Data Processing Agreement

GDPR-compliant DPA for enterprise customers

Request Full DPA

The complete Data Processing Agreement, including Standard Contractual Clauses (SCCs) for international data transfers, is provided to enterprise customers during validation program onboarding.

DPA Overview

Vericor's Data Processing Agreement (DPA) governs how we process customer data on behalf of enterprise customers. The DPA is designed to comply with GDPR, CCPA, and other global privacy regulations.

This page provides a summary of key DPA provisions. The full DPA is executed during enterprise validation program onboarding and can be requested by contacting our legal team.

1. Scope of Processing

Subject Matter

Provision of identity verification and fraud detection services as described in the Master Service Agreement.

Duration

For the term of the Master Service Agreement, plus 30 days following termination for data export.

Nature and Purpose

Processing of emails, invoices, and identity documents to provide verification signals and fraud risk assessments.

Data Categories

  • Email metadata (sender, recipient, timestamp, headers)
  • Email content (body text, attachments)
  • Invoice data (vendor names, bank account numbers, amounts)
  • Identity verification data (names, addresses, employment history)
  • Verification results and risk scores

2. Data Subject Categories

Personal data processed under this DPA may relate to the following categories of data subjects:

  • Customer employees (email senders and recipients)
  • Vendors and business partners (invoice issuers)
  • Job candidates (identity verification subjects)
  • Customer contacts and authorized users

3. Security Measures

Vericor implements technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures

  • Encryption at rest (AES-256-GCM)
  • Encryption in transit (TLS 1.3)
  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • Automated backup and disaster recovery
  • Intrusion detection and prevention

Organizational Measures

  • Security awareness training
  • Background checks for personnel
  • Confidentiality agreements
  • Incident response procedures
  • Regular security assessments
  • Vendor security reviews

4. Sub-Processors

Vericor engages the following categories of sub-processors to provide the Services:

Sub-Processor | Service | Location
Cloud Infrastructure Provider | Hosting and infrastructure | United States
LLM Provider | AI analysis services | United States
Email Service Provider | Transactional emails | United States

Customers will be notified of any changes to sub-processors with 30 days' notice and may object to new sub-processors.

5. Data Subject Rights

Vericor will assist customers in responding to data subject requests, including:

  • Right of access: Provide copies of personal data
  • Right to rectification: Correct inaccurate personal data
  • Right to erasure: Delete personal data upon request
  • Right to data portability: Export personal data in machine-readable format
  • Right to object: Stop processing personal data for specific purposes

Customers remain responsible for responding to data subject requests. Vericor will provide reasonable assistance within 10 business days of receiving a request.

6. Data Breach Notification

In the event of a personal data breach, Vericor will:

  • Notify affected customers within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, affected data categories, and likely consequences
  • Describe measures taken or proposed to address the breach and mitigate harm
  • Provide contact information for further inquiries
  • Cooperate with customer investigations and regulatory reporting

7. International Data Transfers

Customer data is stored in US-based infrastructure by default. For customers subject to GDPR, Vericor provides:

  • Standard Contractual Clauses (SCCs): EU Commission-approved transfer mechanisms
  • EU data residency option: Store data exclusively in EU data centers
  • Transfer impact assessment: Documentation of safeguards for international transfers

8. Data Retention and Deletion

Vericor retains customer data according to the following schedule:

  • Verification metadata: 90 days (configurable)
  • Financial records: 7 years (configurable for compliance)
  • Audit logs: 7 years (immutable)
  • Account data: 30 days following termination

Upon termination or customer request, Vericor will delete all customer data within 30 days and provide a certificate of deletion.

9. Audits and Compliance

Customers have the right to audit Vericor's compliance with this DPA. Vericor will:

  • Provide SOC 2 Type II reports annually
  • Allow customer audits with 30 days' notice (max once per year)
  • Respond to security questionnaires within 15 business days
  • Provide evidence of compliance with security measures upon request

10. Contact Information

For questions about this DPA or to request the full executed agreement:

Email: [email protected]
Subject: Data Processing Agreement Request