
Data Processing Agreement

Last Updated: April 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between Verdikt (“Processor,” “we,” “us”) and the entity accepting the Agreement (“Controller,” “Customer,” “you”). This DPA applies to the extent that Verdikt processes Personal Data on behalf of the Customer in connection with the Service.

By accepting the Terms of Service, you also accept this DPA. This DPA is incorporated by reference into the Agreement.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement. In addition:

  • “Personal Data” means any information relating to an identified or identifiable natural person that Customer submits to the Service, including employee names, email addresses, business dilemmas, decision content, and any other data that constitutes “personal information” under CCPA or “personal data” under GDPR.
  • “Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.
  • “Sub-Processor” means any third party engaged by Verdikt to process Personal Data on behalf of the Customer.
  • “Data Protection Laws” means all applicable data protection and privacy laws, including the California Consumer Privacy Act (CCPA, Cal. Civ. Code §1798.100 et seq.), the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), and any other applicable state or national data protection laws.
  • “Service Provider” has the meaning given in CCPA §1798.140(ag).

2. Scope & Roles

2.1 Relationship

For purposes of Data Protection Laws: Customer is the Controller (or “Business” under CCPA) and Verdikt is the Processor (or “Service Provider” under CCPA) of Personal Data submitted to the Service.

2.2 CCPA Service Provider Certification

Verdikt certifies that it:

  • Does not sell Personal Data and will not sell Personal Data collected on behalf of Customer.
  • Does not share Personal Data for cross-context behavioral advertising.
  • Does not retain, use, or disclose Personal Data for any purpose other than performing the Service as specified in the Agreement, or as otherwise permitted by CCPA §1798.140(ag)(2).
  • Does not combine Personal Data received from Customer with data received from other sources, except as permitted by CCPA.
  • Will comply with CCPA and grant Customer the right to take reasonable steps to ensure Verdikt uses Personal Data in a manner consistent with Customer’s CCPA obligations.
  • Will notify Customer if it determines it can no longer meet its CCPA obligations.

2.3 Categories of Personal Data

Verdikt processes the following categories of Personal Data on behalf of Customer:

  • Account Data: User names, email addresses, job titles, organization name
  • Session Content: Business dilemmas, decision queries, follow-up questions, and document uploads submitted by users
  • AI-Generated Outputs: Verdicts, action plans, artifacts, and advisor perspectives generated in response to Session Content
  • Usage Data: Session metadata, timestamps, feature usage, and interaction patterns
  • Organizational Intelligence Data (Team+ tiers): Encrypted decision summaries, outcome records, computed statistics, AI-generated intelligence narratives, and cached intelligence data (see Section 3.4)
  • Financial Context (Premium/Enterprise, admin-only): Revenue range, burn rate, funding stage, headcount — stored in access-controlled documents
  • Billing Data: Processed by Stripe as a Sub-Processor (see Section 6)

3. Processing Instructions

3.1 Purpose Limitation

Verdikt shall process Personal Data only for the following purposes:

  • Providing, operating, and maintaining the Service as described in the Agreement
  • AI-powered analysis and generation of business decision recommendations
  • Sending transactional communications (session notifications, billing alerts, account management)
  • Generating anonymized, aggregated analytics to improve the Service (no individual-level data)

3.2 Documented Instructions

Verdikt shall process Personal Data only on documented instructions from Customer, unless required by applicable law. If Verdikt is required by law to process Personal Data for another purpose, it will inform Customer of that legal requirement before processing (unless prohibited by law from doing so).

