Compliance
Last updated: June 2, 2026
This page is the single roll-up view of how KillBounce approaches regulatory and industry compliance. It states the standards we follow today, the standards we are working toward, and where the underlying documentation can be found. KillBounce is a new service based in India, and the descriptions below reflect the current state of our program rather than a forward-looking target. For specific topics, follow the cross-references to the Privacy Policy, Data Processing Addendum, Security, GDPR, Subprocessors, and Acceptable Use Policy.
1. Standards and frameworks
KillBounce does not currently hold any third-party security or privacy certifications. That is the truthful answer, and we would rather state it plainly than imply otherwise. The product launched in June 2026 and our compliance program is built around the regulations we are legally required to follow, the contractual commitments we make in our DPA, and a set of internal controls described in our Security page.
The frameworks we actively use as a reference point — without claiming certification — are the CIS Critical Security Controls (for baseline operational hygiene), the OWASP Application Security Verification Standard (for the verification API and web app), and the NIST Privacy Framework (as a structure for our privacy program). We consider these appropriate to our scope: a verification service that processes email addresses and related metadata, not a service that handles payment cards, health records, or government identifiers.
On the regulatory side, we follow the laws that actually apply to us: the EU and UK General Data Protection Regulations where customer data describes EU or UK individuals, the California Consumer Privacy Act as amended by the CPRA where it describes California residents, the Digital Personal Data Protection Act 2023 in India, the Indian Information Technology Act 2000, and the Indian Contract Act for the underlying contractual relationship.
Our roadmap, in order of priority, is: a formal information security policy set during the second half of 2026; a SOC 2 Type I readiness assessment once we cross meaningful revenue and headcount thresholds; and ISO/IEC 27001 evaluation thereafter if customer demand justifies the cost and operational overhead. We will not commit to dates we are not confident in. If you need a certification today, we are probably not the right vendor for you yet, and we would rather tell you that up front.
2. Privacy laws
KillBounce processes a narrow category of personal data: email addresses uploaded by our customers, the verification results we return, and standard account and billing metadata. We treat that data as personal data under every privacy law we are subject to, regardless of whether a particular regime would technically scope it in or out.
For customers and end users in the European Economic Area and the United Kingdom, we operate under the GDPR and UK GDPR. When a customer uploads a list of email addresses for verification, the customer is the controller of that data and KillBounce acts as a processor under Article 28. Our Data Processing Addendum sets out the processor obligations, including instructions, confidentiality, sub-processor flow-down, security, assistance with data subject requests, breach notification, and return or deletion at the end of the engagement. The GDPR page describes our transfer mechanism (Standard Contractual Clauses) and how we handle data subject rights in practice.
For California residents, the CCPA as amended by the CPRA applies. KillBounce is a service provider to its business customers and processes personal information only for the business purposes described in the customer agreement. We do not sell or share personal information for cross-context behavioral advertising, and we do not retain, use, or disclose it outside the scope of the agreement. The same posture extends, in substance, to comparable consumer privacy laws in Virginia, Colorado, Connecticut, and other US states.
For India, the Digital Personal Data Protection Act 2023 governs how we handle personal data of data principals located in India, supplemented by the Information Technology Act 2000 and the SPDI Rules. The Privacy Policy describes the purposes for which we process personal data, the rights individuals can exercise, and how to contact the Data Protection Officer. Where a particular obligation applies only to a specific jurisdiction, we apply it locally rather than degrading the experience for everyone else.
3. Anti-spam laws
KillBounce is a verification service, not a sending service. We do not deliver marketing email on behalf of customers, we do not provide an outbound SMTP relay, and we do not store or rent contact lists. The anti-spam laws that apply most directly to email marketing — CAN-SPAM in the United States, CASL in Canada, the ePrivacy Directive and PECR in the EU and UK, and the relevant provisions of the Indian Information Technology Act and TRAI regulations — therefore apply to our customers when they send, not to KillBounce when we verify.
That said, we do require our customers to comply with the law when they use our verification output to send mail. Our Acceptable Use Policy explains, in plain terms, that the lists you upload must have been collected lawfully, that you must honor unsubscribe requests, that you must not use KillBounce to verify purchased or scraped lists where consent cannot be evidenced, and that a verified address is not a substitute for permission. A clean list and a lawful list are two different things, and only the second one keeps you out of trouble with regulators.
We will cooperate with reasonable abuse complaints and law enforcement requests where the legal basis is clear. If we receive credible evidence that a customer is using KillBounce to support an unlawful sending campaign — for example, validating addresses for a phishing operation — we will suspend access and, where appropriate, terminate the account. The customer remains responsible for their downstream conduct under the law.
4. Payment compliance
KillBounce does not store, transmit, or process payment card data. All payment processing for credit purchases runs through Dodo Payments, which operates as the merchant of record for our transactions and is responsible for PCI DSS compliance on the payment surface. When you check out, you enter card details directly into the payment provider's environment, and KillBounce receives a tokenized record of the purchase along with whatever billing metadata the provider passes back to us.
The practical effect is that the PCI DSS scope on our side is limited to making sure we do not accidentally ingest cardholder data. We do not have a card-on-file system, we do not ask for full card numbers in support tickets, and we do not log payment payloads. For tax, invoicing, and refund handling, see the Refund Policy and the billing section of the Terms of Service.
5. Data Protection Officer
KillBounce maintains a Data Protection Officer function. The DPO is the primary point of contact for privacy regulators, for data subjects exercising their rights under the GDPR, UK GDPR, CCPA/CPRA, and DPDP Act, and for customers raising privacy escalations under the DPA.
Reach the DPO at dpo@getkillbounce.com. We aim to acknowledge DPO mail within two business days and to substantively respond within the statutory deadlines (one month under GDPR/UK GDPR, forty-five days under CCPA/CPRA, with extensions only where permitted by the relevant law).
6. Subprocessors
A subprocessor is any third party that processes customer personal data on our behalf to deliver the service. We keep this list short on purpose, both for operational simplicity and to make security review easier for our customers. The current list — the hosting provider, payment provider, transactional email provider, frontend host, and CDN — is maintained on the Subprocessors page, with the purpose of processing and the data categories involved.
Under our DPA, we give customers advance notice before adding or replacing a subprocessor. We do not bury subprocessor changes inside a general terms update. If you object to a proposed change in writing within the notice window, we will work with you in good faith to find a workable path, including termination of the affected service if there is no reasonable alternative.
7. Certifications
KillBounce does not currently hold SOC 2, ISO/IEC 27001, HIPAA, PCI DSS (as a merchant ourselves), or any other third-party security or privacy certification. We do not display logos or make statements that would give the impression that we do. If a sales deck, vendor questionnaire, or RFP requires a current SOC 2 Type II report or ISO 27001 certificate to proceed, we will not pass that gate today.
We recognise that this disclosure will disqualify KillBounce from procurement processes that require a current SOC 2 Type II report or ISO 27001 certificate as a precondition. At our current scale, the cost of a credible audit program would either price the product out of reach or divert engineering capacity from the controls that materially protect customer data. The roadmap in section 1 sets out the order in which we expect to address this. This section will be updated when a certification engagement is in progress — naming the auditor, scope, and realistic completion window — and not before.
HIPAA in particular is out of scope by design. KillBounce is not a Business Associate, we do not sign BAAs, and customers should not upload Protected Health Information into the service. The Acceptable Use Policy reflects this.
8. Security practices
The detailed description of our security controls lives on the Security page. At a high level: customer lists and per-row verification results are retained for approximately seven days and then purged, with only aggregate lifetime counters surviving on the user record; passwords are stored as bcrypt hashes and OAuth is supported through Google and GitHub; data in transit is protected with TLS; the application, queue, cache, and database run on a hardened VPS with restricted administrative access; and backups are taken on a defined schedule with documented restore procedures.
Vulnerability reports are welcome. Email security@getkillbounce.com with a reproduction and we will acknowledge within one business day. We do not currently run a paid bug bounty, but we will credit researchers who follow responsible disclosure and we will not pursue legal action against good-faith research conducted within the scope described on the Security page.
9. Reporting a concern
We would much rather hear about a problem than have you stew on one. Use the address that fits the topic so the right person sees it first:
For privacy matters — data subject requests, access, deletion, correction, portability, objection, or anything else under GDPR, UK GDPR, CCPA/CPRA, or the DPDP Act — privacy@getkillbounce.com. The DPO is copied on this address.
For security matters — suspected vulnerabilities, account takeover, unusual activity, or anything you think might be a breach — security@getkillbounce.com. If the matter is time-sensitive, say so in the subject line.
For abuse matters — phishing, spam, unauthorized use of the service, or someone using KillBounce against the Acceptable Use Policy — abuse@getkillbounce.com. Please include headers, screenshots, or other evidence where you can.
Retaliation against anyone who reports a concern in good faith is not acceptable on our side and we will not tolerate it from customers either. If a report turns out to be mistaken, that is fine; reporting in the first place is what matters.
10. Vendor and procurement pack
We know that procurement teams need more than a marketing page to clear a vendor. On request, we will send a short pack that includes a one-page compliance overview, a copy of the current Data Processing Addendum ready for execution, a summary of the Privacy Policy mapped to common questionnaire items, the subprocessor list in a clean format, and a short answer set covering the most frequent SIG, CAIQ, and bespoke security questionnaire items at our current scope.
Email legal@getkillbounce.com with your company name, the deployment use case, and any specific questionnaire requiring a response. Turnaround is typically two to five business days. Where a question cannot be answered in the affirmative, the response will state that directly — see section 7.
We do not sign customer-paper MSAs, NDAs longer than two pages, or DPAs that are not materially the same as our own at our current scale. This is not a posture statement; it is a bandwidth one. As we grow, we expect to relax this.
11. Contact
KillBounce is based in Bengaluru, India. The governing law for the underlying contract is the law of India; the DPA contains the standard EU and UK transfer provisions where they apply.
Use the address that fits your question: legal and procurement at legal@getkillbounce.com; privacy and DPO matters at privacy@getkillbounce.com or dpo@getkillbounce.com; security at security@getkillbounce.com; abuse at abuse@getkillbounce.com; and anything else at support@getkillbounce.com.