Legal

Data Processing Addendum

Last updated July 15, 2026. This page summarizes how Credorz processes customer personal data as a processor. Enterprise customers can execute the full Data Processing Addendum — contact us.

1. Purpose of this page

This is an overview of our data-processing posture for customers. It is not itself a binding DPA. Enterprise customers receive and execute the full Data Processing Addendum as part of their agreement; contact enterprise@credorz.com to start that process.

To execute a full DPA, request a security questionnaire, or discuss SCCs, email enterprise@credorz.com.

2. Roles

When you use Credorz under an enterprise agreement, the roles are typically as follows:

Controller (you)
You determine the purposes and means of processing your end-users' personal data — for example, the representatives, directors, and beneficial owners you submit for verification.
Processor (Credorz)
Credorz processes that data on your documented instructions, to run verification, issue Passports, and secure the platform.

3. Categories of data processed

As a processor, Credorz processes the following categories on your behalf:

  • Identity data — names, contact details, and roles of representatives and directors.
  • Ownership & UBO data — shareholder structures and beneficial-ownership calculations.
  • Verification documents — licenses, certificates, KYC/KYB packages, and supporting records.
  • Verification results — check outcomes, confidence scores, and AI-extraction provenance.
  • Operational metadata — access logs, audit events, and session data used to secure the platform.

4. Processing purposes

We process customer personal data only to:

  1. Provide the verification, Vault, Passport, and Trust Index services you subscribed to.
  2. Secure the platform and maintain the tamper-evident audit log.
  3. Meet legal and regulatory obligations that apply to Credorz as a processor and verification provider.

5. Subprocessors

We engage carefully selected subprocessors for infrastructure, storage, and AI processing. Each is bound by written agreements that meet our data-protection standards.

CategoryPurposeLocation
Cloud infrastructureApplication hosting and computeGoogle Cloud Platform
Relational databasePrimary data store (PostgreSQL)Managed Postgres (Supabase)
Object