Data Processing Agreement

Last updated: July 4, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Veridexa, Inc. ("Processor") and the customer ("Controller") for the use of Veridexa's document verification services. It reflects the parties' commitments under the EU General Data Protection Regulation (GDPR), the UK GDPR, and comparable data protection laws.

1. Roles of the Parties

The Controller determines the purposes and means of processing personal data submitted to the Services. Veridexa acts as Processor and processes personal data solely on the Controller's documented instructions.

2. Subject Matter and Duration

The subject matter of processing is document verification. Processing continues for the duration of the Controller's use of the Services and any legally required retention period thereafter.

3. Nature and Purpose

Personal data is processed to verify the authenticity of submitted documents, generate verification reports, prevent fraud, and support the Controller's account.

4. Categories of Data Subjects and Data

  • Data subjects: individuals whose documents are submitted for verification, and Controller end users.
  • Personal data: identity data, document images and metadata, account and contact information, and technical/log data.

5. Processor Obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure personnel authorized to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures.
  • Assist the Controller with data subject requests and regulatory obligations.
  • Notify the Controller without undue delay of any personal data breach.

6. Subprocessors

The Controller grants general authorization for Veridexa to engage subprocessors listed on our Subprocessors page. Veridexa will impose data protection obligations on subprocessors that are no less protective than those in this DPA.

7. International Transfers

Where personal data is transferred outside the EEA/UK, Veridexa relies on Standard Contractual Clauses or another lawful transfer mechanism.

8. Security Measures

Security measures include encryption in transit and at rest, access controls, network protections, secure development practices, logging, and regular reviews.

9. Return or Deletion of Data

Upon termination of the Services, Veridexa will delete or return personal data at the Controller's choice, unless retention is required by law.

10. Contact

To request a signed copy of this DPA or ask questions, contact privacy@veridexa.io.