Data processing addendum.

GDPR, UK GDPR, and CCPA-aligned. The contract governing how Veridra processes personal data on behalf of customers.

Current status

Veridra is pre-launch. Our Data Processing Addendum is in finalization with external counsel and will be published in full before v1.0 GA.

For procurement or privacy-office review of the current draft, email legal@veridra.io directly.

What the DPA covers

  • Roles: customer is the controller; Veridra is the processor
  • Scope and purpose of processing (attestation, evidence generation, verification)
  • Subprocessor list and notification-of-change commitments
  • Cross-border transfer mechanisms (SCCs, UK IDTA, adequacy)
  • Data subject rights handling and response timelines
  • Breach notification within 72 hours
  • Audit rights and security certifications
  • Data return and deletion on termination

Key technical guarantees

Minimization by design. Veridra processes hashes of AI decision inputs and outputs, not the underlying content. The DPA reflects this architectural choice.

Residency enforcement. EU customer data stays in EU regions, UK in UK, US in US. Cross-border replication is off by default.

Encryption and key custody. Data is encrypted at rest and in transit. Signing keys live in the customer's KMS, not with Veridra.

Request the draft

Email legal@veridra.io for the current draft DPA under MNDA. Include your organization name and intended use case.

Last updated

April 2026 · revisions pending v1.0 launch