VerifyFlow

Data Processing Agreement (DPA)

Last updated: January 2025

1. Definitions

  • Controller: You (the VerifyFlow customer)
  • Processor: VerifyFlow
  • Sub-processors: Supabase, Stripe, Resend, Twilio
  • Personal Data: Officer names, emails, phone numbers, verification status

2. Scope and Purpose

This DPA governs VerifyFlow's processing of Personal Data on behalf of the Controller for the purpose of facilitating Companies House identity verification compliance.

3. Processor Obligations

VerifyFlow shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Assist with data breach notifications
  • Delete or return Personal Data upon termination (subject to legal retention)

4. Sub-processors

The Controller authorizes use of the following sub-processors:

  • Supabase Inc.: Database and infrastructure (US, GDPR compliant)
  • Stripe Inc.: Payment processing (US, GDPR compliant)
  • Resend: Email delivery (US, GDPR compliant)
  • Twilio Inc.: SMS delivery (US, GDPR compliant)

5. Data Security

Technical and organizational measures include:

  • Encryption in transit (TLS) and at rest (AES-256)
  • Row-level security (RLS) for multi-tenant data isolation
  • Access controls and authentication
  • Regular security audits
  • Incident response procedures

6. Data Subject Rights

VerifyFlow will assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, objection) within 10 business days.

7. Data Breach Notification

VerifyFlow will notify the Controller of any Personal Data breach within 72 hours of becoming aware, providing details necessary for breach reporting obligations.

8. International Transfers

Data may be transferred to the United States. Transfers are safeguarded by Standard Contractual Clauses (SCCs) and sub-processor certifications.

9. Audit Rights

The Controller may audit VerifyFlow's compliance with this DPA upon reasonable notice, no more than once per year.

10. Term and Termination

This DPA remains in effect for the duration of the VerifyFlow subscription. Upon termination, Personal Data will be deleted within 30 days unless legal retention is required.

11. Governing Law

This DPA is governed by the laws of England and Wales and complies with UK GDPR.

12. Contact

Data Protection Officer: dpo@verifyflow.co.uk