Data Processing Addendum (DPA)

Last updated: 2025-12-10

1. Roles

Customer acts as Controller. SenderGuard acts as Processor of Customer Data solely to provide the Service as described.

2. Subject matter and duration

Processing is limited to DNS records and email header fields required to compute compliance results, and persists for the subscription term. Upon termination, data is deleted per the retention schedule below.

3. Nature and purpose of processing

• Compute SPF/DKIM/DMARC status, alignment, and header checks
• Generate Proof‑of‑Scan (normalized JSON + sha256)
• Deliver alerts on material changes (if configured)

4. Categories of data

• DNS TXT records (SPF/DMARC), public MX where applicable
• Email header fields (Authentication‑Results, header.from, smtp.mailfrom, DKIM d=)
• Organization/account metadata strictly necessary for billing and access control

5. Technical and organizational measures

• HTTPS in transit; signed download URLs with short TTL
• Access controls, audit events, rate limiting, abuse prevention
• EML uploads deleted immediately after header parsing; bodies never stored

6. Subprocessing

We engage a small number of vetted infrastructure providers and remain responsible for their performance. Detailed listings are available upon request, and we will notify you of material changes.

7. International transfers

Where applicable, transfers are subject to appropriate safeguards (e.g., SCCs). Hosting region details are documented in service materials and can be shared with you on request.

8. Assistance and notifications

• We assist with data subject requests that relate to data we process for you.
• We notify you without undue delay of personal‑data incidents we become aware of.

9. Deletion and return

On termination or upon request, we delete Customer Data in accordance with our retention policy and, where technically feasible, return an export of your organization’s data.

Contact

Support: joseph.zheng97@outlook.com