3.3 AI Processing

Customer acknowledges that the Service transmits Session Content to third-party AI providers (listed as Sub-Processors in Section 6) for analysis. Verdikt ensures:

  • AI providers do not use Customer data to train their models (zero-retention API agreements in place)
  • AI requests are ephemeral — prompts and responses are not stored by AI providers beyond immediate processing
  • No Customer data is shared between different Customer organizations

3.4 Organizational Intelligence Processing

For organizations on Team, Business, Premium, or Enterprise tiers, Verdikt performs additional processing of Session Content to provide Organizational Intelligence features:

Processing Activities:

  • Decision Ledger capture: After each session, an encrypted summary (dilemma snippet, verdict, category, stake level) is stored in the organization’s Decision Ledger using AES-256-GCM, with per-entry Additional Authenticated Data (AAD) so that each ciphertext is bound to the entry it belongs to
  • Outcome tracking: Users may voluntarily record follow-up outcomes (action taken, rating, lessons learned). Outcome notes are encrypted server-side before storage — direct client writes to sensitive fields are blocked by Firestore security rules
  • Intelligence synthesis: PII-redacted decision summaries are transmitted to Google Gemini API to generate organizational intelligence narratives. Synthesis occurs on a scheduled basis (daily at 2 AM UTC), on company profile updates (5-minute debounce), and on first-time profile creation
  • Session injection: Cached intelligence is injected as context into future advisory sessions to improve recommendation relevance
  • Financial data processing (Premium/Enterprise): Administrator-provided financial indicators (revenue range, burn rate, funding stage, headcount) are incorporated into intelligence synthesis. Financial data is stored in a separate, access-controlled document readable only by organization administrators

Lawful Basis: Legitimate interest under GDPR Article 6(1)(f). Verdikt has conducted a legitimate interest balancing test and determined that this processing is proportionate and necessary for delivering the contracted Service:

  • Necessity: Intelligence synthesis is a core feature of Team+ tiers that directly improves advisory quality. Without organizational context, AI recommendations are generic and less valuable
  • Proportionality: Only encrypted summaries (truncated to 120 characters) are processed — full session transcripts and conversation histories are not used. PII is redacted before AI transmission
  • Data subject controls: Users have per-session opt-out via the “Share with company intelligence” toggle on the briefing screen. Organization administrators can disable intelligence entirely via organization settings
  • Data isolation: Intelligence data is strictly organization-scoped. No data is shared across organizations or used for cross-tenant analysis
  • Retention limits: Cached intelligence is automatically purged after 90 days of organizational inactivity. Decision Ledger entries are deleted upon organization deletion

Data Subject Rights: Users may exercise their right to object to intelligence processing (GDPR Article 21) by disabling the per-session toggle or by contacting privacy@getverdikt.com. Upon account deletion, the user’s Decision Ledger entries are anonymized (userId replaced with “deleted-user”) within the organization’s records.

4. Data Security

4.1 Security Measures

Verdikt implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption in transit: All data transmitted via TLS 1.2 or higher
  • Encryption at rest: All stored data encrypted using AES-256 (managed by Google Cloud)
  • Access controls: Role-based access, principle of least privilege, multi-factor authentication for administrative access
  • Infrastructure security: Hosted on Google Cloud Platform (SOC 2, ISO 27001 certified infrastructure)
  • Application security: Firestore security rules enforcing per-user and per-organization data isolation
  • Sensitive data handling: PII detection and redaction applied to Session Content before AI processing; client-side encryption for identified PII
  • Monitoring: Automated logging of data access events

4.2 Incident Response

In the event of a Personal Data breach, Verdikt will:

  • Notify Customer without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide sufficient detail about the breach to enable Customer to meet its own notification obligations
  • Take reasonable steps to contain, investigate, and remediate the breach
  • Cooperate with Customer and applicable authorities in investigating the breach

5. Data Subject Rights

5.1 Assistance

Verdikt will assist Customer in responding to requests from data subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection:

  • Data export (GDPR Article 20 / CCPA right to know): Upon written request to support@getverdikt.com, Verdikt will provide Customer’s Personal Data in a structured, commonly used, machine-readable format (JSON) within 30 days.
  • Account deletion (GDPR Article 17 / CCPA right to delete): Available via the “Delete Account” function in account settings, completing within 30 days.
  • Organization deletion: Admin-initiated cascade that permanently deletes all organization data, including Stripe customer records.

5.2 Deletion

Upon receiving a verified deletion request, Verdikt will delete or anonymize all Personal Data within 30 days, except where retention is required by law (e.g., tax records retained per IRS 26 USC §6501). Any legally retained data is anonymized (hashed identifiers only) and automatically purged after the statutory retention period.

