Data Processing Agreement
Last updated: 19 April 2026
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- Controller: Customer (“you”)
- Processor: Vertapass Ltd (“we”, “us”)
2. Scope
This DPA applies to the processing of personal data by Vertapass on behalf of the Customer in connection with the Vertapass sustainability disclosure platform.
3. Definitions
- Personal Data: As defined in GDPR Article 4(1)
- Processing: As defined in GDPR Article 4(2)
- Sub-processor: Any third party engaged by Vertapass to process Personal Data
4. Processor Obligations
Vertapass shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational measures
- Assist the Controller with data subject requests
- Delete or return all Personal Data upon termination
5. Sub-processors
The table below lists our current sub-processors and the primary residency position we rely on today. Where a provider’s processing location depends on account configuration or service type, we say that explicitly rather than overstating EU residency.
| Name | Purpose | Residency notes |
|---|---|---|
| Google Cloud Platform | Infrastructure | EU (europe-west2) |
| Firebase | Authentication | United States for Firebase Authentication |
| Stripe | Payment processing | EEA and other regions depending on Stripe service and entity |
| SendGrid | Email delivery | International by default; EU-only where EU regionalisation is explicitly configured |
6. Security Measures
Encryption
- TLS 1.3 for data in transit
- AES-256 for data at rest
Access Control
- Role-based access control (RBAC)
- Multi-factor authentication
Monitoring
- Cloud Audit Logging
- Intrusion detection
Physical Security
- Google Cloud data center security and cloud-provider assurance controls
7. Data Breach Notification
We will notify you without undue delay after becoming aware of a personal data breach affecting Personal Data processed on your behalf, and will provide the information reasonably needed for your own GDPR reporting obligations.
8. Audits
You may conduct audits of our processing activities with 30 days’ written notice. Where available, we will provide relevant security documentation, including sub-processor materials and platform security information, to support reasonable diligence requests.
9. Data Subject Rights
Vertapass will assist you in fulfilling data subject requests under GDPR Chapter III, including requests for access, rectification, erasure, data portability, and objection.
10. Duration
This DPA applies for the duration of the service agreement and continues until all Personal Data has been deleted or returned.
Contact
For questions about this DPA, email privacy@vertapass.com.