1. Our Approach to GDPR
Verifox (verifox.ai) takes GDPR compliance seriously. We have built our platform with privacy-by-design and privacy-by-default principles embedded at every layer, consistent with GDPR Article 25. This page explains our compliance programme and how it protects both you and the individuals whose data you process using our platform.
GDPR compliance at Verifox is overseen by our Data Protection Officer (DPO), who reports directly to senior management. Our DPO is reachable at support@verifox.ai.
2. Controller vs. Processor Roles
Verifox operates in two distinct roles under GDPR, and the role determines our obligations and yours:
Data Controller (Article 4(7))
We are a data controller for personal data collected in connection with managing your Verifox account — including your name, email address, billing information, and usage logs. In this role, we determine the purposes and means of processing and are directly responsible for compliance with GDPR principles under Article 5.
Data Processor (Article 4(8))
We act as a data processor when you submit email lists and other data to the Service for verification or analysis. In this role, we process data solely on your documented instructions, as set out in our Data Processing Agreement (DPA). You, as the data controller, are responsible for ensuring you have a lawful basis (such as legitimate interests under Article 6(1)(f)) for submitting the data.
Data Processing Agreement
Our DPA is incorporated into our Terms of Service by reference and satisfies the requirements of GDPR Article 28. It covers: processing instructions, confidentiality, security measures, sub-processor management, data subject rights assistance, records of processing, data breach notification, and deletion/return of data.
3. Records of Processing Activities
In accordance with GDPR Article 30, Verifox maintains records of processing activities (RoPA) covering all processing for which we are the controller and all processing we conduct as a processor on behalf of customers. Our RoPA includes:
- Name and contact details of the controller and DPO
- Purposes of processing
- Description of categories of data subjects and personal data
- Categories of recipients
- International transfer details and safeguards
- Retention schedules
- Description of technical and organisational security measures
The RoPA is available for inspection by supervisory authorities upon request. Customers who need a summary of our processing activities as processor may request one at support@verifox.ai.
4. Data Subject Rights Fulfilment
Under GDPR Articles 15–22, Verifox provides mechanisms for data subjects to exercise their rights. When a data subject submits a rights request directly to you (as controller) regarding data processed by Verifox on your behalf, we will assist you in responding, as required by GDPR Article 28(3)(e).
If a data subject contacts Verifox directly regarding data in your email lists, we will forward the request to you promptly and notify them that the request has been passed to the relevant controller. We will not process the request ourselves without your authorisation, unless required by law.
5. Data Breach Notification
Verifox has documented incident response procedures that include data breach detection, containment, assessment, and notification processes.
- Supervisory authority notification: We will notify the relevant lead supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, in accordance with GDPR Article 33.
- Individual notification: Where a breach is likely to result in a high risk to individuals, we will notify affected individuals without undue delay, in accordance with GDPR Article 34.
- Customer notification (processor role): When a breach affects data we process as your processor, we will notify you without undue delay and within 24 hours of becoming aware of the breach, so that you can meet your 72-hour notification obligation to the supervisory authority.
6. Data Protection Impact Assessments
For high-risk processing activities, Verifox conducts Data Protection Impact Assessments (DPIAs) in accordance with GDPR Article 35. We have conducted DPIAs for:
- Our SMTP probing infrastructure (bulk email verification)
- Our FoxGuard fraud detection scoring system
- Our DMARC monitoring service (which processes email header data at scale)
DPIA summaries are available to enterprise customers upon request at support@verifox.ai.
7. Privacy by Design and Default
Verifox applies GDPR Article 25 (Privacy by Design and Default) in our product development process:
- Data minimisation: We collect only the data necessary for each feature. SMTP verification does not require storing the target email address beyond the session.
- Purpose limitation: Verification input data is processed only for the purpose of returning results and is not used for secondary purposes such as building marketing databases.
- Storage limitation: Our retention schedules (detailed in the Privacy Policy) are enforced by automated deletion routines.
- Privacy reviews in the SDLC: New features undergo a privacy review before launch, including assessment of GDPR obligations.
8. Requesting Our DPA
Enterprise customers who require a signed DPA as part of their vendor assessment process may request one by contacting support@verifox.ai. Our standard DPA is pre-signed by Verifox and includes the Standard Contractual Clauses (SCCs) for controller-to-processor transfers from the EU/EEA to the United States.
We aim to return executed DPAs within 3 business days for standard requests. Custom DPA negotiations are available for enterprise customers on custom plans.
This document was last updated on March 27, 2026. If you have questions about this policy, please contact support@verifox.ai.