Data Processing Agreement

This DPA applies whenever the Customer’s use of the Service involves the processing of personal data within the meaning of GDPR Article 4(1) or equivalent legislation. It supplements and forms part of the underlying Terms of Service available at https://databridge.so/terms (the “Agreement”), and is incorporated by reference into the Agreement. In the event of conflict between this DPA and the Agreement regarding the processing of personal data, this DPA prevails.

Method of acceptance. This DPA is a click-through agreement. The Customer accepts it by creating an account on https://databridge.so and processing personal data through the Service — the same mechanism recognised under GDPR Article 28 and the model jurisprudence on browse-/click-wrap contracts. We record the date and version accepted against each Customer account (see Version history and section 11.1 below) so an audit trail exists in the event of a dispute or audit.

The Customer enters into this DPA on behalf of itself and, to the extent required under applicable law, in the name and on behalf of any of its Authorised Affiliates.

Capitalised terms not defined here have the meaning given in GDPR. For convenience:

• “Personal Data” — any information relating to an identified or identifiable natural person processed by us on the Customer’s behalf.
• “Processing” — any operation performed on Personal Data, including collection, storage, alteration, retrieval, transmission, and deletion.
• “Sub-processor” — any third party engaged by us to process Personal Data on the Customer’s behalf.
• “Data Subject” — the natural person to whom Personal Data relates (e.g. an email address in your CSV).
• “Personal Data Breach” — a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

We will process Personal Data only on the Customer’s documented instructions. The Customer’s use of the Service constitutes its instructions to us to process Personal Data for the following purposes:

• • Validating email addresses against syntax, MX, disposable-provider, role-based, no-reply, typo-guard, and TLD trust checks.
• • Returning the cleaned dataset to the Customer with verdict and reason metadata.
• • Storing the original and cleaned datasets in the Customer’s account until the Customer deletes them.
• • Generating audit trails and dashboard statistics for the Customer’s use.
• • Providing technical support requested by the Customer.

We will not process Personal Data for any other purpose (such as marketing, training machine-learning models, or data brokerage) without the Customer’s prior written consent. The categories of Data Subjects, Personal Data, and the duration of processing are set out in Annex A.

We commit to the following:

• • Confidentiality: Personnel with access to Personal Data are bound by written confidentiality obligations and only access data on a need-to-know basis for incident response or support.
• • Security: We implement the technical and organisational measures listed in Annex C and review them at least annually.
• • Assistance: We assist the Customer in fulfilling its obligations under GDPR Articles 32–36, taking into account the nature of processing and information available to us.
• • Notification of unlawful instructions: If we believe an instruction violates GDPR or other applicable data protection law, we will notify the Customer without delay.
• • Records of processing: We maintain records of all categories of processing carried out on behalf of the Customer in accordance with GDPR Article 30(2).

The Customer is the controller of the Personal Data uploaded to the Service and bears ultimate responsibility for its lawful processing. By using the Service, the Customer represents and warrants that:

• • Lawful basis: the Customer has a valid lawful basis under GDPR Article 6 (or equivalent) to process each item of Personal Data uploaded to the Service.
• • Notices & consents: the Customer has provided Data Subjects with all required privacy notices and obtained any consents necessary for the processing described in section 3 and Annex A — including, where applicable, consent for international transfer to the United States.
• • Accuracy: the Customer is responsible for the accuracy, quality, and legality of the Personal Data it uploads, and for keeping it up to date.
• • Lawful instructions: all instructions given to us through the Service comply with applicable law. We may decline to act on, or pause processing of, any instruction we reasonably believe to be unlawful, and will notify the Customer in such case.
• • Prohibited data: the Customer must not upload, and must take reasonable steps to prevent its end users from uploading, any of the following through the Service:
  • – Special categories of Personal Data under GDPR Article 9 (health, biometric, political opinions, religious beliefs, sexual orientation, etc.);
  • – Data relating to criminal convictions or offences (GDPR Article 10);
  • – Protected Health Information (PHI) within the meaning of HIPAA — the Service is not a HIPAA Business Associate;
  • – Cardholder Data within the meaning of PCI DSS — the Service is not PCI-certified;
  • – Personal Data of children under the age of 16 without verified parental consent.
• • Account security: the Customer is responsible for protecting its account credentials and API keys, controlling access by its authorised users, and notifying us promptly if it believes either has been compromised.
• • Configuration choices: the Customer is responsible for the data-protection consequences of its configuration choices in the Service (e.g. enabling webhooks to a third-party endpoint, sharing dataset links, granting access to teammates).

