Data processing addendum (DPA).

Last updated February 1, 2026

This DPA forms part of the Agreement between Customer (Controller) and VeriCite (Processor) for processing of personal data under GDPR, UK GDPR, and equivalent laws.

1. Roles

Customer is the Controller; VeriCite is the Processor. For end-user data submitted to a tenant deployment, VeriCite acts strictly on Customer’s documented instructions.

2. Scope of processing

Subject matter, duration, nature, and purpose are described in Annex I. Categories of data subjects and personal data are listed there. VeriCite processes only what’s necessary to deliver the service.

3. Sub-processors

Current list at /legal/subprocessors. We provide 30 days' notice for changes. Customer may object on reasonable grounds.

4. Security measures

Annex II describes technical and organizational measures: encryption (TLS 1.3 in transit, AES-256 at rest), per-tenant key isolation, role-based access controls, audit logging, employee training, and the SOC 2 control set.

5. International transfers

Standard Contractual Clauses (2021/914) Module Two apply for EEA/UK transfers. Region-pinning available: data stays in the chosen region for at-rest storage and primary processing.

6. Data subject requests

VeriCite assists Customer in responding within statutory windows. Tools to search, export, and delete data subject content are available in the admin console.

7. Audits

Customer may audit annually with reasonable notice, or rely on the SOC 2 Type II report, HITRUST CSF mapping, and architecture brief, all available under NDA.

8. Incident response

Notification within 72 hours of confirmed breach affecting Customer Data. Includes nature, scope, affected data subjects (where determinable), measures taken, and contact for the incident.