Data Processing Addendum

Where we process personal data on behalf of a customer (the controller), Verisoar — a trading name of Viral Reach Ltd — acts as processor under GDPR Art. 28. This addendum forms part of the agreement between us and sets out the parties' data-protection obligations.

Subject matter & duration

Age and identity verification for the duration of the customer's subscription.

Nature & purpose

One-time biometric comparison and document validation to produce an over-threshold age decision.

Categories of data & data subjects

  • Data subjects: the customer's end users who undergo verification.
  • Special-category biometric data (transient, not stored).
  • Document-derived date of birth (used to compute the result, not stored as raw DOB by default).
  • Pseudonymous identifiers: customer-supplied subject reference, salted IP hash.

Our obligations as processor

  • Documented instructions. We process personal data only on the controller's documented instructions, including for international transfers, unless required otherwise by law (in which case we notify you, where legally permitted).
  • Confidentiality. Personnel authorised to process the data are bound by confidentiality obligations.
  • Security. We implement the technical and organisational measures described below (GDPR Art. 32).
  • Assistance with data-subject rights. We provide tooling (access and erasure by subject reference) and reasonable assistance so you can respond to data-subject requests.
  • Breach notification. We notify you without undue delay after becoming aware of a personal-data breach, with the information you need to meet your Art. 33/34 obligations.
  • DPIA support. We assist with your data-protection impact assessments and prior consultations, taking into account the nature of processing and information available to us.
  • Return or deletion. At the end of the services, we delete or return personal data at your choice, save where storage is required by law. Verification media is never stored; minimal records are deleted on request or at the end of the retention period.
  • Audits. We make available the information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by you or your appointed auditor.

Sub-processors

You authorise us to engage the sub-processors below. We flow down equivalent data-protection obligations to each and remain liable for their performance, and we will give notice of intended changes so you can object.

  • Vercel Inc. (application hosting) — stores only the minimal result record, never verification media. Governed by the Vercel Data Processing Addendum.
  • Neon Inc. (managed Postgres database) — stores only the minimal result record, never verification media. Governed by the Neon Data Processing Addendum.
  • Stripe (billing only — never receives verification data).
  • RunPod, Inc. (EU/EEA data centres, stateless GPU compute): facial age estimation — live frames are analysed by our own age-estimation worker (MiVOLO) in memory and are not stored or used to train any model. The endpoint is pinned to EU/EEA data centres. RunPod's processing is governed by the RunPod Data Processing Agreement (which incorporates the EU Standard Contractual Clauses).
  • Amazon Web Services (EU region — Ireland, stateless): Rekognition for the 1:1 face match; Amazon Nova (Bedrock) plus Textract (DetectDocumentText, AnalyzeID, AnalyzeDocument) for document field extraction. All run in-region within AWS (no third-party model processing); images are processed in-memory and not stored. AWS's processing is governed by the AWS GDPR Data Processing Addendum (which incorporates the EU Standard Contractual Clauses) and the AWS Service Terms, under which generative-AI inputs/outputs are not used to train models or shared (AI services opt-out). AWS's own sub-processors are listed here.

International transfers

Verification processing is pinned to AWS's EU region and RunPod's EU/EEA data centres, and both application hosting (Vercel) and the minimal-record database (Neon) are in the EU (Frankfurt). Personal data therefore stays within the EEA. Any transfer outside the UK/EEA relies on an adequacy decision or the EU/UK Standard Contractual Clauses with appropriate safeguards, as reflected in the sub-processor DPAs linked above.

Security measures

  • In-memory-only biometric processing; data minimisation by design.
  • Encryption in transit; hashed API keys and IPs; tamper-evident audit log.
  • Documented retention and automated erasure.

Impact assessment

We maintain a Data Protection Impact Assessment (DPIA) for the biometric processing carried out as part of the Service. We will assist you with your own DPIAs and prior consultations as required by GDPR Art. 35–36, and a summary of our DPIA is available on request.