Data Processing Agreement
Last updated: July 16, 2026
Roles
For device signals processed through your API keys, you are the data controller and Veriprint is the data processor. We process signals only to compute visitor identifiers and risk flags on your instruction (an API call is the instruction), and for no other purpose.
Scope of processing
Categories of data: browser signals, IP address, derived geolocation and ASN, and the resulting visitorId. No names, emails, or content. Data subjects are your end users. Duration follows your plan's retention window (7 to 90 days, custom on Scale), after which records are deleted.
Our commitments
Signals are encrypted in transit and at rest, never shared across customers, and accessible only to engineers with an operational need. We assist with data-subject requests via the deletion API, notify you of a personal-data breach without undue delay, and list all subprocessors (currently: cloud hosting and email delivery) with 30 days notice before changes.
Signature
This page summarizes the DPA. For a countersigned copy, including Standard Contractual Clauses for transfers outside the EEA, email [email protected].