Annex II.
• Subprocessors. Only engage Subprocessors pursuant to Section 6, and impose data protection obligations no less protective than those in this DPA.
• Assistance. Taking into account the nature of processing and information available, assist Customer with:
  • data subject requests (Section 7),
  • security and breach notifications (Section 8),
  • data protection impact assessments and consultations with supervisory authorities,
  • and compliance with Articles 32-36 EU/UK GDPR.
• Deletion/Return. At Customer's choice, return or delete Personal Data upon termination or expiry of the Services and delete existing copies, unless storage is required by law. Company will certify deletion upon Customer request. Operationally, where Customer deletes its account via the product flow, permanent deletion will occur within 14 days of a verified deletion request; backups are overwritten on normal retention cycles.
• Records. Maintain records of processing as required by Data Protection Laws and make them available to a competent supervisory authority upon request.

4. Customer Responsibilities

Customer shall:

• Ensure it has a lawful basis and provides required notices for the processing of Personal Data in/through the Services;
• Provide documented instructions that comply with Data Protection Laws and do not cause Company to violate those laws;
• Be responsible for the accuracy, quality, and legality of Personal Data and the means by which it was acquired; and
• Use available product features (e.g., deletions, opt-outs/blacklists) to support compliance.

5. Details of Processing

The subject matter, duration, nature and purpose, types of Personal Data, and categories of data subjects are set out in Annex I.

6. Subprocessors

1. Authorization. Customer provides general written authorization for Company to engage Subprocessors to support the delivery of the Services.
2. List & changes. Company's current Subprocessors are listed in Annex III (and may also be reflected on Company's website). Company will notify Customer of any intended changes to Subprocessors and provide an opportunity to object on reasonable data protection grounds within 30 days of notice.
3. Objections. If Customer reasonably objects and Company cannot provide a commercially reasonable alternative, Customer may suspend the affected processing or terminate the affected Services (without penalty for the terminated portion), and receive a pro-rata refund of pre-paid fees for the terminated portion.
4. Flow-down. Company will enter written agreements with Subprocessors imposing obligations no less protective than those set out in this DPA. Company remains liable for each Subprocessor's performance.

7. Data Subject Requests

If Company receives a request from a data subject relating to Customer's Personal Data, Company will promptly notify Customer (unless prohibited by law) and direct the data subject to contact Customer. Company will assist Customer, taking into account the nature of processing, by appropriate technical and organizational measures, so that Customer can respond to requests to access, rectify, erase, restrict, object, or port Personal Data.

8. Security & Incident Management

1. Security. Company will implement and maintain the TOMs described in Annex II.
2. Personal Data Breach. Company will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer's Personal Data and provide information required by Article 33(3) EU/UK GDPR as it becomes available, including: the nature of the breach, categories/approximate numbers of data subjects and records, likely consequences, and measures taken or proposed to address the breach.
3. Cooperation. Company will cooperate with Customer and provide reasonable assistance to enable Customer to comply with Articles 33 and 34 (including notifications to supervisory authorities and data subjects, where required).

9. Audits & Information Rights

1. Reports. Upon written request, Company will make available summary information reasonably necessary to demonstrate compliance (e.g., security overviews/TOMs, penetration test summaries, or third-party attestations if available).
2. Audits. If such information is insufficient under Data Protection Laws, Customer may conduct (or appoint an independent auditor to conduct) a targeted audit on reasonable prior written notice (at least 30 days), no more than once per 12 months (unless following a material incident), during normal business hours, in a manner that minimizes disruption and respects Company's confidentiality and security policies. Customer bears its own audit costs and reimburses Company for reasonable time/expenses.

10. International Data Transfers

1. General. Company may process and transfer Personal Data globally to provide the Services, including hosting on AWS (United States) and Hetzner (Germany).
2. EU SCCs. For Ex-EEA Transfers, the EU SCCs (Controller-to-Processor - Module 2) and, where relevant, Processor-to-Processor - Module 3 are incorporated by reference and deemed executed between Customer (as Data Exporter) and Company (as Data Importer), completed as follows:
   • Clause 7 (Docking): applies.
   • Clause 9 (Subprocessors): Option 2 (general authorization); notice per Section 6.
   • Clause 11: optional language does not apply.
   • Clause 17: Irish law governs the SCCs.
   • Clause 18: Courts of Ireland have jurisdiction.
   • Annex I/II: as set out in Annex I and Annex II to this DPA.
3. UK Addendum. For Ex-UK Transfers, the UK Addendum to the EU SCCs (or, at Company's election, the IDTA) is incorporated by reference and completed using the details in Annex I/II and Company's contact details; conflicts are resolved per the UK Addendum/IDTA.
4. Switzerland. For transfers from Switzerland, the EU SCCs apply with the modifications required by the FADP (e.g., FDPIC as competent authority; "Member State" interpreted to include Switzerland).
5. Supplementary measures. Company will implement supplementary measures as reasonably necessary to ensure an essentially equivalent level of protection (e.g., encryption in transit/at rest, access controls, need-to-know, challenge/notify where lawful of government access).

11. Return and Deletion

Upon termination or expiry of the Services, Customer may elect to have Company return all Personal Data (in a commonly used machine-readable format) and/or delete it. If no election is made, Company will delete Personal Data within 30 days of termination, subject to legal retention requirements. For Customer-initiated account deletion via the product, permanent deletion occurs within 14 days of a verified deletion request. Backups are overwritten on normal cycles.

