The DPA forms part of your agreement with Veracly. Where you are the controller and we are the processor, this document sets out the contractual terms required by GDPR and other applicable data protection laws.
- 01 Parties and roles
Customer is the controller; RR Sols Pty Ltd (Veracly) is the processor. Roles can shift for specific processing activities — set out per activity.
- 02 EU and UK GDPR representatives
RR Sols Pty Ltd has appointed Prighter EU Rep GmbH (Schellinggasse 3/10, 1010 Vienna, Austria) as its representative under Article 27 GDPR, and Prighter Ltd (20 Mortlake High Street, London, SW14 8JN, United Kingdom) as its representative under Article 27 UK GDPR. Data subject requests may also be submitted via https://app.prighter.com/portal/11399422438 (reference ID-11399422438).
- 03 Subject matter and duration
This DPA applies to personal data that Veracly processes on the Customer's behalf in connection with the Veracly scanning and reporting service. The personal data processed includes: (a) personal data contained in or reasonably derivable from the publicly accessible web pages that the Customer designates for scanning; (b) the email address of the individual who initiates each scan; and (c) any personal data the Customer uploads or provides in connection with the service. Categories of data subjects: website visitors whose data is captured by client-side trackers on the scanned pages; the Customer's authorised users. Duration: processing continues for as long as the Customer has an active account and for up to 12 months after the last scan, after which scan data and associated personal data are deleted per the retention schedule.
- 04 Scope and instructions
Veracly processes personal data solely on documented instructions from the Customer, as set out in the service agreement and this DPA. Veracly will not process personal data for any purpose other than providing the service — including for Veracly's own commercial purposes. If Veracly is required by law to process personal data for another purpose, it will inform the Customer unless prohibited by law. Veracly will immediately notify the Customer if, in Veracly's opinion, an instruction would infringe GDPR or other applicable data protection law.
- 05 Subprocessors
Veracly has the Customer's general authorisation to engage subprocessors. The current list of authorised subprocessors is published at veracly.app/subprocessors. Veracly will notify the Customer at least 14 days before engaging a new subprocessor (unless shorter notice is required to address an emergency security issue). The Customer may object to a new subprocessor within 10 days of notice; Veracly will work in good faith to address the objection, but if no alternative can be found, either party may terminate the service without penalty. Veracly enters into written data processing agreements with each subprocessor on terms at least as protective as this DPA.
- 06 Technical and organisational measures
Veracly implements and maintains appropriate technical and organisational measures (TOMs) to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures include: encryption of personal data in transit (TLS 1.2+) and at rest (AES-256); role-based access controls with the principle of least privilege; audit logging of access to personal data; multi-factor authentication for all staff accessing production systems; and a formal incident response procedure. A detailed Annex II (Technical and Organisational Measures) is available on request by emailing legal@veracly.app. Veracly reviews and updates these measures at least annually and on any material change.
- 07 Data subject rights
When Veracly receives a request from a data subject exercising their rights (access, rectification, erasure, restriction, portability, or objection), Veracly will forward the request to the Customer within 5 business days. Veracly will assist the Customer by providing available information and, where technically feasible, by fulfilling deletion or export requests for personal data Veracly holds on the Customer's behalf. Veracly will not respond directly to data subjects on the Customer's behalf without the Customer's prior written consent, except as required by law.
- 08 Personal data breaches
Veracly will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer data. The notification will include: (a) the nature of the breach, categories and approximate number of data subjects and records concerned; (b) likely consequences; and (c) measures taken or proposed to address the breach. Veracly will cooperate with the Customer and provide further information as it becomes available. The Customer is responsible for notifying the relevant supervisory authority and data subjects where required by applicable law.
- 09 International data transfers
Personal data is stored in the European Union (Frankfurt) for EU/EEA customers and in the United States (Virginia) for US customers. Where Veracly transfers personal data to a country outside the EEA or UK that does not benefit from an adequacy decision, the transfer is subject to Standard Contractual Clauses (SCCs) in the form approved by the European Commission (2021/914) or the UK International Data Transfer Agreement (IDTA), as applicable. Copies of applicable SCCs or IDTAs are available on request. Veracly conducts a transfer impact assessment before transferring personal data to high-risk destinations.
- 10 Audits and inspections
Upon the Customer's written request (no more than once per 12-month period, and with at least 30 days' notice unless a material breach is reasonably suspected), Veracly will provide the Customer or its appointed auditor with access to information necessary to demonstrate compliance with this DPA. Veracly may satisfy this obligation by providing current third-party audit reports (SOC 2, ISO 27001, or equivalent) where available. Any on-site audit will be conducted during normal business hours, subject to confidentiality obligations, and at the Customer's cost.
- 11 Termination and data return
On termination or expiry of the service agreement, Veracly will, at the Customer's election, delete or return all personal data processed on the Customer's behalf, within 30 days of the Customer's written request, unless applicable law requires continued retention. Veracly will certify in writing that deletion has been completed. After the 12-month retention period described in the Privacy Policy, personal data remaining in Veracly's systems will be automatically deleted.