VeridexCore Data Processing Addendum
Effective Date: March 8, 2026
Version: 1.0
Entity: VeridexCore (operated by VeridexCore Inc.)
This Data Processing Addendum ("DPA") supplements the VeridexCore Terms of Service and governs the processing of personal data by VeridexCore on behalf of the Customer.
1. Definitions
- "Personal Data" — Any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
- "Processing" — Any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- "Controller" — The Customer, who determines the purposes and means of processing Personal Data.
- "Processor" — VeridexCore, which processes Personal Data on behalf of the Controller.
- "Sub-processor" — A third party engaged by VeridexCore to process Personal Data.
2. Scope of Processing
VeridexCore processes data solely as necessary to provide the Service:
| Data Category | Processing Purpose | Storage Location |
|---|---|---|
| SOP text content | Capability generation | Google Cloud Firestore (us-central1) |
| GitHub username | Authentication | In-memory (session only) |
| IP address | Rate limiting, abuse prevention | In-memory (not persisted) |
| Capability artifacts | Service delivery, verification | Google Cloud Firestore (us-central1) |
| Receipt events | Truth ledger emission | VeridexCore Firestore |
| Payment identifiers | Transaction processing | Stripe (no card data stored by VeridexCore) |
3. Customer Obligations
Customer shall:
- Ensure a lawful basis exists for processing any Personal Data submitted to the Service.
- Not submit sensitive or special category data (health, biometric, racial/ethnic origin) unless explicitly agreed in writing.
- Ensure SOPs do not contain Personal Data unless necessary and lawfully processed.
- Inform data subjects about processing where required by applicable law.
4. VeridexCore Obligations
VeridexCore shall:
- Process Personal Data only on documented instructions from the Customer (i.e., as necessary to provide the Service).
- Implement appropriate technical and organizational security measures.
- Not engage additional Sub-processors without prior notice to the Customer.
- Assist the Customer in responding to data subject requests where technically feasible.
- Notify the Customer without undue delay upon becoming aware of a Personal Data breach.
- Delete or return Personal Data upon termination of the Service, at Customer's election.
5. Sub-processors
VeridexCore uses the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure, Firestore | United States (us-central1) |
| Stripe, Inc. | Payment processing | United States |
| VeridexCore Inc. | Truth ledger, receipt persistence | United States (us-central1) |
| Vercel, Inc. | Landing page hosting | United States |
Changes to Sub-processors will be communicated to the Customer with reasonable advance notice.
6. Data Transfers
Personal Data is processed in the United States (Google Cloud us-central1 region). If Customer is located outside the United States, Customer consents to the transfer of data to the United States for processing.
Where required by applicable law (e.g., GDPR), VeridexCore will implement appropriate transfer mechanisms such as Standard Contractual Clauses.
7. Security Measures
VeridexCore implements the following security measures:
- HTTPS encryption for all data in transit.
- HMAC-SHA256 cryptographic integrity verification on all artifacts.
- Environment-variable-based secret management.
- Per-IP rate limiting on public endpoints.
- Firestore security rules restricting data access.
- No persistent storage of payment credentials.
8. Data Breach Notification
In the event of a Personal Data breach, VeridexCore will:
- Notify the Customer without undue delay (and in any event within 72 hours of becoming aware).
- Provide details of the nature of the breach, categories of data affected, and measures taken or proposed.
- Cooperate with the Customer and applicable authorities as required.
9. Data Retention and Deletion
- Capability artifacts and receipts are retained for the duration of the Service.
- Upon termination or Customer request, VeridexCore will delete Personal Data within 30 days, except where retention is required by law.
- Transparency log entries are subject to the VeridexCore retention policy.
10. Audit Rights
Customer may request documentation of VeridexCore's compliance with this DPA. VeridexCore will provide reasonable cooperation, including responses to written audit questionnaires. On-site audits require 30 days' advance notice and are subject to confidentiality obligations.
11. Term
This DPA is effective for the duration of the Customer's use of the Service and survives termination to the extent necessary to complete processing obligations.
Document Control
| Version | Date | Status |
|---|---|---|
| 1.0 | 2026-03-08 | Active |