Euverify Data Processing Addendum (DPA)

Last updated: January 9th, 2026

This Data Processing Addendum (“DPA”) forms part of the Agreement between Euverify (“Processor”) and the Customer (“Controller”), and reflects the parties’ agreement with respect to the processing of Personal Data under the EU General Data Protection Regulation (“GDPR”), UK GDPR, and other applicable data protection laws.

1. Definitions

Unless defined elsewhere, capitalised terms have the meanings set out below:

Controller, Processor, Personal Data, Processing, Subprocessor have the meanings given in the GDPR and UK GDPR.
Customer Data means Personal Data processed by Euverify on behalf of the Customer in connection with the Services.
Data Subject means an identified or identifiable natural person whose Personal Data is Processed under this DPA.

2. Roles of the Parties

Controller: Customer determines the purposes and means of processing Personal Data.
Processor: Euverify processes Personal Data on behalf of the Customer and in accordance with the Agreement and this DPA.

3. Scope and Purpose of Processing

Euverify will Process Customer Data to provide, maintain, and support the compliance services selected by the Customer, which may include:

Product compliance documentation and management,
GDPR Article 27 representative services,
Authorised Representative services,
Platform authentication, storage, and communication,
Support communications and related administrative processes.

The categories of Personal Data processed and the types of Data Subjects are described in Appendix A.

4. Obligations of Euverify (Processor)

Euverify shall:

Process Customer Data only on documented instructions from the Controller.
Ensure that personnel authorised to process Customer Data are bound by confidentiality obligations.
Implement appropriate technical and organisational measures to ensure the security of Personal Data (see Section 7).
Assist Customer in fulfilling its GDPR/UK GDPR obligations regarding:
- Data Subject rights (access, rectification, erasure, etc.);
- Security incident management and breach notification;
- Data Protection Impact Assessments (where applicable).
Not use Customer Data for any purpose other than to provide the Services.

5. Customer Obligations

Customer shall:

Provide documented instructions to Euverify regarding its processing of Personal Data.
Maintain appropriate legal bases to Process Personal Data under applicable law.
Ensure compliance with data protection transparency and notice requirements.

6. Subprocessors

The Controller hereby authorises Euverify to engage subprocessors to process Customer Data. A list of current subprocessors, including categories and purposes, is published at:

Subprocessor List — euverify.com/subprocessors

Euverify will notify the Customer of any changes to the subprocessor list with an opportunity to object as described in the Subprocessor List.

7. Security Measures

Euverify has implemented and will maintain appropriate technical and organisational safeguards, which may include, without limitation:

Encryption in transit and at rest,
Access control and authentication safeguards,
Data minimisation and segregation,
Regular security assessments,
Incident detection and response.

A more detailed summary of these measures is available upon request.

8. Cross-Border Data Transfers

Euverify may transfer Personal Data outside the EEA and/or UK to subprocessors or service providers. Such transfers will be governed by appropriate safeguards, including:

Standard Contractual Clauses (SCCs) approved by the European Commission and/or UK ICO,
Adequacy decisions where applicable.

Details of transfer mechanisms can be requested via info@euverify.com.

9. Data Retention

Euverify will retain Personal Data only for as long as necessary to fulfill the services under the Agreement, including reasonable termination and transition periods.

10. Data Subject Rights

Upon Customer’s request, Euverify will assist in responding to Data Subjects exercising their rights under GDPR/UK GDPR, including:

Access, rectification, restriction, erasure, and data portability requests.

Requests should be submitted to info@euverify.com with sufficient detail to identify the Data Subject and request.

11. Security Incidents and Breach Notification

Euverify shall:

Notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Data;
Provide reasonable details and cooperation to support Customer’s compliance with breach notification obligations.

12. Audit and Inspection

Upon reasonable request, Euverify shall make available information necessary to demonstrate compliance with this DPA. Where appropriate, such audits shall be subject to confidentiality restrictions and coordinated to minimise disruption to operations.

13. Term and Termination

This DPA shall remain in effect as long as Euverify processes Personal Data on behalf of the Customer. Upon termination of the Agreement, Euverify will, at Customer’s request, delete or return Customer Data unless retention is required by applicable law.

14. Limitation of Liability

Each party’s liability under this DPA shall be subject to any limitations and exclusions of liability set forth in the Agreement.

15. Governing Law and Jurisdiction

This DPA shall be governed by the law governing the Agreement. Any disputes arising in connection with this DPA shall be resolved in accordance with the Agreement’s dispute resolution terms.

Signature

By using Euverify services, the Customer agrees to the terms of this DPA.

Appendix A — Data Details

Category of Personal Data	Description
Contact data	Name, email, phone, address
Account information	Login identifiers, preferences
Customer communications	Support tickets, messages
Compliance data	Product regulatory data, certificates
Usage data	Platform activity logs and metadata

Types of Data Subjects	Examples
Customers’ personnel	Administrators and end users of the platform
Support contacts	Customer support requesters
Data subjects in compliance processes	Product owners and representatives