Data Processing Agreement
Last updated: May 29, 2026
This DPA forms part of the agreement between Driven Success LLC ("Processor", "Publish Now", "we", "us") and the customer ("Controller", "you") who uses the Email Validation tool at publishnow.app/email-validation ("Service").
This DPA applies whenever we process personal data on your behalf in connection with the Service, as required by the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the Swiss FADP, and other applicable data-protection laws. By uploading a list to the Service you accept this DPA; no signed counterpart is required for the free tier.
1. Parties
- Processor: Driven Success LLC, 160 Greentree Drive, Suite 101, Dover, Delaware 19904, United States.
- Controller: The natural or legal person identified by the notification email address provided at upload, or — for authenticated users — the organisation owning the workspace.
- Effective date: The date you first upload a list to the Service.
- Counterparty signing block (optional). Authenticated organisations on a future paid tier may request a signed counterpart by emailing yo@publishnow.app. Placeholder for counterparty: [Customer Legal Name], [Customer Address], signed by [Authorised Signatory], on [Date].
2. Definitions
- "Personal Data" means the email addresses, the notification email, the IP address, and any other identifying information contained in the file you upload or that we collect when you use the Service.
- "Controller" means the entity that determines the purposes and means of processing — that is you, when you upload a list for validation.
- "Processor" means Publish Now, processing Personal Data only on your documented instructions.
- "Data Subject" means the individual whose email address appears in the uploaded list.
- "Sub-processor" means any third party we engage to process Personal Data on your behalf, listed at /legal/subprocessors.
- "Processing" means any operation performed on Personal Data — collection, storage, syntactic checks, MX lookups, scoring, deletion.
- "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
3. Roles and Scope
When you upload an email list to the Service:
- You are the Controller — you determine why the list exists and decide to validate it. You warrant that you have a lawful basis (consent, contract, or legitimate interest) for processing the email addresses in the list.
- We are the Processor — we process the list only to deliver the result you requested (regex check, MX lookup, scoring, output CSVs, notification email).
- For our own operational data — the notification email address as a marketing lead (where you opted in), aggregate usage metrics, anti-abuse counters — we act as an independent Controller, as described in the Email Validation Privacy Notice.
4. Categories of Personal Data and Data Subjects
| Category | Data types | Data subjects |
|---|---|---|
| Uploaded email lists | Email addresses; any additional columns the Controller chose to include (name, company, tags, custom fields) | The Controller's contacts, prospects, subscribers, or customers |
| Notification address | The email address to which results are sent | The Controller or the Controller's nominated recipient |
| Connection metadata | IP address, user-agent, UTM parameters, Turnstile challenge result, anti-abuse rate-bucket counters | The Controller (the natural person submitting the upload) |
| Derived data | Per-address verdict (deliverable / risky / undeliverable / unknown), score, subcode, source flag | Same as uploaded list |
5. Nature, Purpose, and Duration of Processing
Nature: automated regex syntax checking and Mail-Exchanger (MX) DNS lookups against the domain part of each address. We do not send mail to the addresses, we do not probe SMTP, and we do not enrich the data with third-party sources.
Purpose: to produce three output files — a per-address scored CSV, a deliverable-only CSV, and a risky-review CSV — and to deliver them to the notification address.
Duration:
- Anonymous (no-account) jobs: input + output files retained for 7 days from job completion, then permanently deleted from object storage. Job-level metadata retained for the same window.
- Authenticated jobs: input + output files retained for 30 days from job completion. Per-row records retained for 90 days, then aggregated to counts only.
- Notification address treated as a lead: retained up to 24 months from last activity, unless the data subject withdraws marketing consent (in which case 30 days for audit, then purged).
- Domain MX cache contains no Personal Data and is retained indefinitely.
6. Sub-processors
You provide general written authorisation for us to engage the Sub-processors listed at /legal/subprocessors. We commit to:
- Imposing data-protection obligations on each Sub-processor no less protective than those in this DPA, by contract.
- Updating the Sub-processor list at least 14 days before adding or replacing a Sub-processor.
- Giving you a right to object to any new Sub-processor by email to yo@publishnow.app. If objection cannot be resolved within 30 days, you may terminate the affected portion of the Service and obtain deletion of all your Personal Data without penalty.
- Remaining liable to you for the acts and omissions of any Sub-processor.
7. Security Measures
We maintain the following technical and organisational measures, summarised here and detailed on request:
- Encryption in transit: TLS 1.2 or higher on all public endpoints; HSTS enforced; modern ciphers only.
- Encryption at rest: Cloudflare D1 storage encrypted by the platform; Backblaze B2 server-side encryption enabled on the validation bucket prefix.
- Access controls: Production systems accessible only to engineering staff under the principle of least privilege; access logged; SSO + MFA required.
