Data Processing Agreement
Last updated: June 2, 2026
This Data Processing Agreement (the "DPA") forms part of, and is incorporated by reference into, the Terms of Service between you (the "Customer", "Controller") and KillBounce, an email verification platform based in India ("KillBounce", "Processor", "we"). It governs the processing of Personal Data carried out by KillBounce on behalf of the Customer when the Customer uses the paid Service. It is designed to satisfy Article 28 of the EU General Data Protection Regulation ("GDPR"), the equivalent provisions of the United Kingdom GDPR ("UK GDPR"), and the controller-processor obligations under the Indian Digital Personal Data Protection Act 2023 (the "DPDP Act") to the extent applicable.
1. Introduction and Incorporation
This DPA is automatically incorporated by reference into the Terms of Service for all paying customers of the KillBounce Service. No separate signature is required for it to take effect: it becomes binding when the Customer accepts the Terms of Service, purchases credits, or otherwise begins using the paid Service. It supersedes any prior data processing terms exchanged between the parties in respect of the same subject matter, including any earlier version of this DPA published at this URL.
We adopt the incorporation-by-reference approach because it is the modern SaaS standard and because it allows every customer to benefit from the same baseline data-protection terms without bilateral negotiation. A countersigned copy of this DPA is available on request from legal@getkillbounce.com for customers whose internal procurement processes require one; the substantive terms of the signed version will mirror this document.
Where there is a conflict between this DPA and the Terms of Service in respect of the processing of Personal Data, this DPA prevails. Where there is a conflict between this DPA and the EU Standard Contractual Clauses (defined below) or the UK International Data Transfer Addendum, those instruments prevail in respect of the international transfers they govern. All other terms of the Terms of Service remain in force.
2. Definitions
Capitalised terms used but not defined in this DPA have the meanings given to them in the Terms of Service. In this DPA, the following terms have the meanings set out below.
- Applicable Data Protection Laws means the GDPR, the UK GDPR, the DPDP Act, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other data-protection or privacy law applicable to a party's processing of Personal Data under this DPA.
- Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, as defined in Article 4(7) GDPR (and the equivalent concept of "Data Fiduciary" under the DPDP Act).
- Processor means a natural or legal person which processes Personal Data on behalf of the Controller, as defined in Article 4(8) GDPR (and the equivalent concept of "Data Processor" under the DPDP Act).
- Sub-processor means any third party engaged by KillBounce that processes Personal Data on behalf of the Customer under this DPA, other than an employee of KillBounce.
- Personal Data means any information relating to an identified or identifiable natural person (a "Data Subject") that is processed by KillBounce on behalf of the Customer under this DPA. In the context of the Service, this consists primarily of email addresses submitted by the Customer and metadata derived from verifying those addresses.
- Data Subject means the identified or identifiable natural person to whom Personal Data relates.
- Processing has the meaning given in Article 4(2) GDPR and includes any operation performed on Personal Data, whether or not by automated means, such as collection, storage, retrieval, use, disclosure, restriction, erasure, or destruction.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed by KillBounce on behalf of the Customer.
- Standard Contractual Clauses or SCCs means the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, in particular Module Two (controller-to-processor).
- UK IDTA means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner and laid before Parliament under section 119A of the Data Protection Act 2018.
3. Roles of the Parties
The parties acknowledge and agree that, with respect to the processing of Personal Data under this DPA, the Customer is the Controller and KillBounce is the Processor. The Customer determines the purposes and means of the processing by deciding which email addresses to submit to the Service, when to submit them, and how to use the verification results we return.
KillBounce acts as Processor of the email addresses submitted by the Customer and of the metadata derived from verifying them (for example, MX record information about the address's domain, the result bucket, the 0–100 score, and timestamps). Where KillBounce processes Personal Data for its own purposes—such as account administration, billing, fraud prevention, security monitoring, and product analytics—it acts as an independent Controller, and that processing is governed by our Privacy Policy rather than this DPA.
For the purposes of the CCPA/CPRA, KillBounce is a "service provider" processing Personal Information on behalf of the Customer (the "business"). KillBounce does not sell or share Personal Data processed under this DPA, and does not retain, use, or disclose it for any purpose other than performing the Service or as otherwise permitted by the CCPA/CPRA. Under the DPDP Act, the Customer is the Data Fiduciary and KillBounce is the Data Processor; KillBounce processes Personal Data only on the Customer's instructions and in accordance with the DPDP Act's processor obligations.