The Customer indemnifies DataBridge against losses arising out of processing carried out in breach of this section, except to the extent caused by our own breach of this DPA.

The Customer authorises the engagement of the sub-processors listed in Annex B. Each sub-processor is bound by written terms imposing data protection obligations materially equivalent to those in this DPA.

We will give the Customer at least 30 days’ written notice (via the email associated with the account) before adding or replacing any sub-processor. The Customer may object to the proposed change on reasonable grounds within 14 days; if the parties cannot resolve the objection in good faith, the Customer may terminate the affected portions of the Service without penalty.

Personal Data of EU/UK Data Subjects may be transferred to and processed in the United States and other countries where our sub-processors operate. Such transfers are made under the European Commission’s Standard Contractual Clauses (SCCs) of 4 June 2021 (Module Two: controller to processor), incorporated by reference into this DPA, supplemented by the UK International Data Transfer Addendum where applicable.

We perform Transfer Impact Assessments (TIAs) for material new sub-processor engagements. A summary is available on request to support@databridge.so.

We maintain a written information security programme that includes, at a minimum, the technical and organisational measures described in Annex C. We may update these measures from time to time provided the overall level of protection is not reduced.

We will notify the Customer of a Personal Data Breach affecting the Customer’s data without undue delay and in any event within 72 hours of becoming aware of it. Notification will be made in writing to the email address on the Customer’s account and will include, to the extent known: (a) the nature of the breach, (b) the categories and approximate number of Data Subjects and records affected, (c) the likely consequences, and (d) the measures taken or proposed to address it.

We will cooperate with the Customer’s reasonable requests for information needed to fulfil the Customer’s notification obligations under GDPR Articles 33–34.

Taking into account the nature of the processing, we will assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil requests by Data Subjects exercising their rights under GDPR Chapter III (access, rectification, erasure, restriction, portability, and objection).

If we receive a request directly from a Data Subject in respect of Personal Data processed on behalf of the Customer, we will not respond directly (except to direct the Data Subject to the Customer) and will forward the request to the Customer without undue delay.

We will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. The Customer may, at its own expense and no more than once per year (except in case of a Personal Data Breach), request an audit of our compliance with this DPA, on at least 30 days’ written notice and during normal business hours, conducted in a manner that does not interfere with our operations.

The Customer may rely on independent audit reports we provide (such as the Supabase SOC 2 Type II report covering our primary infrastructure) in lieu of conducting its own audit, where reasonable.

We will retain Personal Data for the duration of the Agreement. Upon termination, or on the Customer’s written request at any time, we will, at the Customer’s choice, either delete or return all Personal Data and delete existing copies, unless storage is required by applicable law.

Datasets deleted by the Customer through the Service interface (e.g. via /dashboard/trash) are removed from active storage immediately and from backups within 30 days. Account deletion triggers full erasure within 30 days.

The liability of each party under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party’s liability for breaches of confidentiality obligations, for fraud or fraudulent misrepresentation, or where such limitation would be unlawful.

This DPA takes effect on the date the Customer first uses the Service or otherwise accepts the Agreement, and remains in force for as long as we process Personal Data on the Customer’s behalf. Sections that by their nature should survive termination (including those on confidentiality, audits, and surviving definitions) will survive.

This DPA is governed by the law of the jurisdiction set out in the Agreement, except that, in respect of the SCCs, the choice of law and forum specified in the SCCs themselves prevails.

This section applies to the extent the Customer’s use of the Service involves the processing of Personal Information of California consumers within the meaning of the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively, the “CCPA”). For the purposes of this section, terms such as “Personal Information”, “Sell”, “Share”, “Service Provider”, “Contractor”, and “Business Purpose” have the meanings given in the CCPA.

The following sub-processors are authorised at the date of this DPA. The current list is mirrored in our Privacy Policy section 4 and updated on material change.

Material changes to this DPA result in a version bump. Customers on a paid plan are notified by email at the address on their account at least 30 days before a new version takes effect, providing time to object or migrate. The current version is v1.1 (effective 2026-05-08).