Data Processing Agreement

Last Updated: September 24, 2025 - Effective Date: September 24, 2025

This Data Processing Agreement (“DPA” or “Agreement”) forms part of the contract for ApexVerify's Services (the “Principal Agreement” or “Terms”) between:

  • you, the customer identified in your ApexVerify account (the “Controller”, “you”); and
  • HyperMesh Network Pte. Ltd. (trading as “ApexVerify”), company number 202528445W, 68 Circular Road, #02-01, 049422, Singapore (the “Data Processor”, “we”, “us”),

together the “Parties”.

By accepting this DPA in the app (e‑sign), you agree to be bound by it.

1. Purpose and scope

  • This DPA applies to ApexVerify’s processing of Personal Data on your documented instructions to provide email, phone, and postal address verification services and related support (the “Services”).
  • This DPA supplements the Terms of Service. If there is a conflict, this DPA controls for privacy and data protection matters. If Standard Contractual Clauses (SCCs) apply to a transfer, the SCCs control over this DPA for that transfer.

2. Roles and definitions

  • You are the Data Controller. You decide what data to submit and why.
  • ApexVerify is the Data Processor. We process only as instructed by you.
  • “Personal Data” means any information relating to an identified or identifiable person.
  • “Applicable Data Protection Law” means the GDPR (EU/EEA), the UK GDPR, the Swiss FADP, Singapore PDPA, and any similar laws that apply to your use of the Services.
  • “Subprocessor” means a third party engaged by us to process Personal Data for the Services.

3. Your instructions

  • We will process Personal Data only on your documented instructions: to provide, maintain, secure, and support the Services; to prevent or address service or technical issues; to comply with law; and as otherwise described in this DPA and the Terms.
  • You must have a lawful basis to submit Personal Data to the Services (e.g., consent or legitimate interests) and must give required notices to data subjects. You must not upload special categories of data or other sensitive data (e.g., health, biometrics, political opinions, government IDs, payment card details) to the Services.
  • To minimize the data you share, upload only what is needed: for email, the email address; for phone, the number in E.164 format (a leading “+”, the country code, and the subscriber number, 15 digits at most); for address, the formatted address. Do not include names or extra attributes unless strictly necessary.

4. Details of processing (Annex I)

  • Nature and purpose: verification of reachability/validity (email/phone/address), deduplication/list hygiene, fraud/spam risk reduction, support, troubleshooting, and service improvement using aggregated/anonymized statistics.
  • Categories of data subjects: your contacts, leads, customers, or other individuals whose data you submit; your team members who operate the account.
  • Categories of Personal Data: email addresses; phone numbers (MSISDN); postal addresses; optional metadata you choose to submit (we recommend you do not include any special category data); service logs and technical identifiers relating to use of the Services.
  • Duration: for the Term of the Services and any retention you set in the app; default deletions are described in section 10 and the Terms.

5. Subprocessors (Annex III)

  • You authorize our use of Subprocessors needed to provide the Services. Current core Subprocessors:
    • Google Cloud Platform (EU regions)
    • OVHcloud SAS (EU datacenters)
  • Service‑specific counterparties:
    • Phone verification: mobile network operators worldwide and the routing intermediaries that answer HLR (Home Location Register) and NP (number portability) lookups receive only the MSISDN necessary to answer the query.
    • Email verification: internet email servers (MX/SMTP endpoints) of recipients worldwide are contacted to validate deliverability; they receive only the email address and the protocol‑level request.
    • Address verification: vetted reference datasets and postal authorities (primarily EU‑hosted where available) receive the address string necessary to perform the check.
  • We will ensure each Subprocessor is bound by written terms that are no less protective than this DPA. We remain liable for our Subprocessors’ processing of Personal Data.
  • Changes: we may add or replace Subprocessors. We will post updates in‑app or by email at least 30 days before the change (unless urgent for security or continuity). You may object for reasonable data protection grounds. If we cannot reasonably resolve your objection, you may stop using the affected feature. No refunds are due unless required by law.

