Legal

Data Processing Agreement

Last updated: July 16, 2026

Roles

For device signals processed through your API keys, you are the data controller and Veriprint is the data processor. We process signals only to compute visitor identifiers and risk flags on your instruction (an API call is the instruction), and for no other purpose.

Scope of processing

Categories of data: browser signals, IP address, derived geolocation and ASN, and the resulting visitorId. No names, emails, or content. Data subjects are your end users. Duration follows your plan's retention window (7 to 90 days, custom on Scale), after which records are deleted.

Our commitments

Signals are encrypted in transit and at rest, never shared across customers, and accessible only to engineers with an operational need. We assist with data-subject requests via the deletion API, notify you of a personal-data breach without undue delay, and list all subprocessors (currently: cloud hosting and email delivery) with 30 days notice before changes.

Signature

This page summarizes the DPA. For a countersigned copy, including Standard Contractual Clauses for transfers outside the EEA, email [email protected].