Data Processing Addendum
Last updated: July 14, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between the business customer (“Customer”) and Verrim LLC, an Arizona limited liability company (“Verrim”), for the Service, and applies when Verrim processes personal information contained in Customer’s uploaded certificates and related records (“Customer Data”) on Customer’s behalf. It is published here so security and legal reviews can answer their data questions without a request first. A countersigned copy is available at hello@verrim.com.
Roles
Customer is the controller (or “business” under the California Consumer Privacy Act) of Customer Data. Verrim is the processor (“service provider”): we process Customer Data only to provide, secure, and support the Service, and we do not sell it or use it for advertising. Verrim does not combine Customer Data with information from other sources except as needed to provide the Service, will notify Customer if it determines it can no longer meet its obligations under this DPA or applicable privacy law, and Customer may take reasonable steps to stop and remediate any unauthorized use of Customer Data.
Scope of processing
Processing covers storing certificate documents, reading and extracting their fields (including with AI-assisted tools), verifying permit numbers against state sources where supported, sending certificate requests and reminders at Customer’s direction, producing reports and audit trails, and matching ecommerce orders from Customer’s connected store against certificates. The data subjects are Customer’s business customers, their representatives, and Customer’s buyers; the data can include names, business addresses, tax and exemption identification numbers, and signatures.
Subprocessors
Verrim uses vetted subprocessors to run the Service: cloud hosting and storage, database infrastructure, AI document processing, transactional email delivery, payment processing, and product analytics. Each is bound by terms that limit its use of Customer Data to providing its service to us, and we do not allow our AI providers to use Customer Data to train their models. Our current subprocessor list is published at verrim.com/legal/subprocessors, and we will give notice before material changes.
Security measures
Data is encrypted in transit and at rest. Access is controlled through per-tenant authorization rules (row-level security), role-based access inside Customer’s workspace, optional two-step verification at sign-in, and audit logging of workspace activity. Integration credentials, such as store access tokens, are stored encrypted.
Assistance with requests
Taking into account the nature of the Service, Verrim will reasonably assist Customer in responding to data subject requests (access, correction, deletion, export), and will forward any request we receive directly to Customer rather than answering it ourselves.
Breach notification
If Verrim becomes aware of a breach affecting Customer Data, we will notify Customer without undue delay with the information we have, and keep Customer updated as we learn more.
Deletion and return
Items Customer deletes in the Service remain in Trash for 30 days for recovery, then are permanently removed along with their stored files. On termination, Verrim deletes or de-identifies Customer Data on the same schedule, except where the law requires longer retention. Customer can export certificates and records before closing the account.
Location
The Service is operated from the United States and Customer Data is hosted in the United States. Verrim serves US businesses and does not target data subjects outside the US.
Term
This DPA applies for as long as Verrim processes Customer Data and ends when that processing ends.
Contact
hello@verrim.com.
History
- July 6, 2026 — First published.
- July 11, 2026 — Subprocessor list published and linked.
- July 14, 2026 — Processor entity named following formation: Verrim LLC, an Arizona limited liability company.