Veref

Data Processing Addendum

Last updated April 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Veref Ltd and the Customer for use of the Veref platform. It sets out how Veref processes personal data on behalf of the Customer under UK GDPR, EU GDPR, and other applicable data protection law.

Roles

The Customer is the data controller and Veref is the data processor for personal data processed on the Customer’s behalf. For Veref Passport records, the candidate is the primary data subject and retains ownership rights.

Scope and purpose

Veref processes personal data solely to provide the Service as described in the order form, and for the duration of the agreement plus any retention period the Customer configures.

Subprocessors

A current list of Veref’s subprocessors is maintained at veref.work/subprocessors. Veref notifies Customers of material subprocessor changes with at least 30 days’ notice.

Security

  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • Role-based access, MFA, and audit logging on all administrative actions.
  • Biometric templates stored separately from raw images; raw images deleted after template extraction.
  • SOC 2 Type II audit and ISO 27001 certification planned; timelines shared on request.

Data subject rights

Veref assists the Customer in responding to data subject access, rectification, erasure, restriction, portability, and objection requests within the timelines required under GDPR.

International transfers

Personal data is stored in the region selected by the Customer at onboarding (UK, EU, or US). Transfers outside the region rely on Standard Contractual Clauses and supplementary measures where required.

Breach notification

Veref notifies the Customer of any personal data breach without undue delay and in any event within 72 hours of becoming aware of the breach.

Audits

Customers may audit Veref’s processing under this DPA once per year, subject to reasonable notice and confidentiality terms. Once SOC 2 Type II is completed, the report will be available under NDA and will satisfy most audit requirements.

Return and deletion

On termination, Veref returns or deletes all personal data processed on the Customer’s behalf within 30 days, subject to legal retention obligations.

Execution

A counter-signed copy of this DPA is available on request by emailing legal@veref.work.

Questions?

Email legal@veref.work and a member of our team will respond within one business day.