Skip to main content
Legal & trust

Data Processing Addendum

Last updated on April 24, 2026.

Draft for counsel review. Engage data-protection counsel before this language goes live.

1. Scope and parties

This Data Processing Addendum ("DPA") applies when Verdaxi processes personal data on behalf of a customer ("Customer") under the Verdaxi Terms of Service or other agreement ("Agreement"). It supplements the Agreement and forms part of it.

2. Roles

Customer is the controller of personal data submitted to the Service. Verdaxi is the processor. Each party will comply with applicable data protection laws in its respective role.

3. Subject matter and duration

Verdaxi will process personal data on Customer's behalf for the purpose of providing the Service, for the duration of the Agreement and any applicable retention period.

4. Categories of data and data subjects

Categories of personal data: identity data (name, email, phone), employment data (role, employment dates, training records), and any other personal data Customer chooses to upload to the Service.

Categories of data subjects: Customer's employees, contractors, and other personnel; Customer's customers (where Customer chooses to associate them with compliance records).

5. Verdaxi obligations

Verdaxi will:

  • Process personal data only on Customer's documented instructions
  • Ensure persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures (described in our Security overview)
  • Engage sub-processors only under written agreements with equivalent obligations (current list at /legal/sub-processors)
  • Assist Customer with data subject requests and security incident notifications
  • Delete or return personal data on termination, subject to applicable legal retention requirements
  • Make available information necessary to demonstrate compliance, including audits with reasonable notice

6. Sub-processors

Customer authorizes Verdaxi to engage the sub-processors listed at /legal/sub-processors. We will give at least 30 days' notice (via email or in-app) before adding a new sub-processor; Customer may object in good faith.

7. Security incidents

Verdaxi will notify Customer without undue delay (and within 72 hours of confirmation where reasonably possible) of any confirmed security incident affecting Customer's personal data, providing reasonable detail about the incident and remediation.

8. International transfers

Personal data is processed in the United States. For Customers in jurisdictions requiring additional safeguards, Verdaxi will execute Standard Contractual Clauses or equivalent transfer mechanisms on request.

9. Audits

Customer may audit Verdaxi's compliance with this DPA on reasonable advance notice (at least 30 days), no more than once annually except in response to a confirmed incident, at Customer's cost, conducted in a manner that does not unreasonably interfere with Verdaxi's operations.

10. Term

This DPA remains in effect for the duration of the Agreement and any applicable retention period.

11. Contact

Data-protection inquiries: [email protected].