Data Processing Addendum
Last updated: March 30, 2026
1. Introduction
This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between you (“Customer”, “Controller”) and NoTemp.email, operated by an individual sole proprietor based in Israel (“Processor”), and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Service.
This DPA is designed to ensure compliance with the EU General Data Protection Regulation (GDPR), the Israeli Privacy Protection Law, 5741-1981, and other applicable data protection laws.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service.
- “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Scope of Processing
The Processor processes Personal Data solely to provide the Service as described in the Agreement. The details of processing are as follows:
- Provision of the NoTemp.email disposable email detection API
- For the duration of the Agreement, plus any retention period specified in the Privacy Policy
- Transient processing of email addresses submitted via API to determine if they are disposable; account management and billing
- Customer’s end users whose email addresses are submitted to the API; Customer’s account administrators
- Email addresses (transient), account email addresses, hashed passwords, billing metadata, API usage logs (timestamps, response codes)
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure the security of Personal Data, including encryption in transit (TLS 1.2+), secure password hashing, and access controls
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
- Assist the Controller in ensuring compliance with obligations related to security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities
- At the Controller’s choice, delete or return all Personal Data upon termination of the Agreement, unless retention is required by applicable law
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
5. Sub-processors
The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall:
- Maintain an up-to-date list of Sub-processors (see Section 5.1 below)
- Impose data protection obligations on each Sub-processor that are no less protective than those in this DPA
- Notify the Controller of any intended addition or replacement of Sub-processors at least 14 days in advance via email
- If the Controller objects to a new Sub-processor within 14 days of notification, the parties will work in good faith to resolve the concern. If no resolution is reached, the Controller may terminate the Agreement
5.1 Current Sub-processors
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, API Gateway, Cognito (authentication), DynamoDB (database) | US East (N. Virginia), EU (Frankfurt) | AWS DPA, SOC 2, ISO 27001 |
| Lemon Squeezy (Lemon Squeezy, LLC) | Payment processing, subscription billing | United States | LS Privacy Policy, PCI DSS compliant (via Stripe as sub-processor) |
| AWS Amplify | Website hosting and deployment | US East (N. Virginia) | Covered under AWS DPA |
6. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed under this DPA, the Processor shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide sufficient information to enable the Controller to meet its own breach notification obligations under applicable law
- Include in the notification: (a) a description of the nature of the breach, (b) the categories and approximate number of affected data subjects, (c) the likely consequences, and (d) measures taken or proposed to mitigate adverse effects
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
- Document all Data Breaches, including the facts, effects, and remedial actions taken
7. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom, the Processor shall ensure that appropriate safeguards are in place:
- Israel: Recognized by the European Commission as providing an adequate level of data protection (Commission Decision 2011/61/EU)
- United States (AWS, Lemon Squeezy): Transfers are governed by Standard Contractual Clauses (SCCs) as incorporated into the respective Sub-processor DPAs, and where applicable, the EU-U.S. Data Privacy Framework
8. Audits
The Processor shall make available to the Controller, upon reasonable request and subject to confidentiality obligations, all information necessary to demonstrate compliance with this DPA.
The Controller may conduct audits (including inspections) of the Processor’s data processing activities, subject to: (a) at least 30 days’ advance written notice, (b) no more than one audit per calendar year (unless required by a supervisory authority), and (c) the audit being conducted during normal business hours with minimal disruption to the Processor’s operations.
Where feasible, the Processor may satisfy audit requests by providing relevant third-party certifications, audit reports (e.g., SOC 2), or summaries of security measures.
9. Data Retention & Deletion
Email addresses submitted to the API are processed transiently and are not stored beyond the duration of the request. API usage logs (timestamps, response codes, request counts) are retained for up to 90 days, after which they are aggregated and anonymized.
Upon termination of the Agreement, the Processor shall delete all Personal Data within 30 days, unless retention is required by applicable law. The Controller may request a copy of their data in a structured, machine-readable format prior to deletion.
10. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. This DPA does not limit or exclude liability for breaches of data protection obligations to the extent such limitation is not permitted by applicable law.
11. Governing Law
This DPA is governed by the same laws that govern the Agreement (the laws of the State of Israel). To the extent a conflict exists between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
12. Contact
For DPA-related inquiries, data subject requests, or breach notifications, contact us at support@notemp.email.