Data Protection

How VeriPlus collects, processes, stores, and protects customer data in compliance with global privacy regulations.

VeriPlus implements comprehensive data protection measures to safeguard personal information and comply with global privacy regulations.

Data Collection

What We Collect

Identity Verification:

  • Full name
  • Date of birth
  • Nationality
  • Government ID document images
  • Selfie/biometric images
  • Residential address (optional)
  • Email and phone (optional)

AML Screening:

  • Name
  • Date of birth
  • Country of residence

KYT Crypto:

  • Wallet addresses
  • Blockchain network

Account Management:

  • Organization name
  • Contact information
  • Billing details (via Stripe)

Technical Data:

  • IP address
  • User agent (browser/device)
  • API request logs
  • Session data

What We DON'T Collect

  • Social Security Numbers
  • Credit card numbers (handled by Stripe)
  • Health information
  • Biometric templates (selfie images are stored as images; no derived face template or feature vector is retained)
  • Political opinions
  • Religious beliefs

Data Minimization

We collect only the minimum data necessary for identity verification and compliance. No unnecessary personal information is requested or stored.
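One way to enforce this minimisation rule on the client side, before a request ever reaches VeriPlus, is to allow-list the fields listed under "What We Collect" and withhold values that look like data from the "What We DON'T Collect" list. The following is an added example, not VeriPlus code: firstName and email appear in this page's PATCH example, but the other JSON field names (lastName, dateOfBirth, documentImages, selfieImage, address, phone) are assumptions, and the SSN/card-number screen is a coarse pattern check, not a complete classifier.

```python
import re

# Allow-list derived from the "What We Collect" list for identity verification.
# JSON key names are assumptions (the page only shows firstName and email).
REQUIRED_FIELDS = {"firstName", "lastName", "dateOfBirth", "nationality",
                   "documentImages", "selfieImage"}
OPTIONAL_FIELDS = {"address", "email", "phone"}
ALLOWED_FIELDS = REQUIRED_FIELDS | OPTIONAL_FIELDS

# Coarse screens for data on the "What We DON'T Collect" list.
# US SSN: AAA-GG-SSSS with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Kinds of disallowed data found in a string value."""
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            findings.append("card_number")
            break
    return findings


def minimise_payload(payload: dict) -> tuple[dict, list[str]]:
    """Return (payload to send, problems). Unknown fields are dropped, fields
    containing SSN/card data are withheld, and missing required fields are
    reported, so the caller can refuse to submit when problems is non-empty."""
    clean, problems = {}, []
    for key, value in payload.items():
        if key not in ALLOWED_FIELDS:
            problems.append(f"dropped unexpected field: {key}")
            continue
        hits = find_sensitive(value) if isinstance(value, str) else []
        if hits:
            problems.append(f"{hits[0]} found in field {key}; withheld")
            continue
        clean[key] = value
    for key in sorted(REQUIRED_FIELDS - payload.keys()):
        problems.append(f"missing required field: {key}")
    return clean, problems


if __name__ == "__main__":
    # Constructed sample submission that smuggles an SSN and a card number.
    body, issues = minimise_payload({
        "firstName": "Jane", "lastName": "Doe", "dateOfBirth": "1990-01-01",
        "nationality": "GB", "documentImages": ["front.jpg"],
        "selfieImage": "selfie.jpg", "ssn": "123-45-6789",
        "address": "Pay with 4111 1111 1111 1111",
    })
    print(sorted(body), issues)
```

A 13-19 digit phone number passes the Luhn check roughly one time in ten, so treat a card_number hit as a prompt to review the field, not as proof; the SSN pattern is US-specific and would need equivalents for other national identifiers you must not forward.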

Lawful Basis for Processing

VeriPlus processes personal data under these lawful bases:

Purpose               | Lawful Basis
Identity Verification | Legitimate interest (fraud prevention)
AML Screening         | Legal obligation (AML regulations)
Account Management    | Contract performance
Payment Processing    | Contract performance
Marketing             | Consent (opt-in only)

Data Processing

Data Processor Role

VeriPlus acts as:

  • Data Processor when you use our API (you are the Controller)
  • Data Controller for your organisation's account data

Sub-Processors

We use these sub-processors:

Sub-Processor | Purpose               | Location     | Safeguards
AWS           | Cloud infrastructure  | EU (Ireland) | DPA, SCCs
Dataspike     | Document verification | EU (Ireland) | DPA
Stripe        | Payment processing    | US           | DPA, SCCs, PCI DSS
Resend        | Transactional emails  | US           | DPA

Data Processing Agreements (DPAs) are in place with all sub-processors.

Data Transfers

Intra-EU Transfers: No additional safeguards required

EU to US Transfers: Standard Contractual Clauses (SCCs)

Adequacy Decisions: We use providers in adequacy-recognised countries where possible

Data Storage

Storage Location

Primary Storage:

  • EU customers: EU-West-1 (Ireland)
  • UK customers: EU-West-1 (Ireland) or UK (London) upon request
  • US customers: US-East-1 (Virginia) upon request

Backup Storage: Secondary EU region (Frankfurt)

Storage Duration

Data Type             | Retention Period       | Justification
Verification Records  | 5 years                | AML/KYC regulations
AML Screening Results | 5 years                | Legal requirement
KYT Checks            | 5 years                | Compliance
Audit Logs            | 12 months              | Security and accountability
API Logs              | 30 days                | Debugging
Account Data          | Until deletion request | Service provision

After Retention Period: Data is automatically deleted

Data Deletion

Automatic Deletion:

// Temporary files
expiresAt: 24 hours after creation
 
// Upload URLs
expiresAt: 1 hour after generation
 
// Archived applicants
deletedAt: 5 years after last verification

Manual Deletion:

// Via API
DELETE /api/v3/applicants/:id
 
// Via Dashboard
Settings → Data Management → Delete Applicant

Permanent Deletion: Data overwritten (not just flagged)

Data Security

Encryption

At Rest: AES-256 encryption for all stored data

In Transit: TLS 1.3 for all API communication

Database: Encrypted fields for sensitive data

Access Controls

Who Can Access:

  • Your organisation's authorised users
  • VeriPlus support (with customer consent)
  • Regulators (with legal obligation)

Not Accessible By:

  • Other VeriPlus customers
  • Third-party marketers
  • Unauthorised employees

Access Logging: All access attempts are logged

Backup Security

Encrypted Backups: All backups encrypted at rest

Access Controls: Restricted to the senior engineering team

Testing: Monthly backup restoration tests

Data Subject Rights

Right to Access (Subject Access Request)

How to Request:

  1. Email: [email protected]
  2. Subject: "Subject Access Request"
  3. Provide: Name, email, organisation

Response Time: 30 days

Provided Data:

  • Copy of all personal data we hold
  • Purpose of processing
  • Categories of data
  • Recipients of data
  • Retention period

Right to Rectification

Correct Inaccurate Data:

PATCH /api/v3/applicants/:id
 
{
  "firstName": "Corrected Name",
  "email": "[email protected]"
}

Response Time: Immediate via API, or 30 days via email request

Right to Erasure ("Right to be Forgotten")

When Applicable:

  • Data no longer necessary
  • You withdraw consent
  • Data processed unlawfully
  • Legal obligation to delete

When NOT Applicable:

  • Legal obligation to retain (5-year AML/KYC requirement)
  • Ongoing legal claim

How to Request:

DELETE /api/v3/applicants/:id
 
// Or email [email protected]

Response Time: 30 days

Effect: All personal data permanently deleted (except legally required retention)
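The retention schedule and automatic deletion rules above, together with the erasure exceptions just listed, combine into one decision procedure. The following is an added example, not VeriPlus's own code: the periods are those from the Storage Duration table on this page, while the record type names, the Record dataclass and the legal_hold flag (an ongoing legal claim) are assumptions. Five-year periods are approximated as 5 × 365 days; a production implementation should anchor them to the regulator's calendar rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period per record type, from the Storage Duration table above.
# Type names are assumptions; 5 years is approximated as 5 * 365 days.
RETENTION = {
    "verification": timedelta(days=5 * 365),
    "aml_screening": timedelta(days=5 * 365),
    "kyt_check": timedelta(days=5 * 365),
    "audit_log": timedelta(days=365),
    "api_log": timedelta(days=30),
}

# Types kept under a legal obligation (AML/KYC). An erasure request cannot
# shorten these; audit and API logs are kept for security/debugging only.
LEGALLY_REQUIRED = {"verification", "aml_screening", "kyt_check"}


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp; retention maths must never use naive times."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Record:
    record_id: str
    record_type: str
    last_event: datetime       # last verification, screening, check or log write
    legal_hold: bool = False   # assumed flag: an ongoing legal claim


def retention_deadline(rec: Record) -> datetime:
    return rec.last_event + RETENTION[rec.record_type]


def purge_due(records: list[Record], now: datetime) -> list[str]:
    """IDs the automatic sweep should permanently delete at `now`:
    retention elapsed and no legal hold."""
    return [r.record_id for r in records
            if retention_deadline(r) <= now and not r.legal_hold]


def erasure_decision(rec: Record, now: datetime) -> str:
    """Outcome of a right-to-erasure request for one record, applying the
    'When NOT Applicable' exceptions before deleting anything."""
    if rec.legal_hold:
        return "refuse: ongoing legal claim"
    deadline = retention_deadline(rec)
    if rec.record_type in LEGALLY_REQUIRED and deadline > now:
        return f"retain until {deadline.date().isoformat()} (AML/KYC obligation)"
    return "delete"


if __name__ == "__main__":
    now = utc(2026, 1, 1)
    sample = [  # constructed sample records
        Record("app_a", "verification", utc(2020, 6, 1)),
        Record("app_b", "verification", utc(2024, 1, 1)),
        Record("app_c", "verification", utc(2019, 1, 1), legal_hold=True),
        Record("log_1", "api_log", utc(2025, 11, 1)),
    ]
    print("purge:", purge_due(sample, now))
    for rec in sample:
        print(rec.record_id, "->", erasure_decision(rec, now))
```

The important property is that the erasure path and the automatic sweep share the same deadline and legal-hold logic, so a DELETE request can never remove a record the sweep would still have to keep; the reply to the data subject then states the retention deadline rather than a bare refusal.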

Right to Restriction

Restrict Processing:

  • While accuracy is verified
  • Processing is unlawful
  • During legal claim

How to Request: Email [email protected]

Effect: Data stored but not processed (except with consent)

Right to Data Portability

Export Your Data:

GET /api/v3/applicants?export=json
 
// Returns all applicants in machine-readable JSON

Formats Available:

  • JSON
  • CSV
  • PDF (for human-readable reports)

Scope: All data you've submitted to VeriPlus

Right to Object

Object to Processing:

  • For marketing (automatic opt-out)
  • For legitimate interest (requires justification)

How to Object: Email [email protected]

Effect: Processing stopped (unless compelling legitimate grounds)

Automated Decisions:

  • Document authenticity check (AI)
  • Face matching (AI)
  • Risk scoring (ML)

Your Rights:

  • Explanation of logic involved
  • Right to human review
  • Right to challenge decision

How to Exercise: Request manual review via dashboard or email

Data Breach Notification

Breach Response Plan

Detection: 24/7 security monitoring

Assessment: Within 24 hours of detection

Notification to Authorities and Customers:

  • DPA (Data Protection Authority): Within 72 hours of becoming aware of the breach (GDPR Art. 33)
  • Customers (as Controllers): Without undue delay

Notification to Data Subjects:

  • If high risk: Direct notification
  • Via email and dashboard alert

What We'll Tell You

  • Nature of the breach
  • Categories and approximate number of records affected
  • Likely consequences
  • Measures taken to mitigate
  • Contact point for more information

Your Obligations

If you are the Data Controller:

  • You may need to notify your customers
  • You may need to notify your DPA
  • We'll provide necessary information

Privacy by Design

Pseudonymization

Applicant IDs are randomly generated:

app_1234567890abcdef  // Not sequential, not predictable

Benefit: An applicant ID on its own reveals nothing about the person, and because IDs are not sequential an attacker who learns one cannot enumerate others
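What "not sequential, not predictable" requires in practice is a CSPRNG-backed generator, a strict format check on IDs taken from untrusted input, and a way to spot the counter-based IDs the design avoids. This is an added example, not VeriPlus code: the app_ + 16 hex character shape is taken from the sample above, while the generator, the validator and the looks_sequential audit check are assumptions about how such IDs could be produced and reviewed.

```python
import re
import secrets

# Shape of the identifier shown above: "app_" followed by 16 lowercase hex chars.
ID_RE = re.compile(r"app_[0-9a-f]{16}")
HEX_CHARS = 16


def new_applicant_id() -> str:
    """Fresh ID from the OS CSPRNG (8 bytes = 64 bits). Never derive it from a
    database counter, a timestamp or random.random(), all of which are guessable."""
    return "app_" + secrets.token_hex(HEX_CHARS // 2)


def is_valid_applicant_id(value: str) -> bool:
    """Format check for untrusted input (URL path, query string) before lookup."""
    return ID_RE.fullmatch(value) is not None


def id_entropy_bits(value: str) -> int:
    """Bits of randomness a well-formed ID can carry: 4 per hex character."""
    return 4 * len(value.removeprefix("app_"))


def looks_sequential(ids: list[str]) -> bool:
    """Audit check: True when a batch of IDs forms an arithmetic progression,
    the signature of a counter-based scheme an attacker could enumerate."""
    if len(ids) < 3 or not all(is_valid_applicant_id(i) for i in ids):
        return False
    nums = [int(i.removeprefix("app_"), 16) for i in ids]
    step = nums[1] - nums[0]
    return step != 0 and all(b - a == step for a, b in zip(nums, nums[1:]))


if __name__ == "__main__":
    print(new_applicant_id(), id_entropy_bits(new_applicant_id()), "bits")
    # Constructed counter-style IDs: the pattern the random scheme avoids.
    print(looks_sequential(["app_00000000000003e8",
                            "app_00000000000003e9",
                            "app_00000000000003ea"]))
```

Sixty-four bits of randomness means an attacker probing DELETE or GET /api/v3/applicants/:id with guessed IDs faces on the order of 2^64 candidates per hit, but the ID is still not a secret: authorisation must check that the caller's organisation owns the applicant, which is what the segregation rules below provide.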

Data Minimization

Only Necessary Data Collected:

  • Name, DOB required for verification
  • Address optional (unless needed for AML)
  • Phone optional

Auto-Deletion: Data deleted when no longer needed

Segregation

Data Segregated:

  • Each organisation's data isolated
  • No cross-organisation access
  • Separate encryption keys

Cookies and Tracking

Cookies We Use

Cookie      | Type       | Purpose          | Duration
session     | Essential  | Authentication   | Session
csrf_token  | Essential  | CSRF protection  | Session
preferences | Functional | User settings    | 1 year
analytics   | Analytics  | Usage statistics | 1 year (opt-in)

No Marketing Cookies: We don't use advertising or tracking cookies

// Manage cookie preferences
Settings → Privacy → Cookie Preferences
 
// Opt out of analytics
Settings → Privacy → Analytics: Off

Children's Privacy

Age Requirement: 18+ for creating accounts

Identity Verification of Minors:

  • Allowed for compliance purposes
  • Parental consent required (where applicable)
  • No marketing to minors

Data Protection Officer (DPO)

Contact:

Responsibilities:

  • Ensure GDPR compliance
  • Handle data subject requests
  • Advise on data protection impact assessments
  • Cooperate with supervisory authorities

Supervisory Authority

EU: Your local Data Protection Authority

UK: Information Commissioner's Office (ICO)

Right to Complain: You can lodge a complaint with your supervisory authority if you believe your data protection rights have been violated.

Data Protection Impact Assessment (DPIA)

VeriPlus conducts DPIAs for:

  • New processing activities
  • Changes to existing processing
  • High-risk processing

Last DPIA: [Date]

Findings: Available upon request

Transparency

Privacy Policy: veriplus.co.uk/privacy

Data Processing Agreement: veriplus.co.uk/dpa

Subprocessor List: veriplus.co.uk/subprocessors

Updates: You'll be notified of material changes

Best Practices for Customers

  1. Be Transparent: Inform your customers you use VeriPlus
  2. Update Privacy Policy: Mention VeriPlus as data processor
  3. Get Consent: Where required for your processing
  4. Honor Rights: Facilitate data subject rights requests
  5. Minimise Data: Only send data required for verification
  6. Delete Data: Delete verification data when no longer needed
  7. Secure API Keys: Protect keys as you would passwords
  8. Monitor Access: Review who in your organisation has access
