Legal

GDPR Compliance

Last updated: June 5, 2026

This page explains how SpamCipher ("SpamCipher", "we", "us", or "our") complies with the EU General Data Protection Regulation, the UK GDPR, and Swiss data-protection law (together, the "GDPR"), and how we support our customers in meeting their own obligations. It applies to spamcipher.com, our applications, our APIs, and the related services (together, the "Service").

1.Our Commitment to the GDPR

Data protection is fundamental to how we build and run SpamCipher. We are committed to processing personal data lawfully, fairly, and transparently, and to collecting and using only the data we genuinely need to provide the Service.

Many of our customers are based in the European Economic Area, the United Kingdom, and Switzerland, or process the personal data of people who are. We have designed our practices, our contracts, and our infrastructure to support those customers in meeting their GDPR obligations, and to give individuals confidence that their data is handled responsibly.

This page explains how we comply with the GDPR and how that compliance works in practice. It should be read together with our Privacy Policy and Terms of Service.

2.Controller and Processor Roles

Under the GDPR, the role we play depends on the data involved. We act in two distinct capacities:

For information about your account, your use of the Service, and your billing (such as your name, login credentials, subscription details, and usage logs), we are the controller. We decide why and how this data is processed, and our Privacy Policy describes how we handle it.
For the email lists and contact data you submit to be verified or processed ("Customer Data"), you are the controller and SpamCipher is the processor. We process Customer Data only on your documented instructions, for the sole purpose of providing the Service to you.

Our Data Processing Agreement governs the processor relationship and sets out the rights and obligations of both parties for Customer Data, as required by Article 28 of the GDPR.

3.Lawful Bases for Processing

Where we act as controller, we rely on one or more of the following lawful bases under Article 6 of the GDPR, depending on the activity:

Performance of a contract — to create and operate your account, deliver the Service, process payments, and provide support, so that we can fulfil our agreement with you.
Legitimate interests — to secure the Service, prevent fraud and abuse, troubleshoot problems, and improve our product, where those interests are not overridden by your rights and freedoms.
Consent — for activities that require it, such as optional marketing communications or connecting a third-party account. You can withdraw consent at any time.
Legal obligation — to meet our tax, accounting, and other legal and regulatory requirements.

Where SpamCipher acts as a processor of Customer Data, the lawful basis for that processing is determined by you as the controller. You are responsible for ensuring that you have a valid lawful basis to collect and submit the personal data you upload to the Service, and the right to instruct us to process it.

4.Data We Process and Why

We process the categories of data described below, each only to provide, secure, and improve the Service. The full detail is set out in our Privacy Policy.

Account data — your name, email address, hashed password, and optional company details, used to create and secure your account and authenticate you.
Billing data — processed through our payment provider Stripe; we retain billing contact details, plan, and transaction history to manage your subscription and invoices, and we do not store full card numbers.
Customer Data — the email addresses and associated fields you submit for verification or processing, the names and domains you query, processed only to return results to you.
Domains, IPs, and DMARC reports — the domains and sending IP addresses you add for monitoring, the related public DNS and authentication records, and any DMARC aggregate reports you route to us, used to provide domain health and reputation monitoring.
OAuth tokens and authorized data from connected accounts — where you connect an account such as Google or an email service provider, we store an encrypted access token and access only the data needed for the feature you enable.
Usage and log data — technical information such as IP address, device and browser type, and activity timestamps, used for security, fraud prevention, troubleshooting, and improving the Service.

5.Your Rights as a Data Subject

If you are in the EEA, the UK, or Switzerland, the GDPR gives you the following rights regarding your personal data:

The right of access to the personal data we hold about you;
The right to rectification of inaccurate or incomplete data;
The right to erasure ("the right to be forgotten");
The right to restriction of processing;
The right to object to certain processing, including direct marketing;
The right to data portability, to receive your data in a structured, commonly used, machine-readable format;
The right to withdraw consent at any time where processing is based on consent; and
The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

To exercise any of these rights, email us at [email protected] or [email protected]. We will respond within one month of receiving your request, as required by the GDPR, and we will not discriminate against you for exercising your rights.

