Legal

Data Processing Agreement (DPA)

Last updated: 28 June 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and [Ivan Laginestra] operating LookupSwiss in [Kanton Aargau], Switzerland (the "Processor"). It governs the processing of personal data carried out by the Processor on behalf of the Controller through the LookupSwiss validation API.

1. Parties

Controller: the LookupSwiss customer using the validation API. Processor: [Ivan Laginestra], LookupSwiss, [Kanton Aargau], Switzerland. Contact: laginestraivan3@gmail.com.

2. Subject matter

The Processor validates phone numbers and email addresses submitted to the LookupSwiss REST API on behalf of the Controller, returning structured validation results.

3. Duration

This DPA is effective from the moment the Controller accepts it (e.g. via the signup checkbox) and remains in force for as long as the Controller has an active LookupSwiss account.

4. Nature & purpose of processing

Real-time validation of phone numbers and email addresses, abuse detection, billing-related usage accounting.

5. Types of personal data processed

Email addresses, phone numbers, IP addresses of API callers, API request logs (timestamps, endpoint, outcome).

6. Categories of data subjects

End customers, leads, users, or prospects of the Controller’s own services whose data the Controller submits to the API.

7. Obligations of the Processor

The Processor shall:

  • Process personal data only on the documented instructions of the Controller (the API requests themselves constitute such instructions).
  • Ensure that persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (encryption at rest and in transit, least-privilege access, isolated environments).
  • Not engage new sub-processors without prior general authorisation — the Controller will be notified of any addition or replacement at least 30 days in advance and may object.
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction).
  • Assist the Controller in meeting GDPR Articles 32–36 obligations (security, breach notification, DPIA, prior consultation).
  • Notify the Controller without undue delay, and at the latest within 72 hours, after becoming aware of a personal data breach.
  • At the end of the contract, delete or return all personal data and copies, unless retention is required by law.

8. Sub-processors

The Processor uses the sub-processors listed in the table below to provide the Service. The Controller hereby authorises the use of these sub-processors.

9. International transfers

Where personal data is transferred outside Switzerland or the EEA, transfers are governed by EU Standard Contractual Clauses (SCCs) or an equivalent mechanism recognised under FADP/GDPR.

10. Liability

Liability of the Processor under this DPA is subject to the limitations set out in the Terms of Service.

11. Governing law & jurisdiction

This DPA is governed by Swiss substantive law and, where applicable, GDPR. Exclusive jurisdiction lies with the ordinary courts of [Kanton Aargau], Switzerland.

ProviderPurposeLocationTransfer basis
MongoDB AtlasDatabase / API logsFrankfurt, EUEU
SupabaseAuthenticationEU WestEU
VercelHostingUSASCC
StripePayment processingUSASCC
ResendTransactional emailsUSASCC
ZeroBounceEmail validationEUEU
TwilioPhone validation (planned)USASCC