Data processing addendum
Effective date: 2026-01-01. This DPA is incorporated by reference into the Veric Terms of Service when a customer processes personal data covered by the EU GDPR, UK GDPR, Swiss FADP, or substantially similar laws.
1. Definitions
“Controller,” “Processor,” “Personal Data,” “Processing,” and related terms have the meanings set out in Article 4 of the GDPR.
2. Roles
Customer is the Controller. Veric acts as Processor for Customer’s findings data and as independent Controller for account and billing data strictly required to operate the service.
3. Scope and duration
Processing is limited to what is necessary to provide the service. Processing ends when the account is deleted, subject to the 30-day deletion window described in the Privacy Policy.
4. Subprocessors
The current list of subprocessors is maintained at /legal/subprocessors. Customer may subscribe to an RSS/email notification for changes by emailing legal@veric.dev.
5. Security measures
- TLS 1.2+ for all data in transit.
- Encryption at rest using Azure platform-managed keys.
- Role-based access with least privilege; admin actions are logged.
- SOC 2 Type I audit in progress (Q3 2026).
6. International transfers
Where Personal Data is transferred outside the EEA, Veric relies on the EU Commission’s Standard Contractual Clauses (Module Two), which are incorporated by reference here.
7. Data subject requests
Veric will assist Controller in responding to data subject requests within 10 business days.
8. Breach notification
Veric will notify Controller without undue delay (and in any case within 72 hours) after becoming aware of a Personal Data breach.
9. Audits
Customers on the Business plan or above may request a copy of Veric’s most recent SOC 2 report once available. On-site audits are available on request subject to mutual NDA.
10. Contact
Data protection queries: privacy@veric.dev.