Back to HomeVeriGlob Logo

Data Processing Addendum

Last Updated: January 22, 2025

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Master Service Agreement, Terms of Service, or other written agreement ("Principal Agreement") between Veriglob Ltd. ("Veriglob," "Processor," "we," or "us") and the customer entity identified in the Principal Agreement ("Customer," "Controller," or "you").

This DPA reflects the parties' commitment to comply with applicable data protection laws, including the UK General Data Protection Regulation ("UK GDPR"), the EU General Data Protection Regulation 2016/679 ("EU GDPR"), and other applicable data protection legislation (collectively, "Data Protection Laws").

Privacy-First Architecture: Veriglob's decentralized identity protocol is designed with privacy by design and data minimization principles. We enable self-sovereign identity (SSI) where users control their own data, and verification occurs without centralizing personal information.

2. Definitions

In this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings given in the Principal Agreement or Data Protection Laws.

  • "Controller" means the entity that determines the purposes and means of Processing Personal Data.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
  • "Decentralized Identifier" or "DID" means a globally unique, self-sovereign identifier that does not require a centralized registration authority and is cryptographically verifiable.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
  • "Processor" means an entity that Processes Personal Data on behalf of the Controller.
  • "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.
  • "Services" means the Veriglob identity verification platform, APIs, and related services provided under the Principal Agreement.
  • "Sub-processor" means any third party engaged by Veriglob to Process Personal Data on behalf of Customer.
  • "Verifiable Credential" means a tamper-evident credential with authorship that can be cryptographically verified.

3. Scope and Processing Roles

3.1 Scope of Processing

This DPA applies to the Processing of Personal Data by Veriglob in connection with providing the Services. Due to our self-sovereign identity architecture, the nature and extent of Personal Data Processing is intentionally minimized.

3.2 Processing Roles

The parties acknowledge and agree that:

  • Customer as Controller: Customer acts as the Controller for Personal Data submitted to or processed through the Services.
  • Veriglob as Processor: Veriglob acts as a Processor when Processing Personal Data on behalf of Customer to provide the Services.
  • End Users as Controllers: In the self-sovereign identity model, end users (Data Subjects) retain control over their own identity data and credentials stored in their personal wallets.

3.3 Self-Sovereign Identity Principles

Veriglob's architecture is built on self-sovereign identity (SSI) principles, which fundamentally changes the data processing paradigm:

  • User-Controlled Data: Personal Data and Verifiable Credentials are stored in the user's own wallet, not on Veriglob servers.
  • Selective Disclosure: Users choose what information to share with verifiers, often using zero-knowledge proofs.
  • Decentralized Identifiers: DIDs are pseudonymous identifiers that do not inherently contain Personal Data.
  • No Central Data Store: Veriglob does not maintain a central database of user identity information.

4. Details of Processing

4.1 Categories of Data Subjects

  • Customer's employees and authorized users
  • Customer's end users who interact with the verification services
  • Individuals whose identity is being verified

4.2 Categories of Personal Data

The Personal Data Processed depends on Customer's configuration and use case. Categories may include:

Data CategoryProcessed By VeriglobStorage Location
Decentralized Identifiers (DIDs)Yes (pseudonymous)Distributed ledger / User wallet
Verifiable CredentialsTransit onlyUser's personal wallet
Verification ProofsYes (temporary)Memory only, not persisted
Account InformationYesVeriglob infrastructure
API Usage LogsYesVeriglob infrastructure

4.3 Third-Party Verification Providers

Important Notice Regarding External Verification Services:

When Customer opts to use third-party identity verification providers (such as Governments, Employers, Dojah, Onfido, Veriff, Jumio, or similar services) through the Veriglob platform:

  • Data Remains with Provider: Personal Data submitted for verification (such as government IDs, biometric data, or proof-of-address documents) is transmitted directly to and stored by the third-party provider.
  • Veriglob Does Not Store: Veriglob does not store, retain, or have access to the underlying identity documents or biometric data processed by these providers.
  • Credential Issuance Only: Veriglob receives only the verification result (pass/fail and relevant claims) to issue a Verifiable Credential to the user.
  • Separate Data Controller: Each third-party verification provider acts as an independent Data Controller for the data they process, subject to their own privacy policies and DPAs.

