Privacy and Security

Melissa takes our responsibility of ensuring the privacy and security of the data we handle with the utmost urgency and dedication. We understand that in today’s landscape, you must always be on guard and diligent in your duty to protect your clients’ and your own information. This is why we have our own dedicated digital security team. We are always testing our structures and personnel for vulnerabilities. Additionally, we have the latest industry audits and certifications.

For a full view of our approach to Privacy and Security, see the Melissa Privacy Policy.

Encryption

All of our services use HTTPS. We employ TLS 1.2 with SHA-256 bit encryption. Additionally, we are continually monitoring our family of cipher suites for any known vulnerabilities.

General FAQs

These FAQs are applicable to most Melissa cloud APIs – please refer to your service agreement or speak with your representative if you have concerns about a specific service.

Does Melissa store the data that is submitted for validation?

In general, Melissa does not persistently store customer data submitted for validation unless required for specific API functionalities. Data is processed in-memory and discarded after validation is complete.

However, some logging or usage tracking will be in place for account monitoring and/or debugging purposes. Logged data is minimized and primarily includes processing options and aggregate data.

What security measures do you take to protect your infrastructure?

Melissa employs industry-standard security controls, including:

  • Network segmentation and firewall protection

  • Intrusion detection/prevention systems (IDS/IPS)

  • Access controls with role-based permissions

  • Security audits and vulnerability assessments

  • Regular security patching and updates

Is any of the submitted data shared with third parties?

No, Melissa does not share, sell, or re-use any customer data submitted for validation to third parties. The data is used solely for the purpose of the validation/verification request and is not retained or distributed beyond the requirements for that interaction.

Depending on the specific service, however, it may be necessary to send data to a third party for validation only (email/telco servers, real-time identity checks, etc.).

GDPR FAQs

These FAQs are applicable to most Melissa cloud APIs – please refer to your service agreement or speak with your representative if you have concerns about a specific service.

Is your service compliant with data privacy regulations (e.g. GDPR, CCPA)?

Yes. Melissa’s services are designed with data privacy principles in mind and comply with applicable regulations such as GDPR, CCPA, HITECH, and more. We practice data minimization, pseudonymization, and purpose limitation. Read more about our certifications on our Certifications and Compliance page.

Any data transfers outside the EU are governed by our Standard Contractual Clauses (SCCs). Read more on our EU-U.S. Security framework page.

Where is the data processed geographically?

Requests are routed to our secure servers using geographic DNS routing. Data is processed in Melissa’s secure infrastructure, with servers located across the globe.

Can you sign a Data Processing Agreement (DPA)?

Yes. Melissa offers a standard DPA compliant with GDPR and other regulatory frameworks.

Do you use subprocessors for validation?

Yes, certain subprocessors may be engaged to facilitate processing as necessary. All subprocessors are vetted for GDPR compliance and data transfer agreements are in place.

Can you guarantee that my data stays within the EU?

Clients with regional data residency requirements can contact us to ask about options for region-specific processing configurations.

However, due to the nature of some services, which rely on contacting authoritative third-party servers, certain lookups may require communicating with servers located outside the EU.