Data Processing Addendum
Last updated July 15, 2026. This page summarizes how Credorz processes customer personal data as a processor. Enterprise customers can execute the full Data Processing Addendum — contact us.
1. Purpose of this page
This is an overview of our data-processing posture for customers. It is not itself a binding DPA. Enterprise customers receive and execute the full Data Processing Addendum as part of their agreement; contact enterprise@credorz.com to start that process.
2. Roles
When you use Credorz under an enterprise agreement, the roles are typically as follows:
- Controller (you)
- You determine the purposes and means of processing your end-users' personal data — for example, the representatives, directors, and beneficial owners you submit for verification.
- Processor (Credorz)
- Credorz processes that data on your documented instructions, to run verification, issue Passports, and secure the platform.
3. Categories of data processed
As a processor, Credorz processes the following categories on your behalf:
- Identity data — names, contact details, and roles of representatives and directors.
- Ownership & UBO data — shareholder structures and beneficial-ownership calculations.
- Verification documents — licenses, certificates, KYC/KYB packages, and supporting records.
- Verification results — check outcomes, confidence scores, and AI-extraction provenance.
- Operational metadata — access logs, audit events, and session data used to secure the platform.
4. Processing purposes
We process customer personal data only to:
- Provide the verification, Vault, Passport, and Trust Index services you subscribed to.
- Secure the platform and maintain the tamper-evident audit log.
- Meet legal and regulatory obligations that apply to Credorz as a processor and verification provider.
5. Subprocessors
We engage carefully selected subprocessors for infrastructure, storage, and AI processing. Each is bound by written agreements that meet our data-protection standards.
| Category | Purpose | Location |
|---|---|---|
| Cloud infrastructure | Application hosting and compute | Google Cloud Platform |
| Relational database | Primary data store (PostgreSQL) | Managed Postgres (Supabase) |
| Object storage | Encrypted document storage (Vault) | Google Cloud Storage |
| AI processing | Document extraction and Twin Q&A | Google Gemini |
6. Security measures
Technical and organizational measures we maintain include:
- Field-level data classification governing what each viewer can read.
- Encryption of documents in object storage; file bytes never stored in the database.
- Revocable, device-labeled sessions validated on every request.
- A tamper-evident, hash-chained audit log for every sensitive action.
- Malware and file-type validation on every uploaded document.
- Row-level security as a defense-in-depth floor on tenant data.
7. International data transfers
Where personal data is transferred outside its country of origin, we rely on appropriate safeguards such as standard contractual clauses (SCCs) and adequacy mechanisms. Enterprise customers can execute SCCs as part of their DPA.
8. Data subject requests
Because Credorz acts as a processor, data subject requests are typically handled by you as the controller. We will assist you in responding to requests — including access, rectification, and erasure — and will forward or action requests where appropriate. Contact privacy@credorz.com.
9. Breach notification
In the event of a personal-data breach affecting your data, Credorz will notify you without undue delay, describe what happened and its likely impact, and cooperate with your mitigation and any required regulator notifications.
10. Deletion & return
On termination, and subject to legal retention obligations (including KYC/AML record-keeping), we will delete or return customer personal data according to your agreement. Records we are legally required to retain are kept secure and used only for compliance.
11. Audits
Enterprise customers may audit our compliance with this DPA as set out in their agreement, including through independent third-party reports we make available (such as SOC 2 / ISO 27001 where applicable).