Company logoHelp Centre
Visit veridox.ai

Data Processing Addendum

8 min. readlast update: 02.06.2026

1. Definitions

In this Data Processing Addendum ("DPA"):

  • "Controller" means the entity that determines the purposes and means of processing Personal Data;
  • "Processor" means the entity that processes Personal Data on behalf of the Controller;
  • "Personal Data" has the meaning given in applicable Data Protection Laws;
  • "Data Protection Laws" means all applicable privacy and data protection laws, including GDPR, UK GDPR, and other relevant legislation;
  • "Data Subject" means an identified or identifiable natural person;
  • "Sub-processor" means any Processor engaged by Veridox to process Personal Data.

2. Purpose and Scope

This DPA applies when Veridox processes Personal Data on behalf of the Client in the course of providing the Platform services. It supplements and forms part of the Terms of Use.

This DPA takes precedence over any conflicting provisions in the Terms of Use regarding data protection matters.

3. Roles of the Parties

3.1 Controller and Processor

The parties acknowledge that:

  • Client acts as Controller for Personal Data contained in documents uploaded to the Platform;
  • Veridox acts as Processor when processing such Personal Data to provide the services;
  • Each party may also act as Controller for Personal Data they collect directly.

3.2 Independent Controllers

For account information and usage data collected directly by Veridox, each party acts as an independent Controller and is responsible for their own compliance with Data Protection Laws.

4. Details of Processing

4.1 Categories of Data Subjects

Data subjects may include individuals whose information appears in documents uploaded for analysis.

4.2 Categories of Personal Data

Personal Data may include:

  • Names and contact information
  • Identification numbers
  • Financial information
  • Any other personal information contained in uploaded documents

4.3 Processing Activities

Veridox processes Personal Data to:

  • Analyse documents for fraud indicators
  • Extract metadata and technical information
  • Generate analysis reports and outputs
  • Provide platform services as described in the Terms

5. Client Obligations

As Controller, Client warrants and undertakes to:

  • Comply with all applicable Data Protection Laws;
  • Have lawful basis for processing and sharing Personal Data with Veridox;
  • Provide necessary notices to Data Subjects;
  • Obtain required consents where necessary;
  • Only upload Personal Data necessary for the intended analysis;
  • Implement appropriate technical and organisational measures;
  • Promptly notify Veridox of any data protection issues or Data Subject requests.

6. Veridox Obligations as Processor

Veridox undertakes to:

  • Process Personal Data only on documented instructions from Client;
  • Ensure processing staff are subject to confidentiality obligations;
  • Implement appropriate technical and organisational security measures;
  • Not engage Sub-processors without Client consent;
  • Assist with Data Subject rights requests;
  • Assist with security breach notifications;
  • Delete or return Personal Data upon termination;
  • Provide information necessary for compliance audits.

7. Security Measures

Veridox maintains appropriate technical and organisational measures including:

7.1 Technical Measures

  • Encryption of Personal Data in transit and at rest
  • Regular security testing and vulnerability assessments
  • Access controls and authentication systems
  • Secure development practices
  • Network security and monitoring

7.2 Organisational Measures

  • Staff training on data protection
  • Clear data handling procedures
  • Incident response plans
  • Regular security reviews
  • Third-party security certifications

8. Use of Sub-Processors

8.1 Authorised Sub-Processors

Client provides general authorisation for Veridox to engage Sub-processors for specific processing activities.

8.2 Sub-Processor Requirements

Veridox ensures that Sub-processors:

  • Provide sufficient guarantees of compliance
  • Are bound by data protection obligations equivalent to this DPA
  • Implement appropriate security measures
  • Are subject to regular compliance monitoring

8.3 Changes to Sub-Processors

Veridox will inform Client of any intended changes to Sub-processors, allowing Client to object to such changes.

9. Data Subject Rights

Veridox will assist Client in responding to Data Subject requests by:

  • Providing available information about processing activities
  • Implementing technical measures to facilitate rights exercise
  • Promptly forwarding any direct requests from Data Subjects
  • Assisting with data portability and correction requests
  • Supporting deletion requests within technical capabilities

10. Data Breach Notification

10.1 Incident Response

Veridox will:

  • Notify Client without undue delay upon becoming aware of a Personal Data breach
  • Provide available information about the nature and scope of the breach
  • Assist Client in assessing the risks and potential impact
  • Cooperate in breach investigation and remediation efforts
  • Implement measures to address the breach and prevent recurrence

10.2 Client Responsibilities

Client remains responsible for determining whether to notify Data Subjects and supervisory authorities as required by law.

11. Data Transfers and International Safeguards

When Personal Data is transferred outside the European Economic Area, Veridox ensures appropriate safeguards are in place:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Binding Corporate Rules for intra-group transfers
  • Additional technical and organisational measures as needed

12. Audit and Inspection Rights

Veridox will provide Client with information necessary to demonstrate compliance with this DPA. Upon reasonable request and with appropriate notice, Veridox will allow audits by Client or independent auditors, subject to:

  • Reasonable advance notice (at least 30 days)
  • Appropriate confidentiality protections
  • Minimal disruption to Veridox operations
  • Client covering reasonable costs

13. Return or Deletion of Data

Upon termination of the services or upon Client request, Veridox will:

  • Delete all Personal Data processed on Client's behalf
  • Provide confirmation of deletion upon request
  • Return Personal Data in a commonly used format if requested
  • Ensure Sub-processors also delete Personal Data

Veridox may retain Personal Data if required by law, provided it continues to protect the data and limits further processing.

14. Liability and Indemnity

Each party's liability for data protection violations shall be governed by applicable Data Protection Laws. The liability limitations in the Terms of Use apply except where prohibited by law.

15. Duration and Termination

This DPA remains in effect for the duration of the Terms of Use and any period during which Veridox processes Personal Data on Client's behalf.

16. Governing Law and Jurisdiction

This DPA is governed by the same law as the Terms of Use. Data protection matters shall be governed by the applicable Data Protection Laws of the relevant jurisdiction.

17. Contact Details

For data protection matters under this DPA:

Data Protection Officer
Asset Protect Ltd (trading as Veridox)
56 Manchester Road
Altrincham, WA14 4PJ
United Kingdom
Email: dpo@veridox.ai

Acceptable Use Policy

Last updated: 15 July 2025

1. Introduction

This Acceptable Use Policy ("AUP") defines permitted and prohibited uses of the Veridox platform. It supplements our Terms of Use and applies to all users of our services.

Violation of this AUP may result in suspension or termination of your access to the Platform.

2. Permitted Use of the Platform

You may use the Veridox platform to:

  • Detect fraud and authenticate documents for legitimate business purposes
  • Analyse documents you own or have permission to analyse
  • Integrate our API into your applications according to our documentation
  • Use our platform for compliance and risk management activities
  • Conduct research using your own data

3. Prohibited Conduct

3.1 Illegal Activities

You may not use the Platform to:

  • Violate any applicable laws or regulations
  • Facilitate fraud or other criminal activities
  • Infringe intellectual property rights
  • Violate privacy laws or process personal data unlawfully
  • Engage in money laundering or terrorist financing

3.2 Harmful Content

Do not upload content that:

  • Contains malware, viruses, or malicious code
  • Is defamatory, abusive, or harassing
  • Promotes violence or illegal activities
  • Contains child exploitation material
  • Violates export control laws

3.3 Technical Misuse

You must not:

  • Attempt to reverse engineer or hack the Platform
  • Use automated tools to access the Platform except via our API
  • Overwhelm our systems with excessive requests
  • Share API keys or credentials with unauthorised parties
  • Attempt to bypass security measures or usage limits

4. Security and System Integrity

4.1 Account Security

You must:

  • Keep your account credentials secure and confidential
  • Use strong passwords and enable two-factor authentication
  • Notify us immediately of any suspected security breaches
  • Regularly review and audit account access

4.2 Responsible Use

You agree to:

  • Use the Platform only for its intended purposes
  • Respect other users and our systems
  • Report any technical issues or vulnerabilities responsibly
  • Cooperate with our security investigations

5. Fair Usage and Resource Limits

5.1 Usage Limits

Usage must comply with the limits specified in your subscription plan. Excessive use that impacts system performance or other users may result in throttling or suspension.

5.2 Commercial Use

The Platform is intended for legitimate business use. Reselling or providing Platform access to third parties requires a separate agreement.

5.3 Testing and Development

Use our sandbox environment for testing and development. Do not use production systems for testing purposes.

6. Consequences of Breach

6.1 Enforcement Actions

Violation of this AUP may result in:

  • Warning notices and requests to cease prohibited activities
  • Temporary suspension of Platform access
  • Permanent termination of your account
  • Legal action for serious violations
  • Cooperation with law enforcement agencies

6.2 Investigation

We reserve the right to investigate suspected violations and may access account information and usage data as necessary for such investigations.

7. Changes to This Policy

We may update this AUP from time to time. Material changes will be communicated through email or platform notifications. Continued use of the Platform after changes constitutes acceptance of the updated policy.

For questions about this Acceptable Use Policy, contact us at support@veridox.ai.

Was this article helpful?