Data Processing Addendum
Verifical — Secure Document Sharing Platform
(Last updated: February 27, 2026)
1. Introduction and Scope
1.1. This Data Processing Addendum (“DPA”) forms part of the Terms and Conditions (“Agreement”) between VeroMotion s.r.o., a company registered in the Czech Republic under registration number 27170730, with its registered address at Karla Engliše 3208/5, Prague 5, 150 00, Czech Republic (“VeroMotion”, “Processor”) and the Customer (“Controller”) for the Verifical platform (“Service”).
1.2. This DPA applies to the processing of Personal Data by VeroMotion on behalf of the Customer in connection with the provision of the Service. It does not apply to Personal Data that VeroMotion processes as a Data Controller for its own operational purposes (as described in Section 8.2(a) of the Agreement).
1.3. This DPA is incorporated into the Agreement by reference and takes effect when the Customer accepts the Agreement. No separate signature is required.
1.4. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
2. Definitions
Terms not defined in this DPA have the meanings given in the Agreement. In addition:
“Data Protection Laws” means the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and any other applicable data protection or privacy legislation.
“Personal Data”, “Data Controller”, “Data Processor”, “Data Subject”, “processing”, and “Personal Data breach” have the meanings given in the GDPR or equivalent terms under applicable Data Protection Laws.
“Standard Contractual Clauses” (“SCCs”) means the standard contractual clauses for the transfer of personal data to third countries, as set out in the Annex to Commission Implementing Decision (EU) 2021/914.
“Sub-processor” means a third party engaged by VeroMotion to process Personal Data on behalf of the Customer.
3. Roles of the Parties
3.1. The Customer acts as the Data Controller and VeroMotion acts as the Data Processor with respect to Personal Data uploaded or processed through the Service by the Customer or its Authorized Users.
3.2. Where the Customer itself acts as a Data Processor on behalf of a third party, VeroMotion acts as a Sub-processor. The Customer warrants that it has obtained all necessary authorizations from the relevant Data Controller to engage VeroMotion as a Sub-processor.
4. Processing Instructions
4.1. VeroMotion shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. The Agreement and this DPA constitute the Customer’s initial instructions. Additional instructions may be agreed in writing.
4.2. VeroMotion shall inform the Customer if, in its opinion, an instruction infringes Data Protection Laws. VeroMotion is not obligated to independently assess the legality of the Customer’s instructions.
4.3. The details of processing (subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects) are described in Annex A.
5. Customer Obligations
5.1. The Customer is responsible for:
(a) ensuring it has a lawful basis for processing Personal Data and for any instructions given to VeroMotion;
(b) providing all required notices to, and obtaining all necessary consents from, Data Subjects;
(c) the accuracy, quality, and legality of Personal Data provided to the Service;
(d) complying with all applicable Data Protection Laws in connection with its use of the Service.
6. Confidentiality
6.1. VeroMotion shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. Security Measures
7.1. VeroMotion shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to Data Subjects.
7.2. A description of the key security measures is set out in Annex B. VeroMotion may update these measures from time to time, provided that the overall level of security is not materially reduced.
8. Personal Data Breach Notification
8.1. VeroMotion shall notify the Customer without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data breach affecting Customer Data processed under this DPA.
8.2. The notification shall include reasonable details about the nature of the breach, to the extent known at the time of notification.
8.3. VeroMotion’s obligation to notify does not constitute an acknowledgment of fault or liability.
9. Sub-processors
9.1. The Customer provides general written authorization for VeroMotion to engage Sub-processors to assist in providing the Service. The current list of Sub-processors is available at https://verifical.com/subprocessors.
9.2. VeroMotion shall notify the Customer of any intended changes to its Sub-processors at least 30 days in advance by email to the address associated with the Customer’s Account.
9.3. The Customer may object to a new Sub-processor by notifying VeroMotion in writing within 30 days of receiving the notification. If VeroMotion cannot reasonably accommodate the objection, the Customer may terminate the affected part of the Service upon written notice. Previously accrued rights and obligations survive such termination.
9.4. VeroMotion shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA.
10. International Transfers
10.1. Customer Data is primarily stored within the European Union.
10.2. Where VeroMotion transfers Personal Data to a Sub-processor located outside the European Economic Area (“EEA”), VeroMotion shall ensure that the transfer is protected by appropriate safeguards in accordance with GDPR Chapter V, including:
(a) an EU adequacy decision covering the recipient country;
(b) the EU-US Data Privacy Framework (where applicable); or
(c) Standard Contractual Clauses (Module Two: Controller to Processor, or Module Three: Processor to Sub-processor, as applicable).
10.3. Where Standard Contractual Clauses apply, the information in Annex A and Annex B of this DPA shall serve as the annexes to the SCCs. VeroMotion is deemed the “data importer” and the Customer the “data exporter.”
11. Data Subject Rights
11.1. VeroMotion shall, to the extent technically feasible, assist the Customer in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws (including access, rectification, erasure, portability, restriction, and objection).
11.2. The Service provides self-service features that allow the Customer to access, correct, export, and delete Personal Data. The Customer shall use these features as the primary means of responding to Data Subject requests.
11.3. If the Customer is unable to fulfill a Data Subject request through the Service, the Customer may contact VeroMotion at info@verifical.com for additional assistance.
11.4. If a Data Subject request is made directly to VeroMotion, VeroMotion shall promptly inform the Customer and direct the Data Subject to contact the Customer.
12. Audit
12.1. VeroMotion shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.
12.2. Upon written request (no more than once per year and with at least 30 days’ notice), VeroMotion shall respond to the Customer’s reasonable written questions or security questionnaires regarding its data processing practices and compliance with this DPA.
