Skip to content
Get your API key

GDPR

View as Markdown

Syvel is designed with GDPR compliance as a first principle. The API validates email addresses in real time without retaining any personal data beyond the scope of each individual request.

What data we process

When you call the Syvel API to check an email address, we process:

  • The email address submitted in the API request
  • Request metadata (timestamp, API key identifier, response status) for rate limiting and billing

We do not collect, store, or enrich any other personal data. Email addresses are never associated with names, IP addresses, device identifiers, or any other identifying information.

Where your data is hosted

Syvel’s infrastructure is entirely hosted within the European Union. No data is transferred to servers outside the EU during the processing of your requests. Your API calls — and the email addresses within them — never leave EU jurisdiction.

This makes Syvel a compliant alternative to US-hosted email validation services, where every API call constitutes a cross-border data transfer subject to additional GDPR requirements (Standard Contractual Clauses, Transfer Impact Assessments, etc.).

Retention policy

Syvel retains no personal data (email addresses) after returning the API response. Email addresses are processed in memory and discarded immediately upon completion of the check — nothing is written to disk or persistent storage.

Request metadata (API key ID, timestamp, HTTP response code) is retained solely for billing and rate-limiting purposes, in accordance with your subscription terms. These records do not contain email addresses.

As the data controller, you are responsible for establishing the legal basis for validating your users’ email addresses under GDPR Article 6. Common legal bases include:

  • Legitimate interest (Art. 6(1)(f)): preventing fraudulent registrations and protecting the quality of your contact database
  • Contract performance (Art. 6(1)(b)): ensuring a valid contact email is collected at account creation
  • Consent (Art. 6(1)(a)): where users have explicitly agreed and email validation is part of the stated service

As a data processor, Syvel processes personal data solely according to your instructions (the API call) and does not use it for any other purpose.

Data subject rights

Under GDPR Articles 15–22, your users have the right to access, rectify, erase, restrict, or port their personal data. Since Syvel retains no email addresses after processing, there is no personal data held by Syvel that is subject to these rights.

For personal data stored in your own systems (CRM, database, marketing platform), you remain the data controller and are responsible for handling data subject requests.

Data Processing Agreement (DPA)

Organizations that require a formal Data Processing Agreement as part of their GDPR compliance program can request one by contacting us. The DPA documents:

  • The roles and responsibilities of controller and processor
  • The subject matter, nature, and purpose of processing
  • The type of personal data and categories of data subjects
  • The technical and organizational security measures in place
  • Sub-processor details and obligations

Security measures

Syvel implements the following technical and organizational measures (TOMs):

  • All API traffic is encrypted in transit (TLS 1.2+)
  • API keys are never stored in plaintext
  • Access to production infrastructure is restricted to authorized personnel and protected by multi-factor authentication
  • No email addresses are written to disk or persistent storage at any point during processing
  • Regular security reviews and dependency audits

Sub-processors

Syvel uses a minimal set of sub-processors, all based in the European Union, to operate its infrastructure. A current list of sub-processors is available on request via the contact address below.

Contact

For privacy-related questions, DPA requests, or GDPR compliance documentation, contact us at privacy@syvel.io.

Last updated: