This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between VeriStay Ltd ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data in connection with the Services.
Note: This DPA is incorporated by reference into the Terms and Conditions. By using the Services, you agree to this DPA. For executed copies or custom enterprise terms, contact info@veristay.app.
In this DPA:
You are the Controller of Personal Data uploaded to or processed through the Services. VeriStay acts as your Processor when processing Personal Data on your behalf.
The categories of Personal Data processed may include:
Data subjects may include:
VeriStay will process Personal Data only:
Your use of the Services constitutes your instructions for processing. Additional instructions must be provided in writing and may be subject to additional fees if they require changes to the Services.
VeriStay implements appropriate technical and organisational measures to protect Personal Data, including:
You provide general authorisation for VeriStay to engage Sub-processors to assist in providing the Services. VeriStay will:
VeriStay engages the following Sub-processors. The list is current as of the Effective Date and may be updated in accordance with section 5.3. Production data is hosted primarily in the United Kingdom and European Economic Area; transfers to US-based providers are protected by the UK ICO Standard Contractual Clauses (SCCs) and supplementary safeguards.
Core platform infrastructure (production SaaS):
| Sub-processor | Purpose | Location |
|---|---|---|
| UpCloud Ltd | Managed Kubernetes, PostgreSQL and S3-compatible object storage (primary hosting for all Customer Data) | UK / EU (London — uk-lon1) |
| CloudAMQP (84codes AB) | Managed RabbitMQ message broker | EU (London region, AWS eu-west-2) |
| Auth0 (Okta, Inc.) | Authentication and identity management | EU (Frankfurt tenant region) |
| Cloudflare, Inc. | DNS resolution; Turnstile bot protection on signup forms | Global (with SCCs) |
| GitHub, Inc. (Microsoft Corp.) | Container image registry (GHCR) for operational images. No Customer Data is stored. | US / Global (with SCCs) |
AI processing:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | Claude vision and language models — secondary / fallback provider for Deep AI damage detection; primary provider for Huginn property summaries and Review Agent | US (with SCCs) |
| Google LLC / Google Cloud EMEA Limited | Vertex AI — Gemini 2.5 Flash vision model for Deep AI damage detection and inventory analysis (primary Deep AI provider when enabled) | EU (europe-west4, Belgium, or europe-west3, Frankfurt) |
| Microsoft Corporation (Azure AI Vision) | Computer Vision — documented fallback provider for damage detection | EU (configurable region) |
| OpenAI, L.L.C. | Chat language model — documented fallback when self-hosted models are unavailable | US (with SCCs; data not used for model training) |
Payments, communications and operations:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing (PCI DSS Level 1) | EU / UK / US (with SCCs) |
| Resend, Inc. | Transactional email delivery | US (with SCCs) |
| Functional Software, Inc. (Sentry) | Error and crash monitoring (mobile app and backend services) | EU (eu.sentry.io region) |
| Grafana Labs | Metrics, logs and traces (observability) — where deployed | EU |
| Stadia Maps, Inc. | Map tile rendering in mobile app | EU |
| Google LLC (Fonts) | Web typography (CSS and font files); requesting browser IP visible to Google | Global (with SCCs) |
Marketing website only (veristay.app — not the production SaaS):
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Corporation (Azure Static Web Apps) | Hosts the public marketing website | Global CDN |
| Google LLC (Analytics, Tag Manager) | Website analytics on the marketing site (consent-gated) | US (with SCCs) |
VeriStay will notify you at least 30 days before engaging a new Sub-processor. If you have a reasonable objection, you may notify us within 14 days. If we cannot resolve the objection, you may terminate the affected Services.
VeriStay will assist you in responding to requests from data subjects exercising their rights under Data Protection Laws, including:
Where possible, you can fulfil requests using self-service features in the Services. For requests requiring our assistance, contact info@veristay.app.
VeriStay will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your data.
Notification will include (to the extent known):
VeriStay will cooperate with you and provide reasonable assistance to fulfil your breach notification obligations to supervisory authorities and data subjects.
Personal Data is primarily stored and processed in the United Kingdom and European Economic Area.
Where transfers occur outside the UK/EEA, VeriStay ensures appropriate safeguards through:
VeriStay will retain Personal Data for the duration of the agreement and in accordance with your retention settings in the Services.
Upon termination of the agreement:
VeriStay will make available information necessary to demonstrate compliance with this DPA and allow for audits.
VeriStay does not currently hold a SOC 2 attestation. Pursuing SOC 2 Type II certification is on our roadmap; once issued, we will make audit reports available under NDA. In the interim, we will respond to customer security questionnaires and provide our own internal security documentation on request.
For Enterprise customers, on-site audits may be conducted with at least 30 days' notice, during business hours, no more than once per year, and subject to confidentiality requirements. Audit costs are borne by the Customer.
VeriStay will provide reasonable assistance if you are required to conduct a Data Protection Impact Assessment (DPIA) in relation to your use of the Services.
VeriStay ensures that persons authorised to process Personal Data:
This DPA remains in effect for as long as VeriStay processes Personal Data on your behalf. Termination of the main agreement automatically terminates this DPA.
Each party's liability under this DPA is subject to the limitations set out in the Terms and Conditions.
For questions about this DPA or to request an executed copy:
VeriStay Ltd — Data Protection