6. Sub-Processors

6.1 Authorized Sub-Processors

Customer authorizes Verdikt to engage the following Sub-Processors. Each has a Data Processing Agreement in place with Verdikt:

  • Google Cloud Platform (Firebase): infrastructure, hosting, database, authentication. Data processed: all Customer data. Location: United States.
  • Google Gemini API: primary AI analysis engine. Data processed: Session Content (redacted). Location: United States.
  • Anthropic (Claude API): fallback AI analysis engine. Data processed: Session Content (redacted). Location: United States.
  • Stripe: payment processing, subscription management. Data processed: Billing Data (name, email, payment method). Location: United States.
  • Brevo (Sendinblue): transactional email delivery. Data processed: email addresses, notification content. Location: European Union / United States.

6.2 Sub-Processor Changes

Verdikt will notify Customer at least 30 days in advance of engaging any new Sub-Processor, via email to the organization admin address. Customer may object to the new Sub-Processor by notifying Verdikt within 15 days of receipt. If Verdikt cannot reasonably accommodate the objection, Customer may terminate the affected Service.

6.3 Sub-Processor Obligations

Verdikt ensures that each Sub-Processor is bound by data protection obligations no less protective than those in this DPA, including:

  • Processing Personal Data only for the specified purpose
  • Implementing appropriate security measures
  • Deleting or returning Personal Data upon termination
  • Allowing for and contributing to audits by Verdikt or Customer

7. Data Transfers

All Personal Data is processed within the United States. For customers subject to GDPR or other international data protection laws, Verdikt relies on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
  • Sub-Processor compliance with the EU-US Data Privacy Framework where applicable

8. Audits

8.1 Audit Rights

Customer may audit Verdikt’s compliance with this DPA by:

  • Requesting Verdikt’s most recent security assessment or SOC 2 report (available upon request under NDA)
  • Submitting written questions about Verdikt’s data processing practices, which Verdikt will respond to within 30 days
  • Conducting an on-site or remote audit, at Customer’s expense, with at least 30 days’ written notice (limited to once per year unless a breach has occurred)

8.2 Cooperation

Verdikt will make available to Customer all information necessary to demonstrate compliance with this DPA and Data Protection Laws, and will cooperate with any audit or inspection conducted by Customer or a mandated auditor.

9. Data Retention & Return

9.1 During the Agreement

Verdikt retains Personal Data for the duration of the Agreement, plus a 30-day grace period following termination to allow for data export.

9.2 Upon Termination

Upon termination of the Agreement, Verdikt will:

  • Upon written request, provide Customer’s data in a machine-readable format (JSON) within 30 days of termination
  • After the 30-day period, permanently delete all Personal Data from active systems
  • Delete Personal Data from backup systems within 90 days
  • Provide written confirmation of deletion upon Customer request

9.3 Exceptions

Verdikt may retain anonymized audit records (containing only hashed identifiers, no raw PII) for the minimum period required by applicable law (e.g., 6 years for IRS tax record requirements under 26 USC §6501). The specific legal basis is documented for each retained record.

10. Liability

Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement. This DPA does not limit either party’s liability for breaches of Data Protection Laws to the extent such limitation is prohibited by applicable law.

11. Term & Modifications

11.1 Term

This DPA remains in effect for as long as Verdikt processes Personal Data on behalf of Customer.

11.2 Modifications

Verdikt may update this DPA to reflect changes in Data Protection Laws or processing practices. Material changes will be notified to Customer at least 30 days in advance. Continued use of the Service after the effective date constitutes acceptance of the updated DPA.

12. Contact

For questions about this DPA or to exercise any rights under it, contact:

  • Email: support@getverdikt.com
  • Support: support@getverdikt.com
  • Address: 1317 Edgewater Dr #6656, Orlando, FL 32804

This DPA is incorporated into and forms part of the Verdikt Terms of Service. By accepting the Terms of Service, Customer agrees to the terms of this DPA.

© 2026 Verdikt. All rights reserved.