Data Processing Agreement

Effective: April 2026

Template DPA: This is Vertifile's standard Data Processing Agreement. Enterprise customers may request a custom DPA tailored to their specific regulatory and organizational requirements by contacting info@vertifile.com.

This Data Processing Agreement ("DPA") forms part of the agreement between Vertifile ("Processor") and the customer organization ("Controller") for the use of Vertifile's document verification and digital signature services. This DPA governs the processing of personal data by the Processor on behalf of the Controller in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and applicable data protection legislation.

1. Definitions

Controller: The entity that determines the purposes and means of processing personal data. In the context of this DPA, the Controller is the customer organization using Vertifile's services.
Processor: The entity that processes personal data on behalf of the Controller. In the context of this DPA, the Processor is Vertifile.
Data Subject: An identified or identifiable natural person whose personal data is processed. This includes users of the platform and individuals whose documents are verified through the service.
Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
Processing: Any operation or set of operations performed on personal data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, or erasure.

2. Scope of Processing

Vertifile processes a limited set of personal data strictly necessary for the provision of its document verification and digital signature services. The Processor does not access, read, or analyze the content of any documents uploaded to the platform.

Data Processed

The following categories of personal data are processed:

Account data: Email address, full name, organization name
Document metadata: File name, cryptographic hash (SHA-256), timestamp of processing, MIME type

Data NOT Processed

Vertifile operates a blind processing architecture. The content of uploaded documents is never read, accessed, stored, or transmitted to Vertifile's servers. Only cryptographic hashes (one-way fingerprints) are generated and stored. Document content remains exclusively under the Controller's control at all times.

3. Processing Details

Purpose of Processing

Personal data is processed solely for the purpose of providing document verification and digital signature services, including the generation of cryptographic signatures, verification of document integrity, and maintenance of audit records.

Types of Personal Data

Account information: email address, full name, organization name
Document metadata: file name, SHA-256 hash, processing timestamp, MIME type
Usage data: number of documents processed, API call records

Categories of Data Subjects

Users of the Vertifile platform (individuals who create accounts)
Document signers and recipients whose documents are processed through the service

Duration of Processing

Personal data is retained for the duration of the Controller's active account. Upon account termination or deletion, all personal data associated with the account will be permanently deleted within 30 days, except where retention is required by applicable law or where cryptographic hashes have been anchored to a public blockchain (which cannot be reversed but contain no personal data).

4. Processor Obligations

Vertifile, as the Processor, undertakes the following obligations:

Documented instructions: Process personal data only on documented instructions from the Controller, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
Confidentiality: Ensure that all personnel authorized to process personal data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
Security measures: Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 5 of this DPA.
Sub-processor restrictions: Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. The Controller will be notified at least 30 days before any addition or replacement of sub-processors.
Data subject requests: Assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligation to respond to data subject requests for access, rectification, erasure, restriction, portability, and objection.
Data deletion or return: At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data.
Audit and compliance: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

5. Security Measures

Vertifile implements the following technical and organizational security measures to protect personal data:

Encryption in transit: All data transmitted between clients and Vertifile servers is encrypted using TLS 1.2 or higher.
Encryption at rest: Database connections to PostgreSQL (hosted on Neon) are encrypted. Data at rest is protected by the infrastructure provider's encryption mechanisms.
Dual digital signatures: Documents are signed using HMAC-SHA256 and Ed25519 dual-signature architecture, providing both integrity verification and non-repudiation.
Blind processing: Vertifile's core architecture ensures that document content is never read, analyzed, or accessed by the platform. Only cryptographic hashes are processed, making it technically impossible for the Processor to access document content.
Session security: Session data is managed using httpOnly, secure cookies with appropriate expiration policies. Session tokens are not exposed to client-side scripts.
Access controls: Principle of least privilege is applied to all system access. Administrative access is restricted and logged.
Security audits: Regular security assessments are conducted to identify and address vulnerabilities. Security practices are reviewed and updated on an ongoing basis.

6. Sub-processors

Vertifile engages the following sub-processors for the provision of its services. Each sub-processor is bound by data processing terms that provide at least the same level of protection as this DPA:

Neon (neon.tech) — PostgreSQL database hosting. Regions: United States and European Union.
Render (render.com) — Application hosting and infrastructure. Regions: United States and European Union.
Resend (resend.com) — Transactional email delivery (account notifications, verification emails). Region: United States.

The Controller will be notified at least 30 days prior to any changes to this list of sub-processors. The Controller may object to the appointment of a new sub-processor within 14 days of receiving notice. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected services.

7. International Data Transfers

Vertifile is based in Israel, which has been recognized by the European Commission as providing an adequate level of data protection (Commission Decision 2011/61/EU).

Where personal data is transferred to sub-processors located outside the European Economic Area (EEA) in jurisdictions that have not received an adequacy decision, such transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented by additional safeguards where necessary following a transfer impact assessment.

The Controller may request copies of the applicable SCCs and transfer impact assessments by contacting Vertifile at info@vertifile.com.

8. Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.

The notification shall include:

A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
The name and contact details of the Processor's point of contact for further information
A description of the likely consequences of the breach
A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate fully with the Controller in investigating and remediating the breach, and shall take all reasonable steps to mitigate the effects and minimize any damage resulting from the breach.

9. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under the GDPR, including the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, and right to object. The Processor shall promptly notify the Controller of any data subject request received directly and shall not respond to such requests without the Controller's prior authorization, unless required by applicable law.

10. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying service agreement between the parties. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law.

11. Term and Termination

This DPA shall remain in effect for the duration of the Processor's processing of personal data on behalf of the Controller. Upon termination of the underlying service agreement, the Processor shall, at the Controller's election, either delete or return all personal data within 30 days, unless applicable law requires continued storage.

The obligations of confidentiality, data breach notification, and cooperation with respect to data subject requests shall survive the termination of this DPA.

12. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Israel, without regard to its conflict of law principles, except to the extent that mandatory provisions of GDPR or other applicable data protection laws require otherwise.

13. Contact

For questions regarding this Data Processing Agreement, data protection practices, or to request a custom DPA, please contact:

Vertifile
Rishon LeZion, Israel
Email: info@vertifile.com
Website: vertifile.com

Custom DPA: Enterprise and regulated-industry customers may require additional terms, annexes, or modifications to this standard DPA. Vertifile is prepared to negotiate and execute custom data processing agreements that address specific compliance requirements. Please contact info@vertifile.com to initiate the process.