Legal

Data Processing Agreement

Version 1.0 Effective 2026-03-15

This DPA is accepted via a checkbox when creating your account. The acceptance date and version number (1.0) are stored in the database at each registration, in accordance with Article 7 of the GDPR.

This Data Processing Agreement ("DPA") is entered into between Syvel ("Processor") and the Client who created an account on syvel.io ("Controller"), pursuant to Article 28 of the GDPR (EU Regulation 2016/679).

1. Subject Matter and Duration

This DPA defines the conditions under which Syvel, acting as a data processor, processes personal data on behalf of the Client for the purpose of providing the email validation API Service. It enters into force on the date of acceptance at account creation.

2. Nature, Purpose and Type of Data

2.1 Nature

Collection, analysis, cryptographic hashing, result caching, and deletion of data submitted via the API.

2.2 Purpose

Real-time email validation: disposable email detection, DNS infrastructure analysis (MX, SPF, DMARC), risk score calculation.

2.3 Types of Personal Data

Email addresses submitted to the API (processed ephemerally — see Article 3).
Domain name of the email address.

3. Processing Architecture and Data Protection

3.1 Ephemeral RAM-Only Processing

The plaintext email address is never persisted to disk or any database. It is loaded exclusively into RAM for the duration of the analysis — typically a few milliseconds — then immediately discarded from memory.

3.2 Database Storage: Hash Only

In the database, Syvel never stores the email address in plaintext. Only:

An irreversible SHA-256 hash of the local part (before the @), for result caching.
The domain name separately, for DNS infrastructure analysis.

Stored separately, these two elements cannot reconstruct a complete email address. The SHA-256 hash is cryptographically irreversible.

4. Log Retention Periods

API usage logs are retained according to the Client's subscribed plan. After expiry, logs are automatically and irreversibly purged within a maximum of 4 hours by an internal cron job.

Free plan: 24 hours.
Starter plan: 30 days.
Pro plan: 60 days.
Business plan: 90 days.

These periods are implemented in production code via the PLAN_LOG_RETENTION_DAYS parameter.

5. Hosting — 100% France

Syvel's entire infrastructure is hosted in France. No data is transferred outside France.

Application servers: Scaleway SAS (France).
PostgreSQL database: Scaleway SAS (France).
Redis cache: Scaleway (France).

This architecture provides complete immunity from the US CLOUD Act.

6. Sub-processors

Scaleway SAS (France) — server hosting, PostgreSQL database, Redis cache. DPA in place. No transfer outside France.
Stripe, Inc. (USA) — payments. EU SCCs in place. Does not process API validation data.
Resend, Inc. (USA) — transactional email (password reset). EU SCCs in place. Receives account email only.

7. Processor Obligations (Syvel)

Process data only for the purposes defined in this DPA.
Ensure confidentiality of processed data.
Implement appropriate technical and organizational security measures (GDPR art. 32).
Notify the Controller within 72 hours of any personal data breach.
Assist the Controller in responding to data subject rights requests.
Delete or return data at the end of the contract.

8. Controller Obligations (Client)

Have a valid legal basis for processing data submitted to the API.
Inform data subjects of processing by Syvel as sub-processor.
Secure API keys in accordance with Syvel's Terms of Service.

9. Security Measures

TLS 1.3 encryption in transit.
Encryption at rest.
2FA and least-privilege access to production systems.
Access logging and regular security testing.
Ephemeral architecture: email addresses never written to disk.

10. Versioning and Acceptance

This DPA bears version number 1.0, effective 2026-03-15. At each account creation, the acceptance date and version number are stored in the database (GDPR art. 7 compliance).

11. Contact

[email protected]