skink.devverified

Data Processing Agreement

Last updated: 2026-07-13

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Sagar Parmar, an individual resident of India trading as skink ("Processor," "skink," "we"), and the customer entering into the Service agreement ("Controller," "you"), and applies whenever skink processes personal data on your behalf and documented instructions in connection with the Service. In the event of a conflict between this DPA and the Terms of Service on data-protection matters, this DPA controls. See our GDPR page for a plain-language summary of this Agreement.

1. Definitions

"Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Supervisory Authority" have the meanings given in the GDPR. "Data Fiduciary" and "Data Principal" have the meanings given in India's Digital Personal Data Protection Act, 2023 ("DPDP"). "Business" and "Service Provider" have the meanings given in the California Consumer Privacy Act, as amended by the CPRA ("CCPA"). Each such term, and its jurisdiction-specific equivalent, is used interchangeably below to mean the same underlying role.

2. Subject Matter and Duration

Processing of email addresses (and derived deliverability signals) that the Controller submits to the Service via API, for the purpose described in Section 3, for the term of the underlying Service agreement plus any post-termination retention or deletion period described in Section 9.

3. Nature and Purpose of Processing

skink processes submitted email addresses solely to determine and return a deliverability verdict (status, confidence score, and supporting signals) via the API, on the Controller's documented instructions (i.e., the API request itself and the Controller's own account settings, including its elected retention period and whether an encrypted copy of the submitted address is retained alongside the hash). skink does not process this data for any other purpose, including marketing, profiling, or enrichment.

4. Categories of Data and Data Subjects

  • Categories of data: email addresses; derived deliverability signals (e.g., mailbox-existence indicators, domain configuration); no other personal data is required or accepted by the verification endpoints.
  • Categories of Data Subjects: the Controller's contacts, leads, customers, or prospects whose email addresses are submitted for verification.

5. Processor Obligations

skink shall:

  • Process Personal Data only on the Controller's documented instructions (the API request), including with regard to international transfers, unless required to do otherwise by law applicable to skink, in which case skink will inform the Controller before processing, unless that law prohibits such notice.
  • Ensure persons authorized to process the Personal Data are subject to confidentiality obligations.
  • Implement the technical and organizational security measures described in our Security page, including hashing at rest, encryption in transit, least-privilege access, and key rotation.
  • Not engage a sub-processor without providing notice of intended changes and giving the Controller an opportunity to object, and impose data-protection obligations on any sub-processor that are no less protective than those in this DPA.
  • Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in responding to Data Subject/Data Principal requests.
  • Notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's data, and provide reasonably requested assistance with the Controller's own notification obligations.
  • At the Controller's choice, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies, except where retention is required by applicable law (see our Data Retention schedule).
  • Make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality.

6. Sub-processors

The Controller provides general authorization for skink to engage sub-processors for hosting, object storage, payment processing, and mailbox-existence verification queries. The current list of sub-processor categories is set out in our Privacy Policy, Section 8; a named, current list is available on request at `privacy@skink.dev`.

7. International Transfers

skink's infrastructure is currently hosted with a United States infrastructure provider; skink (the Processor) is operated from India. Personal Data originating in the EEA, UK, or Switzerland that reaches this US-hosted infrastructure is transferred outside the EEA/UK under GDPR/UK GDPR Chapter V; the parties incorporate by reference the Standard Contractual Clauses annexed hereto as Annex 4 (Module Two: Controller to Processor), or the UK International Data Transfer Addendum where applicable, which shall govern in the event of any conflict with this DPA on transfer-specific terms. skink's remote administrative access from India is an additional transfer covered by the same Clauses. Transfers of India-origin Personal Data to the US hosting infrastructure are governed by DPDP's restricted-country transfer model described in our Privacy Policy, Section 5.

8. Breach Notification

skink will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting Personal Data processed under this DPA, describing the nature of the breach, likely consequences, and measures taken or proposed.

9. Deletion and Return of Data

On termination of the Service agreement, skink will, at the Controller's election, delete or provide an export of the Controller's Personal Data within a commercially reasonable period, subject to skink's standard retention schedule and any legal-hold or tax-record retention obligations. See our Data Retention schedule for default timelines.

10. Jurisdiction-Specific Terms

### India — DPDP Act, 2023 The Controller is the Data Fiduciary; skink processes strictly on the Data Fiduciary's documented instructions and supports the Data Fiduciary's Grievance Officer obligations (DPDP §13) by forwarding any Data Principal request received directly to the Controller, unless the Controller has authorized skink to respond directly.

### United States — CCPA/CPRA skink acts as a Service Provider under Cal. Civ. Code §1798.140(ag) and agrees that it will not: (a) sell or share the Personal Data processed under this DPA; (b) retain, use, or disclose the Personal Data for any purpose other than performing the services specified in this DPA and the underlying Service agreement; (c) retain, use, or disclose the Personal Data outside the direct business relationship between skink and the Controller; or (d) combine the Personal Data with personal data that skink receives from or on behalf of another source, except as permitted by the CCPA. skink will notify the Controller if it determines it can no longer meet these obligations.

11. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms of Service.

12. Precedence and Term

This DPA remains in effect for as long as skink processes Personal Data on the Controller's behalf under the Service agreement.


Annex 1 — Description of Processing

  • Subject matter — Email deliverability verification.
  • Duration — Term of the Service agreement.
  • Nature of processing — Automated verification via API; addresses stored by default as a keyed hash and domain, deleted on the Controller's elected schedule (1-90 days, 7 by default); full plaintext held transiently in memory during the check, and persisted in encrypted form only if the Controller elects to retain it.
  • Purpose — Return a deliverability verdict to the Controller.
  • Categories of data — Email addresses; derived deliverability signals.
  • Categories of Data Subjects — Controller's contacts/leads/customers.

Annex 2 — Sub-processors

See Privacy Policy, Section 8, for current sub-processor categories; a named list is available on request.

Annex 3 — Security Measures

See our Security page for the full list of technical and organizational measures.

Annex 4 — Standard Contractual Clauses

The parties incorporate by reference the Standard Contractual Clauses set out in the Annex to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor). skink is the "data importer"; the Controller is the "data exporter." For the purposes of those Clauses:

  • Annex I.A (parties) — the data exporter is the Controller identified in the Service agreement; the data importer is Sagar Parmar, trading as skink, India.
  • Annex I.B (description of transfer) — as set out in Annex 1 of this DPA.
  • Annex II (technical and organizational measures) — as set out in Annex 3 of this DPA / our Security page.
  • Annex III (sub-processors) — as set out in Annex 2 of this DPA / our Privacy Policy, Section 8.
  • Competent supervisory authority and the data exporter's specific signatory details are completed at the time of execution between skink and each Controller, and are available as a fully executed document on request at `privacy@skink.dev`.