- Tenancy isolation: Per-tenant scoping of address-level caches and result files; cross-tenant access prevented at the query layer.
- Anti-abuse: Cloudflare Turnstile on upload; rate-limit buckets per IP and per notification email; single-domain enumeration detection.
- Storage minimisation: Uploaded list files lifecycle-deleted by the retention windows in §5.
- Network segmentation: The Service runs on Cloudflare Workers — no shared OS, no shared filesystem.
- Logging: Structured request and workflow-step logs, retained for 30 days for security and reliability investigation.
- Vulnerability management: Dependency updates monitored via Dependabot; routine review of advisories.
8. Personal Data Breach Notification
In the event of a Personal Data Breach affecting your data, we will:
- Notify you without undue delay and in any event within 72 hours of becoming aware of the breach, by email to the notification address on file (and, where applicable, to the registered organisation admin).
- Provide sufficient information to enable you to meet your own notification obligations to supervisory authorities and Data Subjects: nature of the breach, categories and approximate number of records and Data Subjects affected, likely consequences, measures taken or proposed.
- Take reasonable steps to contain, investigate, and remediate the breach, and cooperate with your reasonable security-incident enquiries.
- Document the breach and our response in our internal incident-response log.
9. Data Subject Rights
We will assist you in fulfilling Data-Subject requests (access, rectification, erasure, restriction, portability, objection) by appropriate technical and organisational measures, taking into account the nature of the processing. Specifically:
- Access / portability: Authenticated users can download their per-row records via GET /api/email-validation/jobs/:id/records. Anonymous users receive a one-time signed JSON export link in the result email on request.
- Erasure: Authenticated users can soft-delete a job via DELETE /api/email-validation/jobs/:id; storage objects are purged within 24 hours. Anonymous users get a "delete my data" link in every result email, gated by their signed lookup token. Once deleted, recovery is impossible.
- Bulk erasure: Organisation-wide purge requests can be made by emailing yo@publishnow.app from the organisation owner's address; we will action within 30 days.
- If a Data Subject contacts us directly with a request relating to data you uploaded, we will redirect them to you and notify you of the request.
10. International Data Transfers
The Service runs on Cloudflare Workers (global edge network) and stores result files on Backblaze B2 (United States). For transfers of Personal Data from the EEA, the UK, or Switzerland to countries without an adequacy decision, we rely on:
- The European Commission's Standard Contractual Clauses (Module 2: Controller to Processor, Module 3: Processor to Processor) as approved by Commission Decision (EU) 2021/914.
- The UK International Data Transfer Addendum issued by the ICO, where applicable.
- Our Sub-processors' own adequacy mechanisms (e.g., Cloudflare's published SCCs and EU-U.S. Data Privacy Framework certification, where applicable).
An EU bucket residency option is not available in MVP and is tracked as a roadmap item.
11. Audit Rights
Upon reasonable prior written notice (at least 30 days), and no more than once per calendar year, you may request — at your cost — a summary of our most recent independent security assessment, our internal access-control policies, and evidence of Sub-processor data-protection obligations. Where the documentation is insufficient, you may conduct or appoint a qualified third-party auditor to conduct an on-site audit during regular business hours, subject to reasonable confidentiality and access restrictions, and at your cost.
12. Liability and Indemnity
Each party's liability under this DPA is subject to the limitations set out in the Publish Now Terms of Service. Nothing in this DPA limits a party's liability for a breach of its own statutory data-protection obligations to a Data Subject.
13. Term and Termination
This DPA takes effect on the Effective Date and remains in force as long as we process Personal Data on your behalf. On termination — whether by you ceasing to use the Service, by us discontinuing the Service, or by deletion of your account — we will, at your choice:
- Delete all Personal Data within 30 days, certifying deletion in writing on request; or
- Return Personal Data via the existing export endpoints within 30 days, then delete.
Retention beyond termination is permitted only where required by law, in which case we will continue to apply this DPA's protections.
14. Governing Law and Jurisdiction
This DPA is governed by the laws of the State of Delaware, United States, except where overridden by mandatory provisions of the data subject's local law. Any dispute arising out of or relating to this DPA shall be subject to the exclusive jurisdiction of the federal and state courts located in Delaware.
15. Counterpart and Signature
Acceptance by ticking the DPA acknowledgement at upload constitutes a binding agreement. For organisations requiring a wet-signed counterpart, the following block is provided:
Signed for and on behalf of Driven Success LLC: [Name] / [Title] / [Date]
Signed for and on behalf of the Customer: [Name] / [Title] / [Date]
16. Contact
- Data-protection enquiries: yo@publishnow.app
- Postal: Driven Success LLC, 160 Greentree Drive, Suite 101, Dover, Delaware 19904, United States
- See also: Sub-processor list · Email Validation Privacy Notice