4. Subject Matter and Duration
The subject matter of the processing is the provision of the KillBounce email verification Service to the Customer, as described in the Terms of Service. The processing involves the verification of email addresses submitted by the Customer and the return of structured verification results.
The duration of the processing is the period during which the Customer uses the Service, plus the retention windows described in Section 14 (Return or Deletion) and the Customer Data retention windows set out in the Terms of Service (lists and per-row results are retained for approximately seven days after job completion; aggregate counters on the user record survive for the life of the account).
The concrete inputs and outputs of the processing are summarised in Annex A (List of Processing Activities).
5. Nature and Purpose of Processing
The nature of the processing is automated verification of email addresses. For each address the Customer submits, the Service performs up to three layered probes: (i) syntactic validation against the relevant RFCs, (ii) DNS and MX record lookup on the address's domain, and (iii) where necessary, a live SMTP conversation with the recipient mail server (HELO/EHLO, MAIL FROM, RCPT TO) sufficient to determine whether the address would accept a message, without delivering message content. The Service returns a result bucket of Valid, Risky, Invalid, or Unknown and a 0–100 confidence score.
The purpose of the processing is to enable the Customer to assess the deliverability of the addresses on its lists before sending mail to them, thereby reducing bounce rates, protecting sender reputation, and avoiding mail to inactive or malformed addresses. The Service is a verification tool only; it does not generate profiles of Data Subjects, does not make automated decisions producing legal or similarly significant effects under Article 22 GDPR, and does not enrich addresses with demographic, behavioural, or personally identifying information beyond what is technically returned by the recipient mail server during the SMTP probe.
KillBounce does not use Personal Data submitted to the Service to send marketing or transactional email to Data Subjects on its own behalf, to train machine-learning models for third parties, or to enrich any independent database. Cached verification results for the same address (held in Redis on our VPS) may be reused to satisfy subsequent verifications for the Customer or for other customers, but the underlying Customer submission is not disclosed and the cache entry is keyed on the address as a technical input only.
6. Categories of Data and Data Subjects
The categories of Personal Data processed under this DPA are:
- Email addresses submitted by the Customer for verification, whether via single lookup, bulk upload (CSV/TXT/paste), or API call.
- Verification metadata derived from those addresses: the result bucket, the 0–100 score, the inferred mailbox provider, MX hostnames, response codes returned by the recipient server, and timestamps.
- Any additional columns or fields the Customer chooses to include in an uploaded list alongside the email address (for example, a recipient name or an internal record identifier). The Customer is responsible for deciding what to upload; we do not require fields other than the email address itself.
The categories of Data Subjects are the natural persons whose email addresses the Customer submits to the Service. These are typically the Customer's prospects, existing contacts, newsletter subscribers, customers, leads, or employees. KillBounce does not select or determine which Data Subjects are processed; that determination is made entirely by the Customer.
KillBounce does not knowingly process Special Categories of Personal Data within the meaning of Article 9 GDPR (such as health data, racial or ethnic origin, or biometric data) under this DPA. The Customer agrees not to submit Special Categories of Personal Data to the Service except where strictly inherent to an email address itself and incidental to verification, and acknowledges that the Service is not designed for and is not appropriate for processing Special Categories of Personal Data.
7. Customer Obligations
The Customer represents and warrants that it has a lawful basis under Applicable Data Protection Laws to collect, hold, and share with KillBounce the Personal Data it submits to the Service, and to instruct KillBounce to process that Personal Data for the purposes set out in this DPA. The Customer is responsible for providing any notices and obtaining any consents required from Data Subjects in connection with that submission.
The Customer is responsible for the substance and accuracy of its instructions to KillBounce. The Customer's documented instructions are: (i) the instructions set out in this DPA and the Terms of Service, (ii) the instructions implicit in the Customer's use of the Service through its dashboard, API, or documented features, and (iii) any further written instructions given to KillBounce by an authorised representative of the Customer, including instructions to support a Data Subject rights request.
