Data Processing Agreement

Last Updated: July 9, 2025
Between: Customer ("Controller") and Issoudun Pte. Ltd. dba UserCheck ("Processor")

1. Definitions

• Controller: The entity determining the purposes and means of processing Personal Data
• Processor: UserCheck, processing Personal Data on behalf of the Controller
• Personal Data: Information about identified or identifiable natural persons
• Subprocessor: Third party engaged by UserCheck to help process Personal Data

2. Purpose and Instructions

UserCheck processes Customer Personal Data only to deliver the API services and provide related support. Processing is limited to validating email addresses and domains as instructed through API calls.

3. Data Protection Obligations

3.1 General Obligations

• Process Personal Data only on documented instructions from Customer
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist Customer with data subject rights requests
• Delete or return Personal Data upon termination

3.2 Prohibited Data

Customer must not submit sensitive data (health, race, religion, etc.) to our API. If submitted accidentally, we'll delete it immediately upon discovery.

4. Security

Data is encrypted in transit via TLS 1.3 and encrypted at rest by our database provider, PlanetScale (SOC 2 Type 2). Further security details available upon request.

5. Subprocessors

Current subprocessor list is available at usercheck.com/legal/subprocessors. We'll email customers about changes. You may object within 7 days of notification.

6. Data Breach Notification

We'll notify you within 72 hours of becoming aware of a Personal Data breach affecting your data. Notification will include the nature of the incident and measures taken.

7. International Transfers

For transfers outside the EU, we rely on Standard Contractual Clauses (Module 2: Controller to Processor). SCCs are incorporated by reference and available upon request.

8. Data Retention and Deletion

Raw API logs are retained for 90 days, then anonymized in line with our public retention schedule. If you request deletion, we erase Customer Personal Data from live systems within 7 days and from backups within 90 days.

9. Audit Rights

We'll complete reasonable security questionnaires about our data protection practices. For enterprise customers, additional audit rights may be negotiated.

10. Assistance with Compliance

We'll provide information reasonably required for your Data Protection Impact Assessments (DPIAs) and regulatory consultations.

11. Liability

Each party's liability is limited to fees paid in the last 12 months, except for data subject rights under European Data Protection laws.

12. Term and Termination

This DPA remains effective while you use our services. Data protection obligations survive termination as required by law.

13. Order of Precedence

In case of conflict: (1) Data Protection Laws, (2) Standard Contractual Clauses, (3) This DPA, (4) Terms of Service

Contact

Privacy inquiries: [email protected]
Address: 68 Circular Road, #02-01, 049422, Singapore