Data Protection

Data Processing Agreement

Verdaio's DPA is drafted in accordance with GDPR Article 28 and covers all data processing activities on our platform. Request the full agreement to review and sign.

What our DPA covers

Enterprise-grade data protection

Our DPA addresses every requirement of GDPR Article 28, with clear commitments on security, sub-processors, breach notification, and your audit rights.

Processing scope and instructions

Clear definition of data types, processing purposes, retention periods, and documented instructions. Verdaio only processes data as instructed by the customer.

Technical and organisational measures

TLS 1.2+ encryption in transit, AES-256 at rest, Row-Level Security, scoped IAM access, input validation, and serverless infrastructure with no persistent servers.

Sub-processor transparency

Full list of authorised sub-processors with data location, purpose, and transfer safeguards. 30 days' advance notice before any changes, with the right to object.

Breach notification

Notification to you within 48 hours of becoming aware of a data breach, enabling you to meet your own 72-hour obligation under GDPR Art. 33. Includes nature, scope, consequences, and remediation measures taken.

Audit rights

Annual audit rights with 30 days' notice. Alternatives: a completed security questionnaire, certifications, or written compliance responses.

Data deletion and return

Delete or return all personal data within 30 days of termination. Data export available in JSON or CSV format before account closure.

Infrastructure

Built for EU data protection

EU-hosted infrastructure: AWS eu-west-1 (Ireland) + Supabase eu-central-2 (Switzerland)

No training on your data: AI inputs are not used for model training (Amazon Bedrock service terms)

Encryption everywhere: TLS 1.2+ in transit, AES-256 at rest, PCI DSS Level 1 for payments

Data minimisation: Assessment inputs deleted immediately after processing. Generated reports retained in encrypted EU storage (S3, eu-west-1) for up to 48 hours to enable download, then automatically deleted.

SCCs for international transfers: Standard Contractual Clauses + EU–US DPF applied to Stripe LLC (US) and to Google LLC (US, historic mailbox content only, subscription expiring 2027-04-03). Active controller-inbox email is hosted by Tutao GmbH in Germany. Other sub-processors operate within the EEA or under EU adequacy.

Privacy-first analytics: Plausible Analytics, EU-hosted. No cookies, no personal data, no IP addresses stored.

Sub-processors

Authorised sub-processors

Full transparency on every third party that processes data on our platform. Changes are communicated 30 days in advance.

Sub-processor | Purpose | Location
Amazon Web Services EMEA SARL | Hosting, compute, API routing, AI compliance analysis (Amazon Bedrock, Claude model) | EU Ireland
Supabase, Inc. | Database, authentication | EU Switzerland
InvoiceXpress (RUPEAL Lda) | Invoice generation | EU Portugal
Stripe Payments Europe, Limited + Stripe, LLC (US) as affiliate | Payment processing | EU Ireland; US under SCCs + DPF
Tutao GmbH (Tuta Mail) | Controller inbox hosting (@verdaio.ai email) since 2026-05-08 | EU Germany, no international transfer
Google LLC (Google Workspace), historic only | Retains pre-2026-05-08 mailbox content until subscription expires on 2027-04-03 | US under SCCs + DPF
Sendinblue SAS (Brevo) | Transactional email | EU France / Germany / GCP Belgium
Plausible Insights OÜ | Privacy-first analytics | EU Estonia

Current as of April 2026. An up-to-date list is maintained in our Privacy Policy.

A full Record of Processing Activities (ROPA) is maintained internally per Art. 30(1) GDPR and available to the supervisory authority (CNPD) and to qualifying customers on request via privacy@verdaio.ai.

Need our DPA?

Contact us to receive the full Data Processing Agreement for review and counter-signature. We typically respond within one business day.

Request our DPA

privacy@verdaio.ai