The Customer agrees to use the Service only in compliance with our Acceptable Use Policy, including the prohibition on verifying lists for which the Customer has no lawful basis to email, on enumeration of addresses for phishing or credential stuffing, and on use of the Service to support unsolicited bulk mail. The Customer will respond to Data Subject requests directed to it using the assistance KillBounce provides under Section 11.
Where the Customer is itself a processor for a further upstream controller, the Customer represents that it has authority under its own contractual arrangements to appoint KillBounce as a Sub-processor and to bind that upstream controller to the relevant terms of this DPA.
8. Processor Obligations
KillBounce will process Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Union, Member State, UK, or Indian law to which KillBounce is subject. In such a case, KillBounce will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
KillBounce will ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data within KillBounce is limited to personnel with a legitimate operational need to access it. Role-based access controls are applied and tightened over time in line with the measures set out in Annex B and in our Security Overview.
KillBounce will implement the technical and organisational measures set out in Annex B and described in our Security Overview, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Taking into account the nature of the processing and the information available to it, KillBounce will assist the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 GDPR (security of processing, breach notification, data protection impact assessments, and prior consultation), as further described in Sections 11 and 12. KillBounce will, on the Customer's request, make available to the Customer all information necessary to demonstrate compliance with its Article 28 obligations, as further described in Section 13.
9. Sub-processors
The Customer grants KillBounce general written authorisation to engage Sub-processors to process Personal Data under this DPA, subject to the conditions set out in this Section. The current list of Sub-processors engaged by KillBounce is available at /subprocessors. The list is maintained as the single source of truth for who processes Personal Data on the Customer's behalf alongside KillBounce; the parties acknowledge that this list will evolve as the Service evolves.
KillBounce will impose data-protection obligations on each Sub-processor that are no less protective than those set out in this DPA, including in respect of confidentiality, security measures, and assistance with Data Subject rights and breach notification. KillBounce remains fully liable to the Customer for the performance of each Sub-processor's obligations.
Before engaging a new Sub-processor, or replacing an existing Sub-processor, KillBounce will provide the Customer with at least thirty (30) days' prior notice by updating the /subprocessors page and, where the Customer has subscribed to sub-processor change notifications, by email. The Customer may object to the engagement of the new Sub-processor on reasonable grounds related to data protection by notifying legal@getkillbounce.com within that thirty-day window.
If the Customer objects on reasonable grounds, the parties will work together in good faith to find a workable resolution. If no resolution can be found, the Customer may terminate the affected portion of the Service on written notice and receive a pro-rata refund of the unused credit balance attributable to the affected processing. This off-ramp is deliberately customer-friendly: a change of infrastructure provider should not lock customers in against their reasonable objections.
10. International Transfers
KillBounce is established in India and operates infrastructure in India and other jurisdictions through its Sub-processors. Personal Data processed under this DPA may therefore be transferred outside the European Economic Area (the "EEA"), the United Kingdom, or other jurisdictions with restrictions on international transfers, in the course of providing the Service.
Where Personal Data subject to the GDPR is transferred from the EEA to a country that is not the subject of an adequacy decision under Article 45 GDPR, the parties incorporate the Standard Contractual Clauses (Module Two, controller-to-processor) into this DPA by reference. The Customer is the "data exporter" and KillBounce is the "data importer". Clause 7 (docking clause) is not used. Option 2 of Clause 9 (general written authorisation for Sub-processors with thirty days' notice) applies, as implemented in Section 9 of this DPA. Clause 11(a) (optional independent dispute resolution) is not used. The governing law under Clause 17 is the law of the Republic of Ireland. The competent supervisory authority under Annex I.C is the Irish Data Protection Commission. Annex I (parties, description of transfer) and Annex II (technical and organisational measures) of the SCCs are populated by Annex A and Annex B of this DPA respectively.
Where Personal Data subject to the UK GDPR is transferred from the United Kingdom to a country that is not the subject of an adequacy regulation under the UK GDPR, the parties incorporate the UK IDTA by reference, with the EU SCCs above as the approved EU SCCs to which the IDTA attaches. The IDTA Tables are completed using the equivalent details set out in this DPA and its Annexes. For Personal Data subject to the Swiss Federal Act on Data Protection, references in the SCCs are read as references to the Swiss FADP and the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
The parties agree that the SCCs and the UK IDTA, as incorporated, are sufficient safeguards for the international transfers contemplated by this DPA. If at any time a decision of a competent court or supervisory authority determines that the SCCs or the IDTA are no longer a valid transfer mechanism for the relevant transfers, the parties will negotiate in good faith an alternative mechanism (such as a successor instrument or binding corporate rules) to maintain the lawfulness of the transfer.
11. Data Subject Rights Assistance
Taking into account the nature of the processing, KillBounce will assist the Customer, by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Customer's obligation to respond to requests by Data Subjects exercising their rights under Applicable Data Protection Laws (access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decision-making). This obligation reflects Article 28(3)(e) GDPR.
Where a Data Subject contacts KillBounce directly with a request relating to Personal Data processed on behalf of the Customer, KillBounce will, without undue delay, forward the request to the Customer and direct the Data Subject to the Customer as the appropriate party to respond. KillBounce will not respond substantively to such a request on behalf of the Customer except on the Customer's documented instructions or where required by law.
Because the Service does not store standing records of Data Subjects beyond the short-window retention described in the Terms of Service and the aggregate counters on the user record, fulfilment of many requests (in particular erasure) is satisfied substantially through the automatic seven-day purge of lists and per-row results. For requests during the retention window, KillBounce will support targeted deletion or extraction on the Customer's instruction.
KillBounce may recover reasonable costs from the Customer for assistance under this Section to the extent the assistance required is materially beyond the standard support provided as part of the Service (for example, large-volume forensic extraction across many historical jobs). We will agree the scope and cost with the Customer in writing before incurring it.
12. Personal Data Breach
KillBounce will notify the Customer without undue delay, and in any event within seventy-two (72) hours of confirming a Personal Data Breach affecting the Customer's Personal Data. Notification will be sent to the email address on file for the Customer and, where appropriate, posted in the dashboard.
The notification will, to the extent then known, include the information required by Article 33(3) GDPR: (i) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the name and contact details of the relevant KillBounce contact, including our Data Protection Officer alias at dpo@getkillbounce.com; (iii) the likely consequences of the Personal Data Breach; and (iv) the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where information is not available within the seventy-two-hour window, KillBounce will provide it in phases as it becomes available, without further undue delay. Initial notifications may be conservative and over-inclusive to comply with the deadline; this is deliberate and not an admission as to the scope of the incident. KillBounce will assist the Customer in meeting any obligation it has to notify the relevant supervisory authority or affected Data Subjects.
The reporting obligations under this Section do not constitute an acknowledgement by KillBounce of any fault or liability in respect of the underlying incident. The parties will cooperate in good faith to investigate and remediate.
13. Audit Rights
KillBounce will make available to the Customer, on reasonable request, all information necessary to demonstrate compliance with its obligations under this DPA and Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
The Customer may exercise the right to audit no more than once in any twelve-month period, except where (i) required by a supervisory authority, (ii) prompted by a confirmed Personal Data Breach affecting the Customer, or (iii) the Customer has reasonable grounds to suspect material non-compliance by KillBounce with this DPA. The Customer will give KillBounce at least thirty (30) days' prior written notice of an audit, will conduct the audit during normal business hours, and will take reasonable steps to minimise disruption to KillBounce's operations and to protect the confidentiality and security of the data of KillBounce's other customers.
The Customer bears its own costs of the audit. Where the audit requires significant dedicated effort from KillBounce personnel (more than two business days), the Customer will reimburse KillBounce's reasonable internal costs at a rate to be agreed in advance. Where an audit identifies a material failure by KillBounce to comply with this DPA, KillBounce will bear its own costs and will not charge the Customer for the dedicated effort.
As an alternative to an on-site audit, the Customer may discharge its audit right by accepting third-party audit reports (such as SOC 2 Type II or ISO 27001 reports) and security questionnaires that KillBounce makes available. KillBounce does not currently hold SOC 2 or ISO 27001 certifications, but intends to pursue appropriate certifications as the business scales; in the interim, KillBounce will respond to reasonable security questionnaires and provide the documentation listed in Annex B and in our Security Overview.
14. Return or Deletion
On termination of the Customer's use of the Service for any reason, KillBounce will, at the Customer's choice, delete or return all Personal Data processed on the Customer's behalf and delete existing copies, unless retention is required by Applicable Data Protection Laws or other applicable law (for example, tax or accounting records).
In practice, the seven-day retention window described in the Terms of Service means that most Customer-submitted Personal Data is purged automatically before or shortly after termination. For Personal Data still held at the point of termination, KillBounce will complete deletion from the primary database and Redis cache within thirty (30) days, subject to backup retention cycles (encrypted backups are rotated and expire on their normal schedule rather than being individually purged on termination).
On the Customer's written request, KillBounce will provide a written certificate of deletion confirming that the steps in this Section have been completed. Aggregate counters on the user record (which do not identify individual Data Subjects) may be retained where required for billing history, fraud-prevention, or accounting purposes.
15. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set out in the Terms of Service, which apply to this DPA as if set out in full. References to liability in the Terms of Service include any liability arising under this DPA, including liability for the acts and omissions of Sub-processors for which KillBounce is responsible.
Where the SCCs apply, any limitation of liability between the parties does not affect a Data Subject's rights under the SCCs as third-party beneficiaries. Nothing in this DPA or the Terms of Service limits a party's liability where such limitation is not permitted by Applicable Data Protection Laws.
The parties have agreed the structure of this DPA, including the liability allocation, on the basis of the pay-as-you-go pricing model of the Service. The combination of the Terms of Service liability cap, the SCC carve-outs for Data Subject rights, and the accuracy-miss refund mechanism in the Terms of Service is intended to be a balanced allocation of risk for a low-friction, no-commitment Service.
16. Governing Law
This DPA is governed by the laws of India and is subject to the dispute-resolution provisions of the Terms of Service, except as set out below.
The Standard Contractual Clauses incorporated by reference under Section 10 are governed by the law of the Republic of Ireland in accordance with their Clause 17, and are subject to the jurisdiction of the courts of Ireland in accordance with their Clause 18, in respect of disputes arising from those clauses. The UK IDTA is governed by the law and subject to the jurisdiction specified in the IDTA itself in respect of disputes arising from it. To the extent of a conflict in respect of those instruments, the SCCs and the IDTA prevail over the general governing law of this DPA.
Nothing in this Section limits a Data Subject's right to bring proceedings under the SCCs or the UK IDTA before the courts or supervisory authorities that those instruments and Applicable Data Protection Laws make available to them.
17. Signatures and Acceptance
This DPA does not require a separate signature to take effect. It is incorporated by reference into the Terms of Service and is binding on the Customer from the moment the Customer accepts the Terms of Service or uses the paid Service, in line with the standard SaaS practice of binding all customers to a single, regularly updated baseline DPA.
We adopt this approach because it is consistent with guidance from supervisory authorities that contracts under Article 28 GDPR may be concluded electronically (Article 28(9) GDPR), and because requiring a wet-ink or DocuSign step for every customer would slow procurement without changing the substance of the protections offered. What the Customer receives in exchange for the absence of bilateral negotiation is a set of protections that are consistent and apply uniformly across the customer base, including the SCCs and the UK IDTA for international transfers.
A countersigned copy of this DPA is available on request to customers whose internal procurement processes require one. To request a signed copy, email legal@getkillbounce.com from a verified Customer account contact. The signed copy will mirror the published version effective on the date of signature.
18. Annex A — List of Processing Activities
This Annex describes the processing activities carried out by KillBounce as Processor on behalf of the Customer as Controller. It also serves as Annex I to the Standard Contractual Clauses where they are incorporated under Section 10.
A. List of Parties. Data exporter (Controller): the Customer, as identified in the account record on the Service. Data importer (Processor): KillBounce, an email verification platform based in India. Contact for data-protection matters: dpo@getkillbounce.com.
B. Description of Transfer.
- Categories of Data Subjects: the natural persons whose email addresses the Customer submits to the Service, typically the Customer's prospects, contacts, customers, leads, newsletter subscribers, or employees.
- Categories of Personal Data: email addresses; verification result bucket (Valid, Risky, Invalid, Unknown); 0–100 confidence score; mailbox provider inference; MX record information for the address's domain; SMTP response codes; timestamps; and any additional columns the Customer chooses to include in an uploaded list alongside the address.
- Special Categories of Personal Data: none knowingly processed.
- Frequency of Transfer: continuous, as the Customer submits verifications.
- Nature of the Processing: automated verification of email addresses through syntactic, DNS/MX, and live SMTP probes; storage of lists and per-row results for approximately seven days; storage of aggregate counters on the user record for the life of the account.
- Purpose of the Processing: provision of the Service to the Customer for the purposes set out in the Terms of Service.
- Retention Period: lists and per-row results retained approximately seven days; aggregate counters retained for the life of the account; backups expire on their normal rotation schedule.
- Sub-processors: as listed at /subprocessors, including infrastructure providers (VPS, CDN, frontend hosting), email delivery (transactional notifications to the Customer), and payments (Dodo Payments as merchant of record).
C. Competent Supervisory Authority. For EU transfers under the SCCs: the Irish Data Protection Commission. For UK transfers under the IDTA: the UK Information Commissioner's Office. For DPDP Act matters: the Data Protection Board of India.
19. Annex B — Technical and Organisational Measures
This Annex describes the technical and organisational measures ("TOMs") implemented by KillBounce to ensure an appropriate level of security for the Personal Data it processes on behalf of the Customer. It also serves as Annex II to the Standard Contractual Clauses where they are incorporated under Section 10. The measures listed here mirror, in summary form, the controls described in our Security Overview; the Security Overview is the authoritative and current source.
- Encryption in transit. All connections to the Service are served over HTTPS with modern TLS configurations. Traffic between the Customer and the Service passes through Cloudflare for CDN and DDoS protection before reaching our origin.
- Encryption at rest. The self-hosted Postgres database and Redis cache run on volumes provided by our VPS host (Webdock) with disk encryption enabled. Encrypted backups are stored separately and rotated on a defined schedule.
- Authentication. User authentication uses either email and password (passwords stored as bcrypt hashes) or OAuth via Google or GitHub. API access uses scoped API keys that the Customer can rotate from the dashboard at any time.
- Access control. Administrative access to production infrastructure is restricted to authorised personnel on a need-to-access basis. Access requires SSH key-based authentication. Role-based access controls are applied with the principle of least privilege.
- Network security. The VPS exposes only the network ports required for the Service. Cloudflare sits in front of the application to absorb volumetric attacks and to enforce rate limits at the edge.
- Data minimisation and retention. Uploaded lists and per-row results are purged approximately seven days after job completion. The Service is designed not to store more Personal Data than is necessary to perform the verification and return results to the Customer.
- Logging and monitoring. Application and infrastructure logs are collected and reviewed to detect anomalies, unauthorised access attempts, and operational issues. Sensitive log fields (such as raw email addresses) are minimised in logs where reasonably possible.
- Vulnerability management. Operating-system and dependency security patches are applied on a defined cadence. Application dependencies are tracked and monitored for known vulnerabilities.
- Backup and recovery. Encrypted backups of the Postgres database are taken on a defined schedule and tested for restorability. Backup retention is time-bounded.
- Sub-processor management. Sub-processors are selected with regard to their security posture, are listed at /subprocessors, and are subject to contractual data-protection obligations consistent with this DPA.
- Incident response. Personal Data Breaches are handled in accordance with Section 12 of this DPA, with notification to affected customers within seventy-two hours of confirmation.
- Certifications. KillBounce does not currently hold SOC 2, ISO 27001, or HIPAA certifications. We do not claim compliance with frameworks for which we are not certified. As the business scales, KillBounce intends to pursue appropriate certifications and will update this Annex and the Security Overview accordingly.
These TOMs are reviewed periodically and updated to reflect changes to the Service, the threat landscape, and applicable legal and regulatory requirements. We commit to maintaining controls that are appropriate to the risk represented by the Personal Data we process, which, for the Service, is primarily email addresses and derived verification metadata rather than higher-risk categories of Personal Data.
20. Contact
For matters relating to this DPA, including requests for a countersigned copy, objections to a new Sub-processor, exercises of audit rights, breach notifications received from Data Subjects, and questions about the SCCs or the UK IDTA, please use the contacts below.
- DPA, SCCs, IDTA, audit, and contractual matters: legal@getkillbounce.com
- Privacy and Data Subject rights requests: privacy@getkillbounce.com
- Data Protection Officer alias and breach notifications: dpo@getkillbounce.com
- Product support and operational queries: support@getkillbounce.com