Data Protection

Data Processing Agreement

Verdaio's DPA is drafted in accordance with GDPR Article 28 and covers all data processing activities on our platform. Request the full agreement to review and sign.

What our DPA covers

Enterprise-grade data protection

Our DPA addresses every requirement of GDPR Article 28, with clear commitments on security, sub-processors, breach notification, and your audit rights.

Processing scope and instructions

Clear definition of data types, processing purposes, retention periods, and documented instructions. Verdaio only processes data as instructed by the customer.

Technical and organisational measures

TLS 1.2+ encryption in transit, AES-256 at rest, Row-Level Security, scoped IAM access, input validation, and serverless infrastructure with no persistent servers.

Sub-processor transparency

Full list of authorised sub-processors with data location, purpose, and transfer safeguards. 30 days' advance notice before any changes, with the right to object.

Breach notification

Notification to you within 48 hours of becoming aware of a data breach — enabling you to meet your own 72-hour obligation under GDPR Art. 33. Includes nature, scope, consequences, and remediation measures taken.

Audit rights

Annual audit rights with 30 days' notice. Alternative: completed security questionnaire, certifications, or written compliance responses.

Data deletion and return

Delete or return all personal data within 30 days of termination. Data export available in JSON or CSV format before account closure.

Infrastructure

Built for EU data protection

EU-hosted infrastructure: AWS eu-west-1 (Ireland) + Supabase eu-central-2 (Switzerland)
No training on your data: AI inputs are not used for model training (Anthropic API terms)
Encryption everywhere: TLS 1.2+ in transit, AES-256 at rest, PCI DSS Level 1 for payments
Data minimisation: Assessment inputs deleted immediately after processing. Reports delivered by email, not stored.
SCCs for international transfers: Standard Contractual Clauses applied to all non-EEA sub-processors
Cookieless analytics: GA4 in cookieless mode with IP anonymisation. No tracking cookies.

Sub-processors

Authorised sub-processors

Full transparency on every third party that processes data on our platform. Changes are communicated 30 days in advance.

| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services EMEA SARL | Hosting, compute, API routing | EU Ireland |
| Supabase, Inc. | Database, authentication | EU Switzerland |
| InvoiceXpress (RUPEAL Lda) | Invoice generation | EU Portugal |
| Anthropic, PBC | AI compliance analysis | US SCCs |
| Stripe, Inc. | Payment processing | US SCCs |
| Resend, Inc. | Transactional email | US SCCs |
| Google LLC | Analytics (cookieless) | US SCCs |

Current as of April 2026. An up-to-date list is maintained in our Privacy Policy.

Need our DPA?

Contact us to receive the full Data Processing Agreement for review and counter-signature. We typically respond within one business day.

Request our DPA

privacy@verdaio.ai