4.4 Purpose of Processing

Veriglob Processes Personal Data solely for the following purposes:

  • Providing the identity verification and credential issuance Services
  • Maintaining and improving the security and performance of the Services
  • Generating anonymized and aggregated analytics
  • Complying with legal obligations
  • Responding to Customer support requests

4.5 Duration of Processing

Processing shall continue for the duration of the Principal Agreement. Upon termination, Veriglob shall delete or return Personal Data as specified in Section 11.

5. Processor Obligations

5.1 Processing Instructions

Veriglob shall:

  • Process Personal Data only on documented instructions from Customer, unless required by applicable law
  • Inform Customer if, in Veriglob's opinion, an instruction infringes Data Protection Laws
  • Ensure that persons authorized to Process Personal Data are bound by confidentiality obligations

5.2 Security Measures

Veriglob implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3)
  • Pseudonymization through DIDs and cryptographic techniques
  • Access controls and authentication mechanisms
  • Regular security testing and vulnerability assessments
  • Incident response and business continuity procedures
  • Employee security training and background checks

5.3 Certifications and Compliance

Veriglob maintains the following certifications and compliance standards:

  • SOC 2 Type II
  • ISO 27001
  • GDPR compliance program
  • Regular third-party security audits

6. Sub-processors

6.1 Authorization

Customer provides general authorization for Veriglob to engage Sub-processors to assist in providing the Services. Veriglob shall:

  • Maintain a list of current Sub-processors available upon request
  • Notify Customer of any intended changes to Sub-processors at least thirty (30) days in advance
  • Ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA

6.2 Current Sub-processors

Veriglob currently uses the following categories of Sub-processors:

CategoryPurposeLocation
Cloud InfrastructureHosting and compute servicesEU, UK, US (customer choice)
Monitoring ServicesPerformance and error monitoringEU, US
Customer SupportTicket management and supportEU

6.3 Objection Right

Customer may object to a new Sub-processor by notifying Veriglob in writing within fourteen (14) days of receiving notice. If Customer's objection is based on reasonable data protection concerns and the parties cannot reach a resolution, Customer may terminate the affected Services without penalty.

7. Data Subject Rights

7.1 Assistance with Requests

Veriglob shall assist Customer in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

7.2 Self-Sovereign Identity and Data Subject Control

Enhanced Data Subject Control: Veriglob's self-sovereign identity architecture inherently supports Data Subject rights:

  • Access: Users have direct access to their credentials in their personal wallet.
  • Portability: Credentials are stored in standard formats and can be exported at any time.
  • Erasure: Users can delete credentials from their wallet; DIDs can be deactivated.
  • Restriction: Users choose when and with whom to share their credentials.

7.3 Direct Requests

If Veriglob receives a request directly from a Data Subject, Veriglob shall promptly notify Customer (unless prohibited by law) and shall not respond directly unless authorized by Customer or required by law.

8. Security Incidents

8.1 Notification

Veriglob shall notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Security Incident affecting Personal Data. The notification shall include:

  • Description of the nature of the incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Likely consequences of the incident
  • Measures taken or proposed to address the incident

8.2 Cooperation

Veriglob shall cooperate with Customer in investigating the Security Incident, mitigating its effects, and meeting any applicable notification obligations under Data Protection Laws.

