Data Processing Agreement
1. Introduction
This Data Processing Agreement forms part of the agreement between Customer and Veritrellis where Veritrellis processes personal data on behalf of Customer as a processor.
This DPA applies to processing of personal data contained in Customer Content, including action request payloads, policy evaluation records, approval records, permit metadata, audit logs, workspace configuration, and integration metadata, to the extent such data is processed by Veritrellis on behalf of Customer.
2. Definitions
Terms such as “controller,” “processor,” “personal data,” “processing,” “data subject,” “personal data breach,” and “special categories of personal data” have the meanings given in the GDPR.
“Customer Personal Data” means personal data processed by Veritrellis on behalf of Customer under the agreement.
3. Roles
Customer is the controller of Customer Personal Data, or a processor acting on behalf of another controller. Veritrellis is the processor of Customer Personal Data.
Customer is responsible for ensuring that it has a lawful basis for processing and for instructing Veritrellis to process Customer Personal Data.
4. Subject matter and duration
The subject matter of processing is the provision of Veritrellis as a permit-based authorization control plane for high-risk product and AI-agent actions.
The processing lasts for the duration of the agreement, plus any period required for deletion, return, backup expiry, legal compliance, security, dispute resolution, or audit obligations.
5. Nature and purpose of processing
Veritrellis processes Customer Personal Data to:
- receive and process action requests;
- validate schemas;
- evaluate policies;
- route and record approval decisions;
- issue, store, retrieve, and verify permit metadata;
- maintain audit logs;
- operate workspaces and environments;
- provide APIs, SDKs, connectors, and webhooks;
- secure, monitor, troubleshoot, and maintain the service;
- provide support where requested; and
- comply with documented Customer instructions.
6. Categories of data subjects
Customer Personal Data may relate to:
- Customer’s employees, contractors, administrators, users, and approvers;
- Customer’s end users, customers, leads, vendors, accounts, or contacts;
- individuals referenced in action requests or audit logs;
- individuals involved in approval, review, or execution workflows; and
- other individuals whose data is submitted by Customer.
7. Categories of personal data
Customer Personal Data may include:
- names;
- business email addresses;
- user IDs and account IDs;
- company, workspace, team, role, and approval-group data;
- action request payload data;
- transaction or business-action metadata;
- policy evaluation outcomes;
- approval decisions, comments, timestamps, and approver identity;
- permit identifiers and permit metadata;
- audit log entries;
- API and technical metadata;
- IP addresses and device metadata; and
- other data submitted by Customer in action requests, policies, comments, or configurations.
8. Special-category and sensitive data
The service is not designed for unrestricted processing of special-category personal data, criminal-offence data, payment card data, health data, government identifiers, secrets, credentials, or regulated data.
Customer must not submit such data unless:
- expressly permitted by the agreement or an order form;
- strictly necessary for the supported use case;
- legally authorized by Customer;
- covered by appropriate safeguards; and
- approved by Veritrellis where required.
Free-tier, sandbox, beta, and trial accounts must not be used for such data.
9. Customer instructions
Veritrellis will process Customer Personal Data only on documented instructions from Customer, including the agreement, product configuration, API calls, admin settings, support requests, and written instructions.
If Veritrellis believes an instruction infringes applicable data protection law, Veritrellis will inform Customer unless prohibited by law.
10. Confidentiality
Veritrellis will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
11. Security measures
Veritrellis will implement appropriate technical and organizational measures designed to protect Customer Personal Data. Current measures are described in the Security Measures document and may include access controls, encryption, logging, backups, environment separation, least privilege, and incident response procedures.
12. Subprocessors
Customer authorizes Veritrellis to use subprocessors to provide the service. Current subprocessors are listed in the Subprocessor List.
Veritrellis will impose data protection obligations on subprocessors that are materially equivalent to those in this DPA, to the extent applicable to the services they provide.
Veritrellis may update subprocessors by updating the Subprocessor List or notifying Customer through reasonable means. Customer may object to a new subprocessor on reasonable data-protection grounds within 14 days after notice. If the parties cannot resolve the objection, Customer may terminate the affected service to the extent required.
13. International transfers
Where Customer Personal Data is transferred outside the EEA, Veritrellis will use appropriate safeguards, such as adequacy decisions, Standard Contractual Clauses, transfer risk assessments, and supplementary measures where required.
If Standard Contractual Clauses are required, the applicable module will be determined by the roles of the parties and incorporated by reference unless a separate transfer agreement is signed.
14. Assistance with data subject rights
Taking into account the nature of processing, Veritrellis will provide reasonable assistance to Customer in responding to data subject requests relating to Customer Personal Data.
If a data subject contacts Veritrellis directly regarding Customer Personal Data, Veritrellis may refer the request to Customer unless legally required to respond directly.
15. Assistance with compliance
Taking into account the nature of processing and information available to Veritrellis, Veritrellis will provide reasonable assistance with Customer’s obligations relating to security, personal data breach notification, data protection impact assessments, and prior consultation, where required by applicable data protection law.
Assistance beyond standard product functionality or standard documentation may be subject to reasonable fees.
16. Personal data breaches
Veritrellis will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
The notice will include information reasonably available to Veritrellis, such as the nature of the breach, affected data, likely consequences, measures taken or proposed, and a contact point.
Customer is responsible for determining whether notifications to supervisory authorities or data subjects are required, unless Veritrellis is legally required to notify directly.
17. Deletion and return
Upon termination or expiry of the agreement, Veritrellis will delete or return Customer Personal Data in accordance with the agreement, product functionality, and Data Retention Policy, unless retention is required by law or for security, backup integrity, dispute resolution, or legitimate business-records purposes.
Backups may persist for a limited period before automatic deletion or overwrite.
18. Audit
Veritrellis will make available information reasonably necessary to demonstrate compliance with this DPA, such as security documentation, subprocessor information, and written responses.
Customer may request an audit no more than once per year unless required by a supervisory authority or following a material security incident. Audits must be reasonable, limited in scope, conducted during business hours, subject to confidentiality, and must not compromise security or other customers’ data.
Veritrellis may satisfy audit requests through third-party reports, questionnaires, documentation, or remote review. On-site audits require prior written agreement and may be subject to reasonable fees.
19. Customer obligations
Customer represents and warrants that:
- it has all rights, notices, consents, and lawful bases required to submit Customer Personal Data;
- its instructions comply with data protection law;
- Customer Personal Data is accurate, relevant, and limited to what is necessary;
- it will not submit prohibited data;
- it will configure the service securely;
- it will maintain appropriate notices to its users and data subjects; and
- it will comply with all applicable data protection laws.
20. Order of precedence
If there is a conflict between this DPA and the Terms of Service regarding processing of Customer Personal Data, this DPA controls.