Subprocessors
VeriProof uses third-party services to deliver the platform. When these services process personal data, they are acting as sub-processors under our DPA (see GDPR Article 28(2)).
Last updated: 1 August 2026
We notify customers of material subprocessor changes at least 14 days before they take effect. Notifications are sent to the primary account email address. To opt out of a new subprocessor, contact legal@veriproof.app within the notice period.
Current Subprocessors
Core Infrastructure
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Microsoft Azure | Cloud hosting, storage, networking, Key Vault, Service Bus | All platform data | EU (West Europe primary, North Europe DR) |
| Microsoft Azure Container Instances | Notary service (TEE) hosting | Session commitments (TEE-protected) | EU (West Europe) |
| Microsoft Azure App Service | Static Web Apps hosting for Customer and Staff portals | Authentication tokens, portal session data | EU (West Europe) |
Blockchain
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Solana Foundation / Validators | Public blockchain ledger | 32-byte cryptographic commitments only — no personal data | Global (decentralised) |
Payments
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing and billing | Payment card data, billing address, invoice information | USA (transfers covered by SCCs) |
Monitoring and Support
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Microsoft Application Insights | Application performance monitoring, error logging | Service metadata and anonymised request telemetry | EU (West Europe) |
| Cloudflare, Inc. | CDN, DDoS protection, DNS, Web Analytics (docs site) | IP addresses, request headers | Global (privacy-preserving analytics; see Cloudflare’s GDPR documentation) |
Communications
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| SendGrid (Twilio) | Transactional email (account notifications, alert emails) | Email address, notification content | USA (transfers covered by SCCs) |
| PagerDuty | Incident alerting for VeriProof on-call team | VeriProof staff contact information only — not customer personal data | USA |
Enterprise Federated Deployments
Enterprise Federated customers run the VeriProof platform in their own Azure subscription. In this model, Microsoft Azure is your direct sub-processor relationship, not VeriProof’s. The VeriProof Managed Application software components run in your environment; VeriProof has no network access to your data.
Stripe, SendGrid, and PagerDuty remain VeriProof sub-processors for billing, notifications, and on-call operations respectively, even in Enterprise deployments.
Requesting Objection to a New Subprocessor
If you object to the addition of a new subprocessor during the 14-day notice period:
- Email legal@veriproof.app with the subject line “Subprocessor Objection: [Subprocessor Name]”
- Describe the specific concern (legitimate interests test, geographic restriction, etc.)
- We’ll evaluate whether the service is essential to your specific usage and whether an alternative processing arrangement is technically feasible
If we cannot accommodate your objection, you may terminate affected services in accordance with the Terms of Service.
Next Steps
- Data Processing Agreement — DPA terms and SCCs
- GDPR — full GDPR compliance coverage
- Privacy Policy — how personal information is handled