
GDPR Compliance

Last updated: February 18, 2026

Cascade Verify, operated by Salloq Software, is committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page details how we meet our obligations under the GDPR and explains the rights available to individuals in the European Union and European Economic Area.

1. Our Role Under GDPR

Depending on the context, Cascade Verify acts in different capacities:

| Scenario | Our Role | Explanation |
|---|---|---|
| Your account data (name, email, password) | Data Controller | We determine the purpose and means of processing your account information |
| Email addresses you submit for verification | Data Processor | We process third-party email addresses on your behalf, according to your instructions |

As a Data Controller for account data, we are responsible for ensuring lawful processing, providing transparency, and respecting your rights.

As a Data Processor for verification data, we process email addresses solely to perform the verification service you request. You, as the customer, remain the Data Controller for the email lists you submit.

2. Lawful Basis for Processing

We process personal data under the following legal bases as defined in Article 6 of the GDPR:

| Data Type | Lawful Basis | Detail |
|---|---|---|
| Account registration data | Contract (Art. 6(1)(b)) | Processing is necessary to provide the Service you signed up for |
| Email addresses submitted for verification | Legitimate interest (Art. 6(1)(f)) | Email list hygiene is a recognized legitimate interest for maintaining sender reputation and reducing bounces |
| Usage logs and analytics | Legitimate interest (Art. 6(1)(f)) | Necessary for service improvement, billing accuracy, and abuse prevention |
| Session cookies | Contract (Art. 6(1)(b)) | Technically necessary to provide authenticated access to the Service |

Note for our customers: If you are based in the EU/EEA and submit third-party email addresses for verification, you are responsible for ensuring you have a lawful basis (e.g., legitimate interest, consent) for processing those addresses. Our verification service supports your email hygiene obligations but does not replace your own data protection responsibilities.

3. Your Rights Under GDPR

If you are located in the EU or EEA, you have the following rights regarding your personal data:

Right of Access (Article 15)

You can request a copy of all personal data we hold about you. Your dashboard provides direct access to your account information, verification history, and API usage. For a formal Subject Access Request (SAR), email us at the address below.

Right to Rectification (Article 16)

If any of your personal data is inaccurate or incomplete, you have the right to have it corrected. You can update your name and company directly through your account settings.

Right to Erasure (Article 17)

You can request deletion of your personal data. Upon request, we will delete your account and all associated data including verification logs, API keys, and bulk job results. Note that we may retain certain data where we have a legal obligation to do so.

Right to Restriction of Processing (Article 18)

You can request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of contested data.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format. Our Service allows you to export verification results as CSV files. For a complete data export, contact us.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interest. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe we are not handling your data in compliance with GDPR.

How to exercise your rights: Email privacy@cascade-mail.net with your request. We will respond within 30 days. We may need to verify your identity before processing your request.

4. Data Processing Agreement

For customers who require a Data Processing Agreement (DPA) under Article 28 of the GDPR, we provide a standard DPA that covers:

  • The nature, purpose, and duration of processing
  • Types of personal data processed (email addresses, domain data)
  • Our obligations as a Data Processor
  • Sub-processor notifications
  • Assistance with data subject rights requests
  • Data breach notification procedures
  • Data deletion upon contract termination

Enterprise customers can request a signed DPA by contacting legal@cascade-mail.net.

5. International Data Transfers

Our servers are located in the United States. When personal data is transferred from the EU/EEA to our servers, we rely on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Additional technical safeguards including encryption in transit and at rest

We do not transfer personal data to countries that lack adequate data protection without appropriate safeguards in place.

6. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33)
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk (Article 34)
  • Document the breach, its effects, and the remedial actions taken

7. Data Protection Measures

We implement the following technical and organizational measures in accordance with Article 32:

  • Encryption: TLS 1.2+ for all data in transit; bcrypt for password storage
  • Access control: Role-based access; API keys with per-key tracking and revocation
  • Data minimization: We only collect data necessary for the Service to function
  • Retention limits: Verification logs are automatically purged after 90 days
  • Pseudonymization: Internal analytics use aggregated, anonymized data where possible
  • Regular review: Security practices are reviewed and updated periodically

8. Sub-Processors

We use a limited number of sub-processors to deliver the Service:

| Sub-Processor | Purpose | Location |
|---|---|---|
| Server hosting provider | Infrastructure and data storage | United States |
| Payment processor | Payment handling (no card data stored by us) | United States |

We will notify Enterprise customers of any changes to sub-processors with 30 days' advance notice.

9. Data Protection Officer

For GDPR-related inquiries, you may contact our designated privacy contact:

Salloq Software — Privacy
Email: privacy@cascade-mail.net

10. Cookie Policy

Cascade Verify uses only technically necessary cookies (session authentication). We do not use:

  • Analytics or tracking cookies
  • Advertising or third-party cookies
  • Social media tracking pixels

Because we only use strictly necessary cookies, consent under the ePrivacy Directive is not required. However, we disclose cookie usage in our Privacy Policy for full transparency.