6. Data location and international transfers

  • Primary storage and processing are in the EEA (EU regions of Google Cloud and OVHcloud).
  • To perform lookups, limited data may be transmitted worldwide (for example, a phone number to its home carrier, or an SMTP check to a recipient’s mail server). We send only the minimum necessary and no Customer account identifiers with those queries.
  • Where the GDPR/UK GDPR applies to a transfer to a country without an adequacy decision, the European Commission SCCs (Decision 2021/914) are incorporated by reference (Module 2 and, where we engage a Subprocessor, Module 3). For UK transfers, the UK Addendum to the EU SCCs is incorporated by reference. For Swiss transfers, references in the SCCs to GDPR are to be read with the Swiss FADP as appropriate. The SCCs prevail over conflicting terms in this DPA.

7. Security measures (Annex II)

  • We maintain appropriate technical and organizational measures to protect Personal Data, including:
    • Encryption in transit (TLS) and at rest for stored data in our core platforms.
    • Access controls and least‑privilege permissions; MFA for privileged access.
    • Network isolation, firewalls, and monitoring; vulnerability management and patching.
    • Secure software development practices, code review, and logging.
    • Regular backups and tested restoration procedures.
    • Staff confidentiality and security training.
  • We will not materially reduce our security controls during the Term.

8. Confidentiality

  • We will ensure personnel who access Personal Data are bound by confidentiality obligations and access only what they need to perform their job.

9. Data minimization, pseudonymization, and anonymization

  • We minimize the fields we process and disclose to Subprocessors. Where feasible, we pseudonymize or anonymize data before sharing.
  • For the network queries described in section 6, counterparties receive only the specific value needed to answer the lookup (e.g., the phone number), and we do not include your Customer identity with the query. Only ApexVerify keeps the internal mapping between a lookup and your account.

10. Retention and deletion

  • You control retention via your account settings. By default, workspace data (files/results) is deleted after 90 days of account inactivity (as described in the Terms). You may choose a shorter retention period.
  • You can delete files, jobs, or your entire account at any time in the dashboard. We will delete associated Personal Data without undue delay from active systems and during our normal backup rotation thereafter. We may retain billing records, invoices, fraud/abuse logs, and audit logs we are legally required to keep.
  • On termination of the Services (or your written request), we will delete or return Personal Data, at your choice, unless law requires us to keep it.

11. Assistance

  • We will assist you, taking into account the nature of processing, with:
    • Responding to data subject requests (access, deletion, etc.). If we receive a request directly, we will forward it to you without undue delay and no later than 5 days, unless prohibited by law.
    • Security, breach notices, and data protection impact assessments (DPIAs), where relevant and reasonable.
    • Providing information needed to demonstrate compliance with Article 28 GDPR (or equivalents).
  • If your requests are excessive, repetitive, or outside normal scope, we may charge reasonable costs.

12. Personal Data breach

  • We will notify you without undue delay and in any case within 48 hours after becoming aware of a Personal Data breach affecting your Personal Data. The notice will include known details, including the nature of the breach, likely consequences, measures taken or proposed, and a contact point. We will keep you informed of updates and assist you in your own notifications.

13. Audits and reports

  • On reasonable written request, we will make available information necessary to demonstrate compliance with this DPA (e.g., summaries of our controls or third‑party compliance reports that we are permitted to share).
  • You may conduct an audit (including inspections) once per 12‑month period, with at least 30 days’ advance notice, during business hours, without disrupting operations, and subject to confidentiality and safety rules. Remote audits are preferred. On‑site audits are limited to areas where Personal Data is processed by us and not by our infrastructure Subprocessors (e.g., Google/OVHcloud, where we will provide their available reports instead). You are responsible for audit costs and our reasonable support costs.

14. Requests from public authorities

  • If a government or law enforcement authority requests Personal Data, we will, to the extent legally permitted, notify you before any disclosure, and will challenge requests we reasonably believe are unlawful or overbroad. We will disclose only the minimum required by law.

15. Liability and order of precedence

  • Each party remains responsible for complying with the laws that apply to it. This DPA does not expand either party’s liability beyond what is stated in the Terms. All limitations and exclusions of liability in the Terms apply to this DPA, except to the extent prohibited by law or overridden by the SCCs for the relevant transfer.
  • If there is a conflict between: (i) SCCs and this DPA, the SCCs control for the transfer; (ii) this DPA and the Terms, this DPA controls for data protection.

16. Term and termination

  • This DPA starts when you accept it and continues for as long as we process Personal Data for you under the Terms. Either party may terminate this DPA if the Services end. Sections that by their nature should survive will survive (e.g., confidentiality, deletion, liability limits, and governing law for the DPA and SCCs).

17. Governing law and venue

  • This DPA is governed by the laws of Singapore, and disputes are subject to the exclusive jurisdiction of the courts of Singapore, except that the SCCs are governed as specified within the SCCs (for EU transfers, the laws of Ireland by default unless you specify another EU Member State).

18. Contact for privacy matters

Annex I – Details of processing

A. Controller (data exporter)

  • The ApexVerify customer identified in the account.

B. Processor (data importer)

  • HyperMesh Network Pte. Ltd. (ApexVerify), 68 Circular Road, #02-01, 049422, Singapore.

C. Data subjects

  • Individuals whose email addresses, phone numbers, or postal addresses you submit for verification.
  • Your users/team who operate your account (limited to account data).

D. Categories of Personal Data

  • Email: the email address being verified and protocol‑level metadata necessary to validate deliverability.
  • Phone: MSISDN (E.164 format) and routing information necessary to perform HLR/NP or equivalent checks.
  • Postal address: the address string and parsing/standardization outputs.
  • Optional: any fields you choose to upload (we advise against including names or other identifiers).
  • Technical data: logs (timestamps, API key/ID, request/response codes), IP addresses of your systems that call our API, and device/browser data for your team’s access to the dashboard.

E. Special categories

  • Not permitted. Do not submit special categories of data or other sensitive data.

F. Nature and purpose of processing

  • Collection, receipt, transmission to necessary counterparties, matching/validation, formatting, storage, display, retrieval, deletion, and backup as needed to deliver the Services; security, fraud prevention, and support; service improvement using aggregated/anonymized statistics.

G. Retention

  • As configured by you in the app; defaults as set in the Terms (90 days after account inactivity for workspace data). Account deletion triggers deletion of Personal Data from active systems without undue delay and from backups during normal rotation, subject to legal record‑keeping.

H. Instructions and frequency

  • Continuous, as initiated by you (API calls / uploads) and as needed to operate the Services.

Annex II – Security measures (summary)

  • Organization
    • Security policies; staff training and confidentiality; least‑privilege access; MFA for privileged roles; background checks where permitted.
  • Infrastructure
    • Hosting in EU regions of Google Cloud and OVHcloud; network segmentation; firewalls; DDoS protections; monitoring and alerting.
  • Data protection
    • Encryption in transit (TLS 1.2+); encryption at rest for stored data; key management via cloud KMS; regular backups and restore tests.
  • Application security
    • Secure SDLC; code reviews; dependency scanning; periodic penetration testing; hardened build/deploy; secrets management.
  • Operations
    • Vulnerability management and patching; logging and audit trails; change management; business continuity and incident response runbooks.
  • Access controls
    • Role‑based access; approval workflows; session timeouts; device management for admins.

Annex III – Subprocessors

Core infrastructure (primary storage/compute in the EEA):

  • Google Cloud Platform (EU regions)
  • OVHcloud SAS (EU datacenters)

Service‑specific counterparties (limited, necessary transmission only; no Customer account identifiers disclosed):

  • Global telecommunications networks and routing intermediaries used solely to perform HLR/NP or similar phone validations (receive only the MSISDN).
  • Recipient email servers (MX/SMTP endpoints) contacted during deliverability checks (receive only the email address and protocol request).
  • Postal reference datasets and postal authorities needed to validate address inputs (receive only the address string).

We keep a current list of Subprocessors in the app and will notify you of material changes as described in section 5.

Annex IV – International transfer mechanisms

  • For transfers subject to the GDPR to countries without adequacy, the EU SCCs (2021/914) are incorporated:
    • Module 2 (Controller to Processor) for ApexVerify’s processing as Processor.
    • Module 3 (Processor to Processor) for Subprocessors.
    • Clause 7 (Docking clause) applies.
    • Clause 9(a) – general authorization for Subprocessors, with notice as in section 5.
    • Clause 17 – governing law: the law of Ireland by default unless you specify another EU Member State in writing.
    • Clause 18 – forum: courts of Ireland by default unless you specify another EU Member State in writing.
  • For UK transfers, the ICO’s International Data Transfer Addendum to the EU SCCs is incorporated by reference.
  • For Swiss transfers, references to GDPR in the SCCs are interpreted with the Swiss FADP as appropriate, and references to “Member State” refer to Switzerland where needed.

Signatures and acceptance

  • By approving this DPA in the ApexVerify app (e‑sign), or by continuing to use the Services as a Controller, you and ApexVerify agree to this DPA.