
Data Processing Agreement

A Data Processing Agreement (DPA) formalises the relationship between VeriProof (as data processor) and your organisation (as data controller) when personal data is processed through the VeriProof platform. A DPA is required under GDPR Article 28 whenever a controller engages a processor for personal data processing.

The standard DPA is incorporated by reference into VeriProof’s Terms of Service for all paying customers. Enterprise customers may negotiate custom terms.

To execute a signed copy, contact legal@veriproof.app.


When a DPA is Required

A DPA is required if:

  • Your organisation is subject to GDPR or UK GDPR and you process personal data through VeriProof
  • Your organisation is subject to other data protection laws that require processor agreements (e.g., LGPD in Brazil, PDPA in Singapore)
  • Your internal data governance policy requires processor agreements for all SaaS vendors

If you only process fully anonymised data through VeriProof (no personal data reaches the platform), a signed DPA is optional but may still be requested for your vendor inventory.


What the Standard DPA Covers

The standard DPA includes:

| Section | Contents |
| --- | --- |
| Subject matter | Instructions to process personal data for the purposes described in the Terms of Service |
| Processing activities | Categories of data subjects, data types, and processing purposes |
| Technical and organisational measures | VeriProof’s security controls as described in the security documentation |
| Sub-processor obligations | VeriProof’s obligations regarding sub-processors (see Subprocessors) |
| Data subject rights | How VeriProof will assist with responding to data subject requests |
| Security incidents | Breach notification obligations (72-hour notification target) |
| Deletion and return | Data handling on contract termination |
| International transfers | Standard Contractual Clauses (Module 2: controller-to-processor) for transfers out of the EEA |

Standard Contractual Clauses

The DPA incorporates the European Commission’s Standard Contractual Clauses (SCCs) under EU 2021/914 (Module 2) for transfers of personal data from the EEA to VeriProof’s processing infrastructure. These SCCs are pre-signed and available as an exhibit to the standard DPA.

UK customers receive the UK Addendum under the UK IDTA in addition to the EU SCCs.


Custom Terms

Enterprise customers with more than 500,000 sessions per month, or with specific legal requirements, may negotiate custom DPA terms. Typical customisation requests include:

  • Modified audit rights provisions
  • Additional or modified sub-processor restrictions
  • Custom data retention and deletion timelines
  • Country-specific provisions for state privacy laws (CCPA, etc.)

Contact your account manager or email legal@veriproof.app to begin the negotiation process. Allow 10–15 business days for standard enterprise DPA review cycles.


Requesting a Signed DPA

To receive a countersigned copy of the standard DPA:

  1. Email legal@veriproof.app with your account ID and organisation name
  2. We’ll send the current standard DPA for your review
  3. Return a signed copy via email
  4. We’ll return a countersigned copy within five business days

The signed DPA is stored on your account and available for download from the Customer Portal under Settings → Legal Documents.


Next Steps

  • Privacy Policy — how VeriProof handles personal information
  • Subprocessors — current list of sub-processors
  • GDPR — full GDPR compliance coverage
  • HIPAA — BAA information for healthcare use cases