Data Processing Agreement

Last updated: February 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Vereda AI ("Processor", "we", "us") and the organization using our services ("Controller", "you", "your"), as set forth in our Terms of Service. This DPA governs the processing of personal data by Vereda AI on behalf of the Controller.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws including GDPR, CCPA, and LGPD.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Sub-processor" means any third party engaged by Vereda AI to process Personal Data on behalf of the Controller.

"Data Subject" means the individual to whom Personal Data relates.

2. Scope and Purpose of Processing

Vereda AI processes Personal Data solely to provide engineering team performance management services, including:

  • Team member profiles (names, roles, levels, team assignments)
  • Performance data (check-ins, goals, action items, feedback)
  • Standup submissions and summaries
  • Integration data from connected services (Slack, GitHub, Jira)
  • AI-generated insights and analytics

We process this data only as instructed by the Controller and only for the purposes of delivering the services described in our Terms of Service.

3. Controller Obligations

The Controller shall:

  • Ensure a lawful basis exists for processing Personal Data through Vereda AI
  • Provide any required notices to, and obtain any required consents from, Data Subjects
  • Ensure that instructions given to Vereda AI comply with applicable data protection laws

4. Processor Obligations

Vereda AI shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Section 6
  • Not engage Sub-processors without prior authorization from the Controller, as described in Section 7
  • Assist the Controller in responding to Data Subject requests
  • Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
  • Delete or return all Personal Data upon termination of services, at the Controller's election
  • Make available information necessary to demonstrate compliance with this DPA

5. Data Subject Rights

Vereda AI will assist the Controller in fulfilling Data Subject requests including:

  • Access: Providing copies of Personal Data upon request
  • Rectification: Correcting inaccurate Personal Data
  • Erasure: Deleting Personal Data when requested and legally permissible
  • Portability: Exporting Personal Data in a structured, machine-readable format
  • Restriction: Restricting processing when required by applicable law

Controllers can manage most Data Subject requests directly through the Vereda AI platform. For requests requiring additional assistance, contact us at info@vereda.ai.

6. Security Measures

Vereda AI implements the following technical and organizational measures to protect Personal Data:

  • Encryption in transit: All data transmitted over TLS 1.2 or higher
  • Encryption at rest: AES-256 encryption for stored data
  • Access controls: Role-based access control (RBAC) with principle of least privilege
  • Authentication: Secure authentication via Clerk with support for SSO
  • Infrastructure: Hosted on SOC 2 compliant infrastructure in the United States
  • Monitoring: Continuous monitoring and logging of system access
  • Audit logging: Comprehensive audit trails for data access and modifications

For more details, see our Security page.

7. Sub-processors

The Controller authorizes Vereda AI to engage the following Sub-processors:

Sub-processor     Purpose                            Location
Supabase (AWS)    Primary database hosting           United States
Render            Application hosting                United States
Clerk             Authentication and identity        United States
OpenAI            AI-powered insights and analysis   United States
Stripe            Payment processing                 United States

Vereda AI will notify the Controller before adding or replacing Sub-processors. The Controller may object to a new Sub-processor within 30 days of notification. If the objection cannot be resolved, the Controller may terminate the affected services.

8. Data Breach Notification

In the event of a Personal Data breach, Vereda AI will:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide sufficient information for the Controller to meet its obligations under applicable data protection laws
  • Cooperate with the Controller to investigate, mitigate, and remediate the breach
  • Document the breach, its effects, and the remedial action taken

9. International Data Transfers

Vereda AI processes all data within the United States. Where Personal Data originates from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission
  • EU-U.S. Data Privacy Framework, where applicable

10. Data Retention and Deletion

Upon termination of services, Vereda AI will, at the Controller's election:

  • Return all Personal Data in a structured, machine-readable format
  • Delete all Personal Data within 30 days, unless retention is required by law
  • Provide written confirmation of deletion upon request

During active use, data is retained for as long as necessary to provide the services. Controllers can delete individual records at any time through the platform.

11. Audits

Vereda AI will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, subject to:

  • Reasonable prior written notice (at least 30 days)
  • Audits conducted during normal business hours and no more than once per year
  • Confidentiality obligations regarding any information obtained

12. Jurisdiction-Specific Terms

GDPR (European Economic Area)

For Personal Data subject to GDPR, Vereda AI acts as a Processor under Article 28. The Controller remains the Data Controller. This DPA satisfies the requirements of Article 28(3) of the GDPR.

CCPA (California)

For Personal Information subject to CCPA, Vereda AI acts as a Service Provider. We do not sell Personal Information and process it only for the business purposes specified in this DPA.

LGPD (Brazil)

For Personal Data subject to LGPD, Vereda AI acts as an Operator processing data on behalf of the Controller in accordance with applicable LGPD requirements.

13. Term and Termination

This DPA remains in effect for the duration of the Controller's use of Vereda AI services. Obligations relating to data deletion, confidentiality, and cooperation with audits survive termination.

14. Changes to This DPA

We may update this DPA to reflect changes in our practices or applicable law. Material changes will be communicated to Controllers with at least 30 days' notice. Continued use of our services after the effective date of changes constitutes acceptance of the updated DPA.

15. Contact

For questions about this DPA or to exercise data protection rights, contact us at:

info@vereda.ai

See also our Privacy Policy and Terms of Service.