If your request concerns Customer Data for which one of our customers is the controller, we are acting as a processor and cannot act on it directly. In that case we will promptly refer your request to the relevant customer, who is responsible for responding to you.

6.Data Processing Agreement (DPA)

Business customers who act as controllers and engage SpamCipher to process Customer Data on their behalf can enter into our Data Processing Agreement.

Our DPA sets out the processor terms required by Article 28 of the GDPR, including the subject matter and duration of processing, the obligation to process Customer Data only on your documented instructions, confidentiality, security measures, the use of sub-processors, assistance with data subject requests, and deletion or return of data at the end of the engagement. It also incorporates the European Commission's Standard Contractual Clauses (and the UK Addendum) to cover international transfers.

A copy of our DPA is available on request at [email protected].

7.Sub-processors

To deliver the Service we rely on a small number of vetted sub-processors. Each is engaged under a contract that requires it to protect personal data to a standard consistent with the GDPR, to process data only for the purposes we specify, and to apply appropriate security measures. Our main sub-processors are:

Stripe — payment processing and billing;
Google Cloud Platform — cloud hosting, databases, and infrastructure;
Cloudflare — content delivery, DNS, and security, including bot and DDoS protection;
Email and deliverability infrastructure providers — the sending and probing infrastructure used to verify whether an address can receive mail, without delivering mail to the recipient; and
AI service providers — for optional automated analysis and plain-language summaries, where we send only the limited data needed for the feature. These providers are contractually prevented from using your data to train their models, and we do not use this data for advertising.

A current list of our sub-processors is available on request at [email protected]. We give customers advance notice of any new sub-processor so they have the opportunity to object.

8.International Data Transfers

SpamCipher is operated from, and primarily hosts data in, the United States. As a result, personal data may be transferred to and processed in the United States and other countries where we or our sub-processors operate, which may have different data-protection laws than your country.

Where we transfer personal data out of the EEA, the UK, or Switzerland, we protect it using appropriate safeguards, in particular the European Commission's Standard Contractual Clauses and the UK Addendum, which are incorporated into our Data Processing Agreement. We also apply supplementary measures, such as encryption of data in transit and at rest, to protect transferred data.

9.Data Retention

We keep personal data only for as long as we need it for the purposes described here and in our Privacy Policy, unless a longer period is required or permitted by law.

Customer Data — stored encrypted and retained only as long as needed to provide your results. You can delete uploaded files and results at any time, and we delete uploaded lists within 30 days unless you ask us to keep them longer.
Account and billing data — retained while your account is active and for a limited period afterward to meet legal, tax, accounting, and dispute-resolution requirements.
OAuth tokens and connected-account data — kept only while the integration remains connected; disconnecting or revoking access deletes them.
Logs and usage data — retained for a limited period for security and operational purposes.

When we no longer need personal data, we delete or anonymize it. Residual copies may remain in backups for a limited time before they are overwritten in the normal course of operations.

10.Security

We use technical, administrative, and organizational measures designed to protect personal data against loss, misuse, and unauthorized access, disclosure, alteration, or destruction. These include:

Encryption of data in transit using TLS, and encryption of sensitive data at rest;
Access controls that limit who can reach systems and data, on a need-to-know basis;
Secure, reputable cloud infrastructure on Google Cloud Platform and security tooling from Cloudflare;
Hashing of passwords and encrypted storage of credentials and OAuth tokens; and
Ongoing monitoring, logging, and regular review of our systems and controls.

No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a personal data breach, we will notify the relevant supervisory authorities and affected individuals as required by the GDPR.

11.Contact and Complaints

For any GDPR matter, including exercising your rights or requesting our DPA or sub-processor list, contact us at [email protected].

If you are in the EEA, the UK, or Switzerland, you also have the right to lodge a complaint with your local data-protection supervisory authority. We would, however, appreciate the chance to address your concern first, so please consider contacting us before approaching the authority — we will do our best to resolve the matter directly.