12. Government Access Requests

Where legally permitted, Company will notify Customer of any legally binding request for disclosure of Personal Data by a law enforcement authority. Company will challenge unlawful or overbroad requests and will disclose only the minimum required to comply with the request.

13. Liability & Precedence

The parties' liability under this DPA is subject to the limitations/exclusions in the Agreement. If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict. If there is a conflict between this DPA and the EU SCCs/UK Addendum, the EU SCCs/UK Addendum prevail.

14. Governing Law

This DPA (excluding the EU SCCs and UK Addendum, which are governed per Section 10) is governed by the law specified in the Agreement. If the Agreement does not specify, this DPA is governed by the laws of England and Wales, and the courts of England have exclusive jurisdiction.

15. Amendments

Company may update this DPA to reflect changes in law or Services by providing at least 30 days' notice. If Customer reasonably objects on data protection grounds and the parties cannot resolve, Customer may terminate the affected Services and receive a pro-rata refund of any pre-paid fees for the terminated portion.

16. Signatures

This DPA is deemed executed upon acceptance of the Agreement or signature of an order that references this DPA. If a separate signature is required, each party may sign electronically.

Annex I - Details of Processing (Art. 28(3); SCC Annex I)

1. Parties:
   • Data Exporter (Controller):
     Customer (and Customer Affiliates, where applicable)
     Address: As per order/registration
     Contact: As per order/registration
     Role: Controller
   • Data Importer (Processor):
     AMF Internet Services Limited (Anymail Finder)
     Registered office: United Kingdom
     Contact: team@anymailfinder.com
     Role: Processor
2. Description of Processing:
   • Subject matter: Processing of Personal Data as necessary to provide the Services (email finding/verification, account administration, support).
   • Duration: Term of the Agreement plus deletion/return period in Section 11.
   • Nature & Purpose: Hosting, transmission, validation/verification of email addresses on Customer instruction; storage in Customer's account; support; security monitoring; service analytics (as processor where applicable).
   • Categories of Data Subjects: Customer's employees/contractors; leads/prospects/contacts whose data Customer processes via the Services; Customer users/admins.
   • Categories of Personal Data: Names; business contact details (email, role/title, company, domain); metadata required to verify email deliverability (e.g., domain status, SMTP checks); account credentials (hashed); usage/telemetry (IP, timestamps, device/browser info) where processed as processor; support communications.
   • Special Categories: Not intended; Customer shall not submit special category data or children's data.
   • Frequency: Continuous/episodic during the term.
   • Transfers: See Section 10 (AWS US; Hetzner DE).
   • Retention: See Section 11 and the product controls; search data auto-deletes per product policy (6 months bulk / 12 months single) or upon account deletion; logs up to 14 days.
3. Competent Supervisory Authority:
   For EU SCCs: the authority where the Data Exporter is established or, if none, Ireland's DPC.

Annex II - Technical & Organisational Measures (Art. 32; SCC Annex II)

Information security program. Company maintains a risk-based security program that includes:

1. Governance & access control
   • Role-based access; least privilege; approval workflows.
   • MFA enforced for internal systems; SSO for employees where supported.
   • Employee confidentiality obligations and security/privacy training.
2. Encryption
   • TLS for data in transit; encryption at rest for production data stores.
   • Key management via cloud provider services with restricted access.
3. Network & infrastructure security
   • Segmented environments; firewalls and security groups; hardened images.
   • Vulnerability management and periodic security reviews/pen-tests.
   • Continuous monitoring and alerting for anomalies.
4. Application security
   • Secure SDLC practices; code review and automated testing; dependency scanning.
   • Secrets management; CI/CD with approval gates.
5. Logging & monitoring
   • Centralized logs for security and operations; restricted access; retention up to 14 days for API/system/access logs.
6. Data management
   • Data minimization; configurable retention (search data auto-deletion: 6 months bulk / 12 months single).
   • Customer-initiated deletion features (per-search delete; account deletion).
   • Backups and restore testing; backups overwritten on normal cycles.
7. Physical security
   • Data centers provided by AWS (US) and Hetzner (DE) with industry-standard physical controls.
8. Business continuity & incident response
   • Documented incident response plan with escalation; lessons-learned reviews.
   • Breach notification without undue delay and cooperation per Section 8.
   • High-level BCP/DR procedures aligned with cloud provider resilience.
9. Third parties
   • Vendor due diligence; DPAs with Subprocessors; periodic reviews; least-privilege API/service access.

Annex III - Authorized Subprocessors (current as of the Effective Date)

• Amazon Web Services (AWS) - Hosting & data storage (United States)
• Hetzner Online GmbH - Backup & infrastructure hosting (Germany)
• Intercom - Customer communications & support
• Plausible - Privacy-focused website analytics
• Google - Email delivery & internal communications
• Slack - Internal team communications & support notifications
• Rewardful - Affiliate/referral program management
• Sentry - Application error monitoring
• Mailcoach (by Spatie) - Transactional/marketing email delivery

Company may update this list in accordance with Section 6.

Annex IV - International Transfer Mechanics (Summary)

EU SCCs (2021/914):

• Module 2 (Controller→Processor) and Module 3 (Processor→Subprocessor) as applicable.
• Clause 9: General authorization; notice per Section 6.
• Clause 17/18: Irish law and courts.
• Annex I/II: As set out above.

UK Transfers:

• UK Addendum to the EU SCCs (or IDTA at Company's election).
• Tables completed using the details in Annex I/II and Company contact: team@anymailfinder.com.

Switzerland:

• EU SCCs with FADP modifications (FDPIC as competent authority; Swiss courts as permitted).