Trust · Data Protection

Regional residency. Minimal retention. Clear rights.

Where Veridra holds data, how long, under which classifications, and the rights customers retain under GDPR Article 22, HIPAA, and other applicable frameworks. Residency is architectural, not optional.

Residency, retention, and minimum-necessary are architectural commitments at Veridra, not fine-print promises. The platform is built to satisfy them by construction.

What Veridra actually processes

Veridra intentionally processes as little customer-owned data as possible. The SDK hashes AI inputs and outputs before transmission, so the content of your model's decisions never reaches Veridra infrastructure. What we process is decision metadata: hashes of inputs and outputs, model version identifiers, policy version identifiers, signing requests, transparency log entries, and signatures. This metadata is what becomes your evidence. The original decision content stays in your environment.

This architectural choice is why we can satisfy HIPAA, GDPR, and sectoral data protection rules with minimal friction — we do not hold the regulated data itself, only cryptographically bound evidence that the regulated data was processed according to declared policy.

Residency — enforced at infrastructure, not policy

Regions in operation and roadmap

  • US regions: AWS us-east-1, us-west-2 for SaaS deployments. Private cloud deployments in customer AWS, Azure, GCP US regions.
  • EU regions: AWS eu-west-1, eu-central-1, eu-north-1 supported. Private cloud in Azure EU and GCP EU regions.
  • UK regions: AWS eu-west-2, Azure UK South / UK West. Sovereign handling specifically for UK customers with FCA, PRA, or ICO-facing obligations.
  • Africa regions: AWS af-south-1 (Cape Town), with additional AWS / local-sovereign deployments on roadmap for H2 2027 (notably Nigeria, Kenya, Ethiopia).

What residency enforcement means here

Residency is enforced at the infrastructure layer through tenant-region mapping in provisioning, IAM policies that prevent cross-region access, and transparency-log sharding by region. It is not a policy that could be violated by a misconfigured service — a US-region tenant's data cannot be stored, queried, or replicated out of US regions by construction.

Cross-region replication

Off by default. If a customer explicitly requests cross-region replication for disaster recovery or multi-region operations, it is enabled per-tenant with the replication scope cryptographically declared and auditable.

Data classification

Veridra's internal data classification scheme separates four tiers:

  • Public: marketing content, open-source code, published SBOMs, transparency log entries (for tenants who opt into public witnessing). No restriction.
  • Internal: engineering documentation, runbooks, governance artifacts. Employees and contractors with role assignment only.
  • Confidential: customer metadata, internal roadmaps, signing grant metadata. Employees with documented need-to-know.
  • Restricted: customer decision hashes, incident details, any data traceable to specific tenant operations. Strict need-to-know, access logged, access itself reviewed weekly.

Retention

Different data categories have different retention requirements:

  • Signed decision records: 7 years minimum (configurable longer for HIPAA, FDA SaMD, or specific regulatory requirements). Stored in the transparency log, append-only.
  • Audit logs: 7 years for regulatory alignment.
  • Operational logs: 1 year rolling.
  • Customer account metadata: lifetime of account + 30 days after termination.
  • Backups: 30 days rolling, encrypted at rest with keys separate from primary operations.
  • Transparency log: perpetual (append-only by design; individual entries are not removable, and this is the feature, not a defect).

Deletion under GDPR / CCPA / equivalents

The right to erasure, explained for a cryptographic evidence system

Customer-initiated deletion of personal data is honored within 30 days. Because Veridra's architecture hashes personal data at the SDK, the transparency log holds hashes — not personal data itself. Deletion of a customer account erases the metadata connecting a hash to a person. The hashes themselves remain in the append-only log, but are no longer linkable to a specific individual. This is a deliberate architectural choice to balance erasure rights with the cryptographic integrity of historical evidence. Legal counsel review has confirmed this approach is GDPR-compliant under the proper rights framework.
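
An added example, not Veridra's SDK code, sketching the two mechanisms described on this page: hashing decision content before it leaves the customer environment, and erasure by deleting the metadata that links a hash to a person. The field names, the link table, and the optional customer-held HMAC key are assumptions; the page does not say which hash construction the SDK uses.

```python
# Illustrative only: record fields, link table and keyed mode are assumptions.
import hashlib
import hmac
import json

def canonical(obj):
    """Stable byte encoding so the same content always yields the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def digest(obj, key=None):
    """SHA-256 of the content, or HMAC-SHA-256 when a customer-held key is given."""
    data = canonical(obj)
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_record(model_input, model_output, model_version, policy_version, key=None):
    """Decision metadata that leaves the customer side: digests and version ids only."""
    return {
        "input_hash": digest(model_input, key),
        "output_hash": digest(model_output, key),
        "model_version": model_version,
        "policy_version": policy_version,
    }

def verify_content(record, model_input, model_output, key=None):
    """Customer-side check that retained content is what the record committed to."""
    return (hmac.compare_digest(record["input_hash"], digest(model_input, key))
            and hmac.compare_digest(record["output_hash"], digest(model_output, key)))

def erase_subject(link_table, subject_id):
    """Erasure as described above: drop hash-to-person links, leave the log untouched."""
    removed = [h for h, s in link_table.items() if s == subject_id]
    for h in removed:
        del link_table[h]
    return removed

def relinkable(log, candidate_input, key=None):
    """True if a party holding this content (and key, if used) can find its log entry."""
    d = digest(candidate_input, key)
    return any(hmac.compare_digest(d, entry["input_hash"]) for entry in log)

if __name__ == "__main__":
    # Constructed sample decision; not real data.
    inp, out = {"applicant_id": "A-1001", "income_band": "C"}, {"decision": "refer"}
    rec = build_record(inp, out, "model-1.4.0", "policy-7")
    log, links = [rec], {rec["input_hash"]: "subject-42"}
    erase_subject(links, "subject-42")
    print(links, len(log), relinkable(log, inp))
```

With a plain digest, a party that still holds the original content can recompute its log entry after the link table is cleared; with a key that never leaves the customer environment, recomputation also requires that key.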

GDPR Article 22 specifically

Article 22 governs decisions based solely on automated processing that produce legal or similarly significant effects. Data controllers (your organization) are responsible for Article 22 compliance; Veridra is typically a processor. Our architecture supports controller obligations specifically: the signed decision record contains all the information needed to fulfill Article 22 rights (right to explanation, human review, and contestation), and the evidence packs are designed for data-subject disclosure under Article 15.

Data Processing Agreement (DPA)

Every customer receives a DPA at contract signing. The DPA specifies our processor role, subprocessor list, security measures, breach notification commitments, and data subject rights support. Our DPA is aligned with the European Commission Standard Contractual Clauses for transfers, and we maintain Transfer Impact Assessments for each jurisdiction we operate in.

Subprocessors

What we will not do

We do not add subprocessors without customer notification per DPA. We do not transfer EU personal data outside approved transfer mechanisms. We do not train AI models on customer data — ever. We do not use customer data for product analytics. We do not share customer data between tenants. These are contractual and architectural commitments, not marketing language.