This DPA forms part of the Master Service Agreement (“Agreement”) between Customer and VeracityHub (“Processor”). Capitalized terms not defined here have the meanings assigned in the Agreement.
VeracityHub acts as a Processor (GDPR) and Service Provider/Contractor (CCPA/CPRA).
Customer acts as the Controller (GDPR) or Business (CCPA/CPRA).
VeracityHub processes personal data solely for the purpose of providing identity verification, phone number validation, CNAM, OTP, data append, reverse lookup, and soft pull identity matching services to Customer.
VeracityHub will not:
Sell personal data
Share personal data for cross-context behavioral advertising
Use personal data for its own purposes
Data provided by Customer may include:
Phone numbers
Names
Addresses
Email addresses
Identity attributes
Carrier/CNAM information
Soft pull match metadata (not full credit reports)
IP addresses (metadata only)
Any personal data transmitted by Customer through API or file upload
VeracityHub does not collect personal data directly from consumers.
VeracityHub shall:
Process personal data only on documented instructions from Customer.
Restrict access to personnel bound by confidentiality.
Maintain appropriate technical and organizational security measures.
Assist Customer with data subject requests (to the extent applicable).
Notify Customer of data breaches without undue delay.
Delete or return personal data at Customer’s request, except as required by law.
Not subcontract processing without written authorization.
Customer authorizes VeracityHub to engage subprocessors for:
Identity verification
CNAM/carrier lookup
Mobile OTP delivery
Soft pull identity matching
Cloud hosting
Logging and security
VeracityHub shall maintain written contracts with subprocessors imposing equivalent protections.
VeracityHub shall implement:
TLS encryption
Access controls & credential security
Network segmentation
Intrusion detection
Logging & auditing
Vendor security reviews
Secure key management
VeracityHub will assist Customer with:
Access
Rectification
Deletion
Restriction
Objection
VeracityHub does not respond to consumer requests directly because it does not have a relationship with end users.
When transferring data internationally, VeracityHub shall:
Use Standard Contractual Clauses
Provide appropriate safeguards
Maintain audit records
At termination, VeracityHub will:
Delete personal data from systems and short-term logs
Retain only what is legally required
Liability is governed by the Agreement.
This DPA lasts as long as VeracityHub processes data for Customer.