13. Data Retention and Deletion
13.1. VeroMotion shall process Personal Data for the duration of the Agreement and as necessary to provide the Service.
13.2. Upon termination or expiration of the Agreement, the Customer may request an export of its data within 30 days, as described in Section 18.1 of the Agreement. After this period, VeroMotion shall delete Personal Data from its systems, except where retention is required by applicable law.
13.3. VeroMotion may retain Personal Data in backup systems for a reasonable period following deletion from production systems. Such backup data shall remain subject to this DPA until permanently deleted.
14. Liability
14.1. The liability of each party under this DPA is subject to the limitations and exclusions set out in the Agreement, except to the extent that applicable Data Protection Laws prohibit such limitations.
15. Governing Law
15.1. This DPA is governed by the laws of the Czech Republic, consistent with Section 20 of the Agreement.
15.2. Where Standard Contractual Clauses apply, the SCCs shall be governed by the law of the EU Member State in which the data exporter is established, or if the data exporter is not established in the EU, by Czech law.
16. Term and Termination
16.1. This DPA takes effect when the Customer accepts the Agreement and terminates automatically upon termination or expiration of the Agreement.
16.2. Obligations relating to confidentiality, data deletion, and ongoing data protection survive termination of this DPA.
Annex A — Processing Details
A.1. List of Parties
| | Data Exporter (Controller) | Data Importer (Processor) |
|---|---|---|
| Entity | The Customer, as identified in the Account | VeroMotion s.r.o. |
| Address | As provided during Account registration | Karla Engliše 3208/5, Prague 5, 150 00, Czech Republic |
| Contact | Email address associated with the Account | info@verifical.com |
| Role | Data Controller (or Data Processor, where applicable) | Data Processor (or Sub-processor, where applicable) |
A.2. Description of Processing
| | Details |
|---|---|
| Subject matter | Processing of Personal Data in connection with the provision of the Verifical secure document sharing platform |
| Duration | For the term of the Agreement, plus any applicable data retention period |
| Nature of processing | Storage, retrieval, display, transmission, organization, and deletion of documents and associated metadata; optional AI-assisted processing (OCR, data extraction, classification) when enabled by the Customer |
| Purpose | To provide the Service as described in the Agreement, including secure document exchange, per-document discussions, archiving, and proof of delivery |
| Frequency | Continuous, for the duration of the Agreement |
A.3. Categories of Data Subjects
- The Customer’s employees and staff members
- The Customer’s clients (e.g., clients of an accounting firm)
- Invited Users (persons invited to a Company Workspace)
- Suppliers uploading documents to the Customer’s workspace
- Any other individuals whose Personal Data is contained in documents uploaded to the Service
A.4. Types of Personal Data
Depending on the documents uploaded by the Customer, Personal Data processed may include:
- Identity data: Names, dates of birth, personal identification numbers
- Contact data: Email addresses, phone numbers, postal addresses
- Financial data: Invoice details, bank account numbers, tax identification numbers, salary information, payment records
- Professional data: Employer name, job title, business registration numbers
- Authentication data: Email addresses and usernames used to access the Service
- Technical data: IP addresses, browser type, access timestamps, activity logs
- Document content: Any Personal Data contained within documents uploaded to the Service, the extent of which is determined by the Customer
A.5. Sensitive Data
VeroMotion does not require or request special categories of Personal Data. If such data is present in uploaded documents, the Customer is solely responsible for ensuring a lawful basis and appropriate safeguards.
A.6. Retention
Personal Data is retained for the duration of the Agreement. Following termination, the Customer has 30 days to export data. After this period, VeroMotion deletes Personal Data from production systems. Backup copies may be retained for a reasonable period and are deleted in accordance with VeroMotion’s backup rotation schedule.
Annex B — Technical and Organizational Measures
VeroMotion implements and maintains the following categories of security measures. These measures may be updated from time to time to reflect changes in technology and best practices, provided the overall level of protection is not materially reduced.
B.1. Access Control
- Role-based access control for all system components
- Unique user accounts with strong password requirements
- Optional two-factor authentication (TOTP) for Customer accounts
- Automatic session expiry after a period of inactivity
- Principle of least privilege for internal access to Customer Data
B.2. Data Encryption
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using industry-standard algorithms
- Encrypted database connections
B.3. Infrastructure Security
- Hosting within European Union data centers (Hetzner, Germany)
- Network firewalls and intrusion detection
- Regular security updates and patch management
- Automated deployment through CI/CD pipelines with access controls
B.4. Data Separation
- Logical separation of Customer Data by Account and Company Workspace
- Database-level isolation to prevent cross-tenant data access
B.5. Backup and Recovery
- Regular automated backups of databases and stored files
- Backups stored in encrypted form in a separate storage location within the EU
- Periodic backup restoration testing
B.6. Logging and Monitoring
- Audit logging of access to Customer Data
- Monitoring of system availability and performance
- Alerting for security-relevant events
B.7. Personnel Measures
- Confidentiality obligations for all personnel with access to Customer Data
- Access to production systems limited to authorized personnel only
Annex C — Sub-processor List
The current list of Sub-processors authorized to process Personal Data on behalf of the Customer is maintained at https://verifical.com/subprocessors.
This list may be updated in accordance with Section 9 of this DPA. The Customer will be notified of any additions or changes at least 30 days in advance.
Contact
For questions about this DPA or data protection matters:
VeroMotion s.r.o.
Karla Engliše 3208/5
Prague 5, 150 00
Czech Republic
Email: info@verifical.com
Web: https://verifical.com
