VeriVeri.io — AI Trust & Verification Platform
Version 1.0 Last updated: 8 April 2026 Effective date: 8 April 2026
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", "Controller") and Northloop Group AB, organisation number 559579-7787, Sweden ("VeriVeri", "Processor") for the use of the VeriVeri.io API and related services (the "Service").
This DPA governs VeriVeri's processing of personal data on behalf of the Customer pursuant to GDPR Article 28. It supplements the Terms of Service and Privacy Policy.
This DPA applies when the Customer submits personal data to VeriVeri's API on behalf of third parties (data subjects). In this context, the Customer is the data controller and VeriVeri is the data processor.
This DPA does not apply to data VeriVeri collects as a controller (e.g., Customer account data), which is governed by the Privacy Policy.
| Element | Description |
|---|---|
| Subject matter | Processing of claims submitted via the VeriVeri API |
| Duration | For the term of the Customer's use of the Service, plus the applicable retention period |
| Nature and purpose | Automated verification of submitted claims; returning verdicts, confidence scores, and performance metrics |
| Types of personal data | Any personal data contained within claims submitted by the Customer (determined by the Customer) |
| Categories of data subjects | Determined by the Customer; may include the Customer's customers, employees, or other individuals whose data appears in submitted claims |
VeriVeri shall:
(a) Process personal data only on the Customer's documented instructions. Each API call constitutes an instruction. If VeriVeri becomes aware that an instruction infringes GDPR or other applicable data protection law, VeriVeri will promptly inform the Customer. VeriVeri does not automatically screen API requests for legal compliance — this obligation applies when VeriVeri has actual knowledge of a potential infringement.
(b) Ensure that all personnel authorised to process personal data are bound by obligations of confidentiality.
(c) Implement appropriate technical and organisational security measures, as described in the Privacy Policy (Section 9).
(d) Not engage additional subprocessors without maintaining an up-to-date list (see Section 5). VeriVeri will notify the Customer of intended changes to subprocessors at least 30 days in advance, giving the Customer the opportunity to object.
(e) Assist the Customer in fulfilling data subject requests (access, rectification, erasure, restriction, portability, objection) by providing appropriate technical and organisational measures.
(f) Notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting the Customer's data, including the nature of the breach, categories of data subjects affected, likely consequences, and measures taken to address it.
(g) Provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities where required under GDPR Articles 35 and 36.
(h) Upon termination or upon the Customer's request, delete all personal data processed on the Customer's behalf within 30 days, unless EU or Swedish law requires continued storage. The Customer may request an export in a structured, machine-readable format before deletion.
(i) Make available information necessary to demonstrate compliance with these obligations and allow for audits by the Customer or a mandated third-party auditor, subject to reasonable notice (at least 30 days) and confidentiality obligations. The Customer shall bear its own audit costs.
(j) Maintain records of processing activities as required by GDPR Article 30(2).
The Customer shall:
(a) Ensure it has a valid legal basis under GDPR Art. 6 (and, where applicable, Art. 9) for all personal data submitted via the API.
(b) Inform data subjects about the processing, including VeriVeri's involvement as a processor, in accordance with GDPR Art. 13 or 14.
(c) Not submit special category data (GDPR Art. 9) — including health data, biometric data, genetic data, political opinions, religious beliefs, trade union membership, sexual orientation, or data revealing racial or ethnic origin — without a separate written agreement with VeriVeri and a valid legal basis.
Current subprocessors:
| Subprocessor | Service | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform | Infrastructure hosting, database, AI/ML processing | All stored and processed data, verification requests | Global (region varies by availability) |
| Firebase Authentication (Google) | User authentication | Auth credentials | EU |
| Microsoft Azure | Infrastructure hosting, AI/ML processing | Verification requests and results | Global (region varies by availability) |
VeriVeri will notify the Customer at least 30 days before adding or replacing a subprocessor. If the Customer objects on reasonable data protection grounds, the parties will discuss in good faith. If no resolution is reached, the Customer may terminate the Service.
Note: Stripe, Inc. processes payment and billing data as described in the Privacy Policy but does not process personal data submitted via the API and is therefore not listed as a subprocessor under this DPA.
VeriVeri uses globally distributed infrastructure to provide the Service. Verification requests may be processed in regions outside the EEA, including the United States. All international transfers are protected by:
Enterprise customers requiring EU-only data residency should contact us for a custom agreement.
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service, except that neither party may limit its liability for breaches of GDPR Article 82 (compensation to data subjects).
This DPA remains in effect for the duration of the Customer's use of the Service. Obligations relating to data deletion (Section 3(h)) and confidentiality survive termination.
By using the VeriVeri API to submit personal data, the Customer enters into this DPA. For Enterprise customers requiring a countersigned copy, contact alex@hejalex.com.
Northloop Group AB Org. nr 559579-7787 Birger Jarlsgatan 99b, 1201, 113 56 Stockholm, Sweden alex@hejalex.com