VeriSwarm

Data Processing Agreement

Effective Date: March 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between VeriSwarm (“Processor”) and the customer entity identified in the applicable service agreement (“Controller”) for the provision of the VeriSwarm platform services.

This DPA sets out the terms under which the Processor processes personal data on behalf of the Controller in connection with the VeriSwarm platform, in compliance with applicable data protection laws including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).

1. Definitions

  1. “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the VeriSwarm platform.
  2. “Processing” means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  3. “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  4. “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.

2. Scope and Roles

Role | Party | Responsibility
Controller | The Customer | Determines the purposes and means of processing Personal Data through the VeriSwarm platform.
Processor | VeriSwarm | Processes Personal Data solely on the Controller's behalf and in accordance with documented instructions.

3. Categories of Data Processed

The following categories of data may be processed through the VeriSwarm platform:

Category | Description
Agent events | Behavioral events generated by AI agents, including tool calls, task completions, errors, and interactions. May contain personal data if agents process user-facing content.
Trust scores | Computed scores across identity, risk, reliability, and autonomy dimensions. Derived from event data.
PII tokens | Tokenized representations of personal data detected by Guard. Original PII is encrypted and stored separately from the tokens.
Conversation logs | Conversations between end-users and managed agents (Cortex runtime). May contain personal data.
API usage metadata | Request counts, timestamps, IP addresses, and authentication metadata associated with platform usage.
Account data | Names, email addresses, and organizational information provided during registration and workspace management.

4. Processing Purposes

The Processor processes Personal Data solely for the following purposes, as instructed by the Controller:

  1. Trust scoring— computing and maintaining agent trust scores based on behavioral events.
  2. Security scanning— detecting prompt injection, PII exposure, and other security threats via Guard.
  3. Policy enforcement— evaluating trust decisions (allow, review, deny) based on configured policy rules.
  4. PII tokenization— detecting and replacing personal data with opaque tokens before LLM processing.
  5. Audit logging— recording events in the Vault immutable ledger for compliance and audit purposes.
  6. Agent operations— facilitating managed agent conversations, knowledge retrieval, and integration execution via the Cortex runtime.
  7. Platform operations— billing, support, abuse prevention, and platform reliability monitoring.

5. Data Retention

Data retention periods are determined by the Controller's plan tier:

Plan | Default Retention
Free (Gate) | 7 days
Pro | 90 days
Max | 365 days
Enterprise | Custom (as agreed in the service contract)

The Controller may request early deletion of data at any time via the API (the GDPR deletion endpoint described in Section 8) or the platform dashboard. Upon account termination, data is deleted on the timeline set out in Section 12 (Term and Termination), unless a longer retention period is required by law.

6. Sub-processors

The Processor engages the following sub-processors. The Controller consents to these sub-processors as of the effective date of this DPA. The Processor will notify the Controller at least 30 days in advance of adding new sub-processors.

Sub-processor | Purpose | Data Location
Cloudflare, Inc. | CDN, DDoS protection, DNS, and tunnel infrastructure | Global (edge network)
Microsoft Azure | LLM inference for the Cortex agent runtime (Azure OpenAI Service) | US East
Stripe, Inc. | Payment processing and billing | US

Each sub-processor is bound by data processing terms no less protective than this DPA. The Processor remains liable for the acts and omissions of its sub-processors.

7. Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

Measure | Implementation
Encryption at rest | AES-256 and Fernet encryption for stored data and secrets. Note that Fernet itself uses AES-128 in CBC mode with HMAC-SHA256 authentication, so the AES-256 figure applies only to data encrypted directly with AES-256, not to Fernet-wrapped values.
Encryption in transit | TLS 1.3 for all API and web traffic
Access control | Role-based access control (RBAC) with tenant isolation. Three authentication mechanisms: API keys, bearer tokens, and session tokens.
Multi-factor authentication | MFA available for all user accounts
PII tokenization | Guard NER and regex detection replaces PII with opaque tokens before LLM processing. Original data is stored encrypted, separately from the tokens.
Audit logging | All administrative actions and data access are logged. Vault provides hash-chained, append-only records, so any modification or removal of an earlier record is detectable when the chain is verified.
Tenant isolation | Organization → Tenant → Agent hierarchy with strict data boundaries. No cross-tenant data access.
Backup and recovery | Daily automated backups with 7-day rotation. Tested recovery procedures.
Security testing | Internal red-teaming, prompt injection scanning, and adversarial testing of managed agents.
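The "hash-chained immutable records" property in the table above is worth seeing concretely, because it is what makes the breach documentation in Section 9 and the deletion guarantees in Section 8 auditable rather than just asserted. The following is an added illustration written for this page; it is not Vault's implementation and assumes nothing about VeriSwarm's internal record format. It assumes SHA-256 over a canonical JSON encoding of each record, a zero genesis hash, and constructed sample events. It shows three things a practitioner checks: that modifying an earlier record breaks the chain at that entry, that silently removing an entry also breaks it, and that rewriting the tail entry and recomputing its hash does not break the chain unless the expected head hash is anchored somewhere the writer cannot reach.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # "previous hash" value for the first entry (assumption)

# Constructed sample audit events; not real VeriSwarm data.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"ts": "2026-03-01T09:00:00Z", "actor": "admin@example.test",
     "action": "policy.update", "tenant": "t-1"},
    {"ts": "2026-03-01T09:05:00Z", "actor": "svc-guard",
     "action": "pii.tokenize", "tenant": "t-1", "count": 3},
    {"ts": "2026-03-02T11:30:00Z", "actor": "security@example.test",
     "action": "breach.documented", "tenant": "t-1"},
]


def entry_hash(seq: int, prev: str, record: Dict[str, Any]) -> str:
    """SHA-256 over (sequence number, previous hash, canonical JSON record)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{seq}\n{prev}\n{body}".encode("utf-8")).hexdigest()


class HashChainLedger:
    """Append-only ledger where each entry commits to its predecessor."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, record: Dict[str, Any]) -> str:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "record": record,
                 "hash": entry_hash(seq, prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        # The head hash is what you anchor externally (e.g. hand to the auditor).
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[Dict[str, Any]],
                 expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index_of_first_bad_entry). Index is -1 when the chain is intact.
    If expected_head is given and the final hash differs, the failure index is len(entries)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if (e["seq"] != i or e["prev"] != prev
                or e["hash"] != entry_hash(i, prev, e["record"])):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, -1


def build_sample_ledger() -> HashChainLedger:
    ledger = HashChainLedger()
    for ev in SAMPLE_EVENTS:
        ledger.append(ev)
    return ledger


def with_modified_record(entries, index: int, field: str, value) -> List[Dict[str, Any]]:
    """Tamper with a stored record without touching its hash."""
    copied = copy.deepcopy(entries)
    copied[index]["record"][field] = value
    return copied


def with_entry_removed(entries, index: int) -> List[Dict[str, Any]]:
    """Silently drop one entry (what a naive 'delete from the ledger' would do)."""
    copied = copy.deepcopy(entries)
    del copied[index]
    return copied


def with_tail_rewritten(entries, field: str, value) -> List[Dict[str, Any]]:
    """Rewrite the last record AND recompute its hash: internally consistent,
    detectable only against an externally anchored head hash."""
    copied = copy.deepcopy(entries)
    last = copied[-1]
    last["record"][field] = value
    last["hash"] = entry_hash(last["seq"], last["prev"], last["record"])
    return copied


if __name__ == "__main__":
    ledger = build_sample_ledger()
    anchored_head = ledger.head()
    print("intact:", verify_chain(ledger.entries))
    print("modified entry 1:", verify_chain(with_modified_record(ledger.entries, 1, "actor", "mallory")))
    print("entry 1 removed:", verify_chain(with_entry_removed(ledger.entries, 1)))
    rewritten = with_tail_rewritten(ledger.entries, "action", "nothing.happened")
    print("tail rewritten, no anchor:", verify_chain(rewritten))
    print("tail rewritten, anchored:", verify_chain(rewritten, anchored_head))
```

The last two cases are the practical caveat: a hash chain proves the history has not been altered only relative to a head hash the verifier obtained independently, so an audit should compare against a head value recorded outside the system being audited. The removal case is also why "deletion propagates to Vault records" (Section 8) cannot mean physically dropping ledger entries without some additional mechanism; the page does not describe how Vault reconciles erasure with chain integrity, and that is a reasonable question to ask during a DPA audit.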

8. Data Subject Rights

The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Right of access— Data export is available via the API (GET /v1/admin/gdpr-export) and the dashboard.
  • Right to erasure— GDPR deletion can be triggered via the API (DELETE /v1/admin/gdpr-delete) or the dashboard. Deletion propagates to all platform components including Vault records.
  • Right to rectification— Agent profiles and account data can be updated via API or dashboard.
  • Right to data portability— Full data export in a machine-readable format (JSON) is available on all plans.
  • Right to restriction— The Controller may suspend agent processing or disable specific modules at any time.

9. Breach Notification

In the event of a Personal Data breach, the Processor will:

  1. Notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach.
  2. Provide sufficient information to enable the Controller to meet its obligations under applicable data protection laws, including the nature of the breach, categories of data affected, approximate number of records, and measures taken to mitigate the breach.
  3. Cooperate with the Controller and any supervisory authority in investigating and remediating the breach.
  4. Document the breach in the Vault audit ledger, including a timeline of events, remediation actions, and root cause analysis.

10. International Transfers

Personal Data is currently processed and stored in the US East region (United States). Where Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom:

  • The Processor relies on the EU-US Data Privacy Framework where applicable.
  • Standard Contractual Clauses (SCCs) are available upon request for transfers not covered by an adequacy decision.
  • The Processor conducts Transfer Impact Assessments (TIAs) for relevant transfers.
  • EU data residency options are planned and will be offered to Enterprise customers upon availability.

11. Audit Rights

The Controller may audit the Processor's compliance with this DPA. Audits are subject to the following conditions:

  • Audit requests must be submitted in writing with at least 30 days notice.
  • Audits are limited to once per calendar year unless a breach has occurred.
  • The Processor will make available relevant documentation, certifications, and audit reports. On-site audits are available to Enterprise customers.
  • The Controller bears the cost of any audit conducted by a third-party auditor.

12. Term and Termination

This DPA remains in effect for the duration of the Controller's use of the VeriSwarm platform. Upon termination:

  1. The Controller may export all data within 30 days of termination.
  2. The Processor will delete all Personal Data within 30 days of the export period, unless retention is required by applicable law.
  3. The Processor will provide written confirmation of deletion upon request.

13. Liability

Liability under this DPA is subject to the limitations set forth in the underlying service agreement between the parties. Each party is liable for damages caused by its own breach of this DPA or applicable data protection laws.

14. Contact

For questions about this DPA, data processing practices, or to exercise data subject rights:

  • Privacy inquiries: privacy@veriswarm.ai
  • DPA execution requests: legal@veriswarm.ai
  • Security incidents: security@veriswarm.ai

Last updated: March 2026