This Data Processing Addendum ("DPA") forms part of the agreement between VerifyPage, Inc. ("VerifyPage", "Processor") and the customer ("Customer", "Controller") for the use of VerifyPage's services. This DPA reflects the parties' agreement regarding the processing of personal data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.
1. Definitions
"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in the GDPR. "Customer Data" means personal data that Customer or its end users transmit to or through the services.
2. Processing details
Subject matter: Provision of the VerifyPage services as described in the Agreement.
Duration: The term of the Agreement, plus the data retention periods set out in the Privacy Policy.
Nature and purpose: Hosting, storage, transmission, and processing of documents and associated metadata to provide the contracted services.
Categories of Personal Data: Identification data (name, email), professional information (employer, role), authentication data, document content (variable by Customer use case), usage logs, and IP addresses.
Categories of Data Subjects: Customer's employees, contractors, clients, end users, and other third parties whose data is uploaded by or shared with Customer.
3. Customer instructions
VerifyPage will process Customer Data only on documented instructions from Customer, including transfers of Personal Data to a third country, unless required to do so by applicable law. VerifyPage will inform Customer of such legal requirement before processing, unless prohibited by law.
4. Confidentiality
VerifyPage ensures that personnel authorized to process Customer Data are bound by confidentiality obligations and receive appropriate training.
5. Security measures
VerifyPage implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in our Trust Center. These measures include encryption of data in transit and at rest, pseudonymization where applicable, regular testing of security controls, incident response procedures, and access controls based on least privilege.
6. Sub-processors
Customer authorizes VerifyPage to engage sub-processors. A current list is maintained in the Trust Center. VerifyPage will notify Customer at least 30 days in advance of any intended changes (additions or replacements). Customer may object on reasonable grounds within 30 days; if the parties cannot resolve the objection, Customer may terminate the affected services with a pro-rata refund.
VerifyPage imposes data protection obligations on its sub-processors that are no less protective than those in this DPA.
7. Data Subject rights
VerifyPage will, to the extent legally permitted, assist Customer in responding to requests from Data Subjects exercising their rights under applicable law (access, rectification, erasure, restriction, portability, objection). Customer is responsible for responding to Data Subject requests; VerifyPage provides tools within the service to facilitate this and will respond to assistance requests within 10 business days.
8. Personal Data breach
VerifyPage will notify Customer without undue delay (and in any case within 48 hours) after becoming aware of a Personal Data Breach affecting Customer Data, providing information sufficient for Customer to meet its own notification obligations under applicable law.
9. Data Protection Impact Assessment
VerifyPage will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out.
10. Audit rights
VerifyPage will make available to Customer all information necessary to demonstrate compliance with this DPA. Customer may, no more than once per year and at its own expense, conduct an audit by reviewing VerifyPage's most recent SOC 2 Type II report and ISO/IEC 27001 certificate and by obtaining VerifyPage's answers to reasonable written questions. On-site audits are available to Enterprise customers under additional terms.
11. International transfers
Where VerifyPage processes Personal Data of EU/EEA, UK, or Swiss Data Subjects in a country that has not received an adequacy decision from the relevant authority, the parties agree that such transfers shall be governed by:
- The Standard Contractual Clauses (Module 2: Controller to Processor) adopted by the European Commission in Commission Implementing Decision (EU) 2021/914, incorporated by reference into this DPA, for transfers from the EU/EEA;
- The UK International Data Transfer Addendum to the EU SCCs, for transfers from the UK;
- The Swiss FDPIC-approved version of the SCCs, for transfers from Switzerland.
VerifyPage self-certifies under the EU-US Data Privacy Framework, the UK Extension, and the Swiss-US DPF where applicable.
12. Return or deletion of data
Upon termination of the services, VerifyPage will, at Customer's choice, delete or return all Customer Data, including existing copies, unless retention is required by applicable law. Deletion will be completed within 30 days from production systems and 90 days from backups, with written confirmation provided on request.
13. Liability and order of precedence
Each party's liability under this DPA is subject to the limitations of liability in the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA controls with respect to processing of Personal Data.
14. Governing law
This DPA is governed by the laws of the Commonwealth of Massachusetts, USA, except that, where required by applicable law, this DPA is governed by the law of the country of the relevant Data Subjects.
15. Contact
Data Protection Officer: dpo@verifypg.com
Privacy queries: privacy@verifypg.com
Security incidents: security@verifypg.com