9. International Data Transfers

9.1 Transfer Mechanisms

Where Personal Data is transferred outside the UK or EEA, Veriglob shall ensure appropriate safeguards are in place, including:

  • Transfers to countries with adequacy decisions
  • UK International Data Transfer Agreement (IDTA)
  • EU Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules where applicable

9.2 Standard Contractual Clauses

Where required, the parties agree to execute the applicable Standard Contractual Clauses, which shall be incorporated into this DPA by reference. For transfers from:

  • EU: Commission Implementing Decision (EU) 2021/914 SCCs
  • UK: UK IDTA or UK Addendum to EU SCCs

9.3 Data Residency Options

Customer may specify data residency requirements in the Principal Agreement. Veriglob offers data processing in the following regions: European Union, United Kingdom, United States, and Asia Pacific.

10. Audits and Compliance

10.1 Audit Rights

Veriglob shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits. Customer may:

  • Review Veriglob's SOC 2 Type II reports and other certifications
  • Submit written audit questionnaires (up to annually)
  • Conduct or commission an on-site audit with reasonable notice (at Customer's expense)

10.2 Audit Procedures

On-site audits shall be conducted during normal business hours with at least thirty (30) days' prior written notice. Customer shall ensure that auditors are bound by confidentiality obligations and that audits do not unreasonably disrupt Veriglob's operations.

11. Data Return and Deletion

11.1 Upon Termination

Upon termination or expiration of the Principal Agreement, Veriglob shall, at Customer's election:

  • Return all Personal Data to Customer in a standard, machine-readable format; and/or
  • Delete all Personal Data within thirty (30) days, unless retention is required by applicable law

11.2 Certification

Upon request, Veriglob shall provide written certification of the deletion of Personal Data.

11.3 User-Controlled Data

Note: Verifiable Credentials and identity data stored in end users' personal wallets are controlled by those users and are not subject to Veriglob's deletion obligations. Users may delete their own credentials at any time through their wallet application.

12. Data Protection Impact Assessments

Veriglob shall provide reasonable assistance to Customer in conducting Data Protection Impact Assessments (DPIAs) where required under Data Protection Laws. This assistance may include:

  • Information about Veriglob's processing activities and security measures
  • Technical documentation regarding the Services
  • Consultation on privacy-enhancing features of the self-sovereign identity architecture

13. Liability

Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Principal Agreement. Nothing in this DPA shall limit either party's liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Any liability that cannot be limited or excluded by applicable law

14. General Provisions

  • Precedence: In the event of conflict between this DPA and the Principal Agreement regarding data protection matters, this DPA shall prevail.
  • Amendments: This DPA may only be modified by a written instrument signed by both parties.
  • Severability: If any provision of this DPA is found invalid or unenforceable, the remaining provisions shall continue in full force.
  • Governing Law: This DPA shall be governed by the laws specified in the Principal Agreement.
  • Entire Agreement: This DPA, together with the Principal Agreement, constitutes the entire agreement between the parties regarding data protection.

15. Contact Information

For questions regarding this Data Processing Addendum or data protection matters:

Veriglob Ltd. - Data Protection

Data Protection Officer: dpo@veriglob.com

Privacy Inquiries: privacy@veriglob.com

Website: https://veriglob.com/privacy-policy

Annex A: Technical and Organizational Security Measures

A.1 Encryption

  • Data at rest: AES-256 encryption
  • Data in transit: TLS 1.3
  • Key management: Hardware Security Modules (HSMs) for cryptographic operations
  • End-to-end encryption for credential presentations

A.2 Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication required for all staff
  • Principle of least privilege
  • Regular access reviews and deprovisioning

A.3 Network Security

  • Web Application Firewall (WAF)
  • DDoS protection
  • Network segmentation
  • Intrusion detection and prevention systems

A.4 Physical Security

  • SOC 2 certified data centers
  • 24/7 security monitoring
  • Biometric access controls
  • Environmental controls and redundancy

A.5 Operational Security

  • Regular vulnerability scanning and penetration testing
  • Security incident response procedures
  • Business continuity and disaster recovery plans
  • Employee security awareness training
  • Background checks for personnel with data access
← Back to Home