Data Processing Agreement
Effective date: March 31, 2026 · Governs use of the Verdact API by EU/EEA customers or any customer processing personal data
Need a countersigned DPA?
Enterprise customers requiring a formally executed DPA should contact us. We'll respond within 2 business days.
1. Definitions
- Controller: The customer entity that determines the purposes and means of processing personal data (you)
- Processor: Verdact, which processes personal data on behalf of the Controller
- Data Subjects: Natural persons whose personal data appears in documents submitted to the Service
- Personal Data: Any information relating to an identified or identifiable natural person
- GDPR: EU General Data Protection Regulation 2016/679
2. Scope and Role
This DPA applies whenever the Controller submits documents containing personal data to the Verdact API. Verdact acts as a Processor under GDPR Article 28. Verdact's sub-processor role with Anthropic (Claude API) is covered in Section 6.
3. Processing Details
- Purpose: Detection and redaction of personally identifiable information from documents
- Duration: Per-request only — zero retention. Documents are never stored
- Categories of data: Names, email addresses, phone numbers, SSNs, financial data, and any other PII present in submitted documents
- Categories of data subjects: Any natural persons referenced in submitted documents
4. Processor Obligations
Verdact shall:
- Process personal data only on documented instructions from the Controller (i.e., API requests)
- Ensure that persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures (see Section 7)
- Assist the Controller in responding to data subject requests (DSARs) — noting that, since no document data is retained, most DSARs do not apply to Verdact-held data
- Assist the Controller with GDPR obligations including security, breach notification, DPIAs, and prior consultations
- Delete or return all personal data upon termination (document data: never stored; account data: deleted within 30 days of request)
- Make available all information necessary to demonstrate compliance and allow for audits (Section 10)
5. Controller Obligations
The Controller shall:
- Ensure a lawful basis exists for submitting personal data to the Service
- Provide accurate instructions to Verdact via API requests
- Notify Verdact of any restrictions on processing personal data of specific categories
6. Sub-processors
The Controller grants general authorization for Verdact to engage the following sub-processors. Verdact will notify Controllers of material sub-processor changes with at least 30 days' notice.
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | API hosting and database | US (EU-US DPF) |
| Anthropic | Contextual PII detection — text chunks only | US |
| Stripe | Payment processing | US (EU-US DPF) |
| Resend | Transactional email | US |
| Sentry | Error monitoring — no document content | US |
Each sub-processor is bound by data protection obligations equivalent to those in this DPA.
7. Technical and Organizational Security Measures
Technical
- TLS 1.2+ encryption in transit
- In-memory processing — no document persistence
- API keys stored as SHA-256 hashes only
- Rate limiting and request timeout controls
- Security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
Organizational
- Access to production systems limited to authorized personnel
- Incident response process with 72-hour breach notification commitment
- Regular security review of dependencies and infrastructure
8. Personal Data Breach Notification
In the event of a personal data breach affecting Controller data, Verdact will notify the Controller without undue delay and within 72 hours of becoming aware of the breach. Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
9. Data Deletion and Return
Document content is never stored — there is nothing to delete. Account data (email, key hash, usage logs) will be deleted within 30 days of account termination upon Controller request. Billing records are retained as required by law.
10. Audit Rights
The Controller may, with reasonable notice (at least 14 days) and at its own expense, audit Verdact's compliance with this DPA. Audits are limited to once per calendar year unless a breach has occurred. Verdact may satisfy audit requests by providing relevant third-party certifications or audit reports.
11. Governing Law
This DPA is governed by GDPR (EU) 2016/679 and, to the extent applicable, the UK GDPR. For conflict resolution, the governing law of the main Terms of Service applies.