This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement between [catchotp Ltd. — REGISTERED ENTITY NAME PLACEHOLDER] ("catchotp", "Processor") and you ("Customer", "Controller"), governing the processing of Personal Data by catchotp on behalf of Customer in connection with the catchotp service (the "Service"). It applies whenever catchotp acts as a Processor of Personal Data subject to applicable Data Protection Laws.
1. Definitions
Unless otherwise defined here, capitalized terms have the meaning given in the Terms.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"), and the Israeli Protection of Privacy Law, as amended from time to time.
- "Personal Data", "Controller", "Processor", "Data Subject", "processing", and "supervisory authority" have the meaning given in the GDPR.
- "Customer Personal Data" means Personal Data contained in Customer Data that catchotp processes on behalf of Customer in providing the Service.
- "Sub-processor" means a third party engaged by catchotp to process Customer Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, as approved by the European Commission in Decision (EU) 2021/914.
2. Scope; roles
This DPA applies to catchotp's processing of Customer Personal Data in providing the Service. With respect to Customer Personal Data, Customer is the Controller and catchotp is the Processor. catchotp is a Controller in respect of account-management, billing, and security data described in the Privacy Policy; that processing is governed by the Privacy Policy, not this DPA.
3. Processing instructions
catchotp shall process Customer Personal Data only on documented instructions from Customer, including with regard to transfers to third countries, unless required to do so by applicable law (in which case catchotp will inform Customer of that legal requirement before processing, unless prohibited from doing so). The Terms, the configuration of the Service in use by Customer, and reasonable use of the Service's features constitute Customer's documented instructions for the duration of the Agreement.
catchotp shall promptly inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
4. Details of processing (Annex I)
Subject matter and nature of processing. catchotp provides receive-only email inboxes and related software for testing, OTP verification, AI-agent automation, and similar developer use cases. Processing includes receiving, storing, transmitting, parsing, indexing, and deleting Personal Data contained in inbound emails and related metadata.
Duration of processing. The duration of the Agreement plus the retention periods set out in the Privacy Policy (for example, 30 days post-termination for account data; per-plan retention windows for message bodies; 365 days for audit-log metadata).
Categories of Data Subjects. (i) Customer's end users, employees, contractors, or other individuals whose email addresses are used to communicate with a catchotp inbox; (ii) Customer's authorized users of the Service.
Categories of Personal Data. Email addresses (sender and recipient), sender display names, subject lines, message bodies (text and HTML), attachments, IP addresses contained in email headers, message identifiers and timestamps, API request metadata, and any Personal Data Customer or its end users choose to include in email content.
Special categories. catchotp does not solicit or require special-category Personal Data (such as health, biometric, or political-opinion data). To the extent Customer or its end users transmit such data via the Service, Customer is solely responsible for the lawfulness of doing so.
Frequency. Continuous, for as long as the Service is in use.
5. Confidentiality and personnel
catchotp shall ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory) and have received appropriate training in the protection of Personal Data.
6. Security measures (Annex II)
catchotp implements appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
- Encryption. TLS 1.3 in transit; AES-256 at rest using AWS KMS. Customer-managed keys are available on Enterprise.
- Access control. Role-based access with least-privilege defaults, multi-factor authentication enforced for all engineers, no shared accounts, no long-lived static credentials in production.
- Network controls. Private VPC, restricted security groups, public endpoints behind WAF, DDoS protection at the edge.
- Logging and monitoring. Immutable audit logs of administrative actions and key API calls; centralized log aggregation; alerting on anomalous patterns.
- Vulnerability management. Automated dependency scanning, periodic penetration testing, and a coordinated disclosure program at security@catchotp.com.
- Backups and recovery. 35-day point-in-time recovery; documented disaster-recovery procedures.
- Secure SDLC. Code review, automated CI checks, segregated environments, and infrastructure-as-code with peer review.
- Personnel. Background checks where lawful, security training on hire and annually thereafter, off-boarding access removal within 24 hours.
catchotp regularly evaluates and updates these measures to maintain a level of security appropriate to the risk.
7. Sub-processors (Annex III)
Customer hereby provides general written authorization for catchotp to engage Sub-processors in connection with the Service, subject to the conditions in this Section. catchotp's current Sub-processors are listed at /legal/subprocessors. catchotp shall:
- enter into a written contract with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA;
- remain liable to Customer for the performance of each Sub-processor's obligations under that contract; and
- give Customer at least thirty (30) days' notice before engaging any new Sub-processor or replacing an existing one. If Customer reasonably objects to a new Sub-processor on data-protection grounds, Customer may terminate the affected portion of the Service for convenience and receive a pro-rated refund of pre-paid, unused fees.
8. Data Subject rights
Taking into account the nature of the processing, catchotp shall assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfil Customer's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection). If catchotp receives a request from a Data Subject directly relating to Customer Personal Data, catchotp shall (unless prohibited by law) promptly forward the request to Customer and not respond except as instructed by Customer.
9. Personal Data breach notification
catchotp shall notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any Personal Data breach affecting Customer Personal Data. The notification will include the information required by Article 33(3) GDPR to the extent then known. catchotp shall cooperate with Customer and provide reasonable assistance in connection with Customer's notification and remediation obligations.
10. Data protection impact assessments
catchotp shall provide Customer with reasonable assistance, taking into account the nature of the processing and the information available to catchotp, with any data protection impact assessments and prior consultations with supervisory authorities required under Data Protection Laws.
11. Audits and inspections
catchotp shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports (such as SOC 2 Type II once issued). Customer or a mutually agreed independent auditor may, no more than once per calendar year (and more frequently if required by a supervisory authority or following a Personal Data breach), audit catchotp's compliance with this DPA on at least thirty (30) days' written notice, during regular business hours, subject to reasonable confidentiality obligations and at Customer's expense (unless the audit reveals material non-compliance, in which case catchotp shall bear reasonable costs).
12. International data transfers
Customer Personal Data may be transferred to and processed in the United States and other jurisdictions where catchotp or its Sub-processors operate. Where such transfers are subject to Chapter V of the GDPR, the parties agree that the Standard Contractual Clauses (Module 2: Controller-to-Processor and, where applicable, Module 3: Processor-to-Sub-Processor) are incorporated into this DPA by reference, with the following selections:
- Clause 7 (Docking clause) is included.
- Clause 9(a) Option 2 (general written authorization for Sub-processors) applies, with the notice period set in Section 7 of this DPA.
- Clause 11(a) optional independent dispute-resolution body is not selected.
- Clause 17 governing law is the law of Ireland, unless another EU member state's law applies.
- Clause 18 forum and jurisdiction are the courts of Ireland.
- Annexes I, II, and III are populated by Sections 4, 6, and 7 of this DPA respectively.
For transfers from the United Kingdom, the parties agree to the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner's Office. For transfers from Switzerland, the SCCs apply with the adaptations required by the Swiss Federal Act on Data Protection (including references to the Swiss Federal Data Protection and Information Commissioner as the competent supervisory authority where Swiss law applies).
13. Return and deletion of data
Upon termination of the Agreement and at Customer's option, catchotp shall delete or return to Customer all Customer Personal Data and delete existing copies, except as required by applicable law. Standard deletion follows our retention practices: account data is retained for 30 days post-termination to allow export, then deleted; backups expire automatically per the 35-day PITR window.
14. Liability
The liability of each party arising under this DPA is subject to the limitations and exclusions of liability in the Agreement.
15. Conflict; severability
In the event of any conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA prevails. If any provision of this DPA is held unenforceable, the remaining provisions remain in full force and effect.
16. Contact
Questions about this DPA, or to request a counter-signed copy on letterhead, email privacy@catchotp.com.