Data Processing Agreement
Effective date: April 1, 2026 | Last updated: April 12, 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between the customer ("Controller") and Verifex ("Processor"), operated by Sadat Nazarli, and supplements the Terms of Service.
2. Subject Matter and Duration
The Processor processes personal data on behalf of the Controller for the purpose of providing sanctions screening services via the Verifex API. Processing begins upon the Controller's first API call and continues for the duration of the service agreement, plus the applicable audit log retention period (up to 10 years for Enterprise plans).
3. Nature and Purpose of Processing
Verifex processes personal data solely to screen names against global sanctions, PEP, and enforcement lists and return match results. Processing includes name normalization, fuzzy matching, phonetic analysis, and automated adjudication recommendation.
4. Types of Personal Data
- Full names of screened individuals or entities
- Dates of birth (when provided)
- Nationalities or countries of residence (when provided)
- Entity types (person, company, vessel)
- Screening results, confidence scores, and risk assessments
- API request metadata (timestamps, IP addresses, API key identifiers)
5. Categories of Data Subjects
- Customers of the Controller
- Transaction counterparties
- Beneficial owners of entities
- Any individuals or entities the Controller submits for screening
6. Obligations of the Processor
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorized to process data have committed to confidentiality
- Implement appropriate technical and organizational security measures (see Section 8)
- Assist the Controller in responding to data subject access requests
- Delete or return all personal data upon termination, subject to legal retention requirements
- Make available all information necessary to demonstrate compliance with this DPA
7. Sub-Processors
The Processor uses the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| IONOS SE | Infrastructure hosting (VPS, database) | Frankfurt, Germany (EU) |
| Lemon Squeezy (Lemon Squeezy LLC) | Payment processing and subscription management | United States |
| Resend Inc. | Transactional email delivery | United States |
| DeepSeek (via API) | LLM cascade verification for ambiguous matches only | China (API only, no data stored) |
| Anthropic, PBC | LLM entity resolution for ambiguous sanctions pairs (Claude API, no data stored beyond request) | United States |
| GLEIF (Global LEI Foundation) | Legal Entity Identifier reference data for UBO chain resolution (public registry, no personal data) | Basel, Switzerland (public data) |
| OpenCorporates Ltd | Corporate registry data for beneficial ownership mapping (entity data only, no personal data transferred) | United Kingdom |
The Processor will notify the Controller at least 14 days before adding a new sub-processor. The Controller may object by written notice within that period.
8. Technical and Organizational Measures
- Data encrypted in transit (TLS 1.3)
- Data encrypted at rest (AES-256 disk encryption)
- API keys hashed with SHA-256 (never stored in plaintext)
- User passwords hashed with bcrypt (12 rounds)
- Immutable audit logs with cryptographic hash chaining
- Role-based access control with principle of least privilege
- Daily database backups to separate storage
- Network-level firewall with explicit allow-listing
- Input validation on all API endpoints (Zod schema validation)
- Regular dependency vulnerability scanning
9. International Data Transfers
Primary data processing occurs in the European Union (IONOS Frankfurt, Germany). Where personal data is transferred to sub-processors in the United States, such transfers are governed by EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914). The Controller may request copies of the executed SCCs by contacting hello@verifex.dev.
10. Data Retention
| Plan | Audit Log Retention |
|---|---|
| Free | None (real-time only) |
| Startup ($49/mo) | 90 days |
| Growth ($99/mo) | 1 year |
| Scale ($249/mo) | 5 years |
| Enterprise ($499/mo) | 10 years (OFAC compliant) |
Upon contract termination, data is deleted within 30 days unless longer retention is required by law or the applicable audit retention period.
11. Breach Notification
The Processor will notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach, in accordance with Article 33 of the GDPR. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
12. Audits
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an independent auditor mandated by the Controller, upon reasonable notice (at least 30 days) and during normal business hours.
13. Contact
For questions about this DPA, data processing practices, or to request executed SCCs, contact us at hello@verifex.dev.