> Effective July 8, 2026

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between VerifiedDR ("Processor", "we") and the customer accepting our Terms of Service ("Controller", "you") whenever you use VerifiedDR to process personal data on behalf of your business, agency, or clients. It applies automatically to business use, no signature is required. If you need a countersigned copy, email contact@verifieddr.com.

1. Subject Matter And Duration

We process personal data to provide the VerifiedDR service: domain authority monitoring, reports, alerts, partnerships, and the API, for the duration of your use of the service, plus the deletion window described in section 7.

2. Nature And Purpose Of Processing

Hosting, storage, transmission, analysis, and display of the data you submit to the service; sending the emails and webhook notifications you configure; and processing payments.

3. Categories Of Data And Data Subjects

Data subjects: your team members who hold accounts, and contacts whose details you submit (for example partnership recipients). Data categories: names, email addresses, account identifiers, OAuth tokens for integrations you connect, usage data, billing records, and the content of messages you send through the service. Domain metrics (DR, TrueDR, backlinks, traffic) relate to websites, not identified persons.

4. Our Obligations

We process personal data only on your documented instructions (the service configuration and our agreement), ensure persons authorized to process it are bound by confidentiality, and assist you, insofar as possible, with data subject requests and your obligations under GDPR Articles 32–36. We notify you without undue delay after becoming aware of a personal data breach affecting your data.

5. Security

Technical and organizational measures include encryption in transit (TLS) for all traffic, encryption at rest with our infrastructure providers, role-gated admin access, hashed credentials, scoped API tokens, per-route rate limiting, and rolling encrypted backups. Payment card data is handled entirely by Stripe and never touches our systems.

6. Subprocessors

You authorize the subprocessors listed on our subprocessors page. We impose data protection obligations on each subprocessor equivalent to this DPA and remain liable for their performance. We update that page before adding or replacing a subprocessor; you may object on reasonable data protection grounds by email, and if we cannot resolve the objection you may terminate the affected service.

7. Deletion And Return

You can export your data at any time from settings (JSON) and delete your account there too, which erases personal data from production immediately and from rolling backups within weeks. Records we must keep under law (payment records held by Stripe) are retained for the statutory period only.

8. International Transfers

Where a subprocessor processes personal data outside the EEA, the transfer is covered by the EU-U.S. Data Privacy Framework or the European Commission's Standard Contractual Clauses, as noted per vendor on the subprocessors page. To the extent a transfer from you to us requires them, the SCCs (Module 2, Controller to Processor) are incorporated into this DPA by reference.

9. Audit

We make available the information reasonably necessary to demonstrate compliance with this DPA, this page, our privacy policy, and security documentation on request to contact@verifieddr.com.