Trust · For procurement and security review

Six questions a buyer asks. Answered, with the contract.

KillBounce is small and new. The way we make up for that is by writing the contracts the way a real B2B vendor does and then linking to them so you can verify before you spend. Every claim below points at the document that backs it. Nothing on this page is decorative.

01

Who is the legal counterparty?

KillBounce is based in Bengaluru, India. The merchant of record on every charge is Dodo Payments — they handle PCI scope, tax, and the legal receipt; KillBounce never stores card data. The named operator is Nikhil Chaudhary; the founder reads every reply at nikhil@getkillbounce.com.

Founder note + how to reach a person
02

What contract do we sign?

Two documents auto-execute when you accept the Terms: a master Terms of Service governed by Indian law (Bengaluru arbitration seat), and a GDPR Article 28 Data Processing Agreement that incorporates the 2021 EU Standard Contractual Clauses (Module 2, Controller → Processor) and the UK IDTA addendum.

Read the DPA in full
03

Where does our list actually go?

Uploaded addresses live on a single VPS in Postgres for the duration of the job, then auto-purge from the database within seven (7) days. Aggregate counts (verified / valid / invalid totals) survive on the account record so dashboards keep working; per-row payloads do not. The published Subprocessor list names every third party that can touch the data.

Subprocessors list
04

What happens when a verdict is wrong?

If we return Valid for an address and the actual send hard-bounces within 72 hours, the consumed credit returns to the account balance. Email the bounce notification to support@getkillbounce.com — refunded in credits within five business days. The refund is in credits, not cash; a single credit-back event does not entitle a customer to cancel a pack for a money refund. Pack purchases are non-refundable.

Refund policy + exclusions
05

How is the account protected on our side?

Passwords bcrypt-hashed with per-user salt; sessions issued as short-lived JWTs with a per-user token-version counter (sign-out-everywhere works without a blocklist). TLS 1.2+ via Cloudflare. Postgres at-rest encryption via filesystem-level encryption on the VPS. No card data is ever stored; that lives entirely with Dodo Payments. No SOC 2 / ISO 27001 / HIPAA today — the Compliance page sets out where we are honest about the gap.

Security policy
06

What are we not allowed to do with it?

KillBounce verifies the deliverability of an address; it is not a sending tool, a scraping anonymizer, or a way to re-sell verification results as a service. The Acceptable Use Policy spells out exactly which list sources are in-scope and which uses lead to account suspension.

Acceptable Use Policy

Index

All ten legal documents, on one screen.

Forward this list to your legal or procurement reviewer. Every document is public and signed by reference into the purchase.

Need it in a signed PDF

Same documents, on a counter-signed copy.

The above docs incorporate by reference for online checkout, which is the standard for SaaS. If your procurement process needs a counter-signed copy of the DPA or Terms, email legal@getkillbounce.com — we'll send back a one-page vendor sheet plus the signed DPA within one business day.

Request vendor pack