Data Processing Agreement
Effective Date: January 2026
1. Parties and Background
This Data Processing Agreement ("DPA") is entered into between:
Verkh, LLC ("Processor" or "Verkh"), a California limited liability company with its principal place of business at 4674 36th St, San Diego, CA 92116
and
Customer ("Controller" or "Customer"), the entity that has agreed to the Verkh Terms of Service.
This DPA supplements and forms part of the Terms of Service ("Agreement") between Verkh and Customer for the provision of DMARC email authentication monitoring and remediation services ("Services").
2. Definitions
In this DPA, the following terms have the meanings set forth below:
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Verkh on behalf of Customer in connection with the Services.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other applicable data protection legislation.
- "Sub-processor" means any third party engaged by Verkh to process Personal Data on behalf of Customer.
- "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
3. Scope and Nature of Processing
3.1 Categories of Personal Data
Verkh processes the following categories of Personal Data:
- Email addresses (for user accounts and DMARC report recipients)
- IP addresses (from DMARC aggregate reports)
- Domain names and DNS records
- User account information (name, organization)
- Usage data and analytics
3.2 Purpose of Processing
Verkh processes Personal Data solely for:
- Providing DMARC monitoring and reporting services
- Analyzing email authentication data to identify issues
- Generating remediation recommendations
- Creating shareable dashboards (Apex links) for vendor coordination
- Sending service notifications and alerts
- Account management and billing
3.3 Data Location
Personal Data is stored and processed in the United States, specifically in the US West region using Cloudflare's infrastructure. Verkh provides services globally but maintains primary data storage within the United States.
4. Data Retention
Verkh retains Personal Data in accordance with Customer's subscription tier:
| Subscription Tier | Granular Data | Aggregated Data |
|---|---|---|
| Free | N/A | 30 days |
| Starter | 30 days | 12 months |
| Pro | 90 days | 24 months |
| Enterprise | 12 months | Unlimited |
| Enterprise+ | Unlimited | Unlimited |
Upon termination of the Agreement, Verkh will delete Customer's Personal Data within 30 days, unless longer retention is required by law or requested by Customer for data export purposes.
5. Processor Obligations
Verkh agrees to:
- Process Personal Data only on documented instructions from Customer, unless required by applicable law
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational measures to ensure security of processing
- Assist Customer in responding to data subject requests
- Assist Customer in ensuring compliance with security, breach notification, and data protection impact assessment obligations
- Delete or return all Personal Data upon termination, at Customer's choice
- Make available information necessary to demonstrate compliance with this DPA
- Assist the Controller, upon request, with conducting data protection impact assessments and with prior consultation of the relevant supervisory authority where required under Data Protection Laws
- Not process Personal Data for its own purposes or for the benefit of any third party, nor combine Customer's Personal Data with other datasets it controls
6. Sub-processors
Customer authorizes Verkh to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure, compute, storage, CDN | United States |
| Stripe, Inc. | Payment processing | United States |
| Resend, Inc. | Transactional email delivery | United States |
| IPInfo, Inc. | IP geolocation and enrichment | United States |
| Google LLC | OAuth authentication, Analytics (GA4) | United States |
| GitHub, Inc. | OAuth authentication | United States |
Verkh will notify Customer of any intended changes to Sub-processors, giving Customer the opportunity to object. Verkh will ensure that all Sub-processors are bound by data protection obligations no less protective than those in this DPA.
7. Security Measures
Verkh implements appropriate technical and organizational measures to protect Personal Data, including:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest
- Access Controls: Role-based access with OAuth 2.0 authentication
- Infrastructure Security: Cloudflare edge infrastructure with DDoS protection
- Audit Logging: Comprehensive logging of access and changes
- Rate Limiting: API rate limiting to prevent abuse
- Secure Development: Secure coding practices and regular security reviews
8. Data Subject Rights
Verkh will assist Customer in fulfilling data subject requests under applicable Data Protection Laws. This includes requests for:
- Access to Personal Data
- Correction of inaccurate Personal Data
- Deletion of Personal Data ("right to be forgotten")
- Data portability
- Restriction of processing
- Objection to processing
Customer is responsible for responding to data subject requests. Verkh will notify Customer promptly of any requests received directly.
9. Security Incidents
In the event of a Security Incident affecting Customer's Personal Data, Verkh will:
- Notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of the incident
- Provide sufficient information to enable Customer to meet any obligations under Data Protection Laws
- Take reasonable steps to mitigate the effects and minimize harm
- Cooperate with Customer in investigating and remediating the incident
10. International Data Transfers
Personal Data may be transferred to and processed in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, Verkh relies on the EU-U.S. Data Privacy Framework and, where applicable, the Standard Contractual Clauses (SCCs) adopted by the European Commission.
The parties agree that the SCCs are hereby incorporated by reference and shall apply to any transfer of Personal Data from the EEA to the United States. For purposes of the SCCs:
- Customer is the "data exporter"
- Verkh is the "data importer"
- Module Two (Controller to Processor) shall apply
11. Audits and Compliance
Verkh will make available to Customer, upon request, information necessary to demonstrate compliance with this DPA. Verkh will allow for and contribute to audits and inspections conducted by Customer or an auditor mandated by Customer, subject to reasonable advance notice and confidentiality requirements.
Customer may request a copy of relevant third-party certifications or audit reports held by Verkh.
12. Liability and Indemnity
Verkh acknowledges that it is a data processor under Applicable Data Protection Laws and agrees to be liable for its own breaches of this DPA and applicable data processing laws. Except as dictated by law, each party's overall liability under this DPA is subject to the limitations and exclusions set forth in the Master Services Agreement.
Verkh shall indemnify, defend, and hold harmless the Controller against any third-party claims, damages, losses, liabilities, penalties, and expenses (including reasonable legal fees) arising out of or relating to (i) any breach by the Processor of its obligations under this DPA; (ii) any processing outside the scope of the Controller's instructions; and (iii) or any unauthorized disclosure, access, or misuse of Personal Data by Verkh or its authorized Sub-processors. This indemnity is subject to the limitations and exclusions set forth in the Master Services Agreement, except to the extent that such limitations would conflict with obligations under applicable Data Protection Law.
13. General Provisions
13.1 Governing Law
This DPA shall be governed by the laws of the State of California, without regard to conflict of law principles.
13.2 Order of Precedence
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
13.3 Term
This DPA shall remain in effect for as long as Verkh processes Personal Data on behalf of Customer.
13.4 Amendments
Verkh may update this DPA from time to time to reflect changes in legal requirements or our processing activities. Material changes will be communicated to Customer with reasonable advance notice.
13.5 Severability
If any part of this DPA is found invalid or unenforceable, the rest of the DPA will still apply. The invalid part will be replaced with something as close as possible to the original meaning and purpose.
13.6 Survival
The obligations in Sections 2 (Definitions), 5 (Processor Obligations), 7 (Security Measures), 9 (Security Incidents), 10 (International Data Transfers), 11 (Audits and Compliance), Section 12 (Liability and Indemnity) and this Section 13.6 will survive termination of this DPA and the Agreement for as long as Verkh holds or processes any Personal Data.
13.7 Entire Agreement
This DPA, together with the Master Services Agreement, is the complete agreement between the parties about data processing. It replaces any earlier discussions or agreements on this topic. If this DPA and the Agreement conflict on data protection issues, this DPA controls.
14. Contact Information
For questions regarding this DPA or to exercise any rights hereunder, please contact:
Verkh, LLC
4674 36th St
San Diego, CA 92116
Email: [email protected]
