Legal

Data Processing Agreement

Last updated: May 2026

This Data Processing Agreement ("DPA") forms part of the Verixa Terms of Service between Verixa ("Processor") and the customer ("Controller") and applies whenever Verixa processes personal data on the Controller's behalf in connection with the service.

1. Definitions

"Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Sub-processor" have the meanings given in the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"). "Applicable Data Protection Law" means the GDPR, UK GDPR, and the California Consumer Privacy Act (CCPA) as amended.

2. Scope and roles

The Controller appoints Verixa as a Processor to Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries.

3. Processor obligations

4. Sub-processors

The Controller provides general authorization for Verixa to engage the sub-processors listed at /subprocessors. Verixa will give 30 days' prior notice of any intended addition or replacement of sub-processors. Each sub-processor is bound by data protection terms no less protective than this DPA.

5. International transfers

Where Personal Data of EEA, UK, or Swiss Data Subjects is transferred outside the EEA, the transfer is governed by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), with the UK Addendum and Swiss FDPIC Annex as applicable, incorporated by reference and completed as follows: Module 2 (Controller-to-Processor), Clause 7 docking permitted, Clause 11(a) optional independent dispute resolution not selected, governing law of the Controller's EEA establishment, courts of the same Member State.

6. Audits

Verixa makes available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28, including the SOC 2 Type II report of the underlying hosting platform when available. The Controller may, no more than once per year and on 30 days' notice, request an additional audit conducted by a mutually agreed independent auditor under reasonable confidentiality terms.

7. Deletion and return

On termination, Verixa will, at the Controller's choice, delete or return all Personal Data within 30 days, except to the extent retention is required by law (e.g., tax, audit-trail integrity). Self-service export is available at any time via the account data-export tool.

8. CCPA

Where the Controller is a "business" and Verixa is a "service provider" under the CCPA, Verixa will not sell or share Personal Data, will not retain, use, or disclose it for any purpose other than performing the service, and will not combine it with Personal Data received from other sources except as permitted by 11 CCR § 7050(b).

9. Acceptance

This DPA is accepted automatically upon acceptance of the Verixa Terms of Service by the Controller. A counter-signed PDF is available on request at privacy@verixaai.com.

Need a counter-signed copy or a custom amendment for procurement? Email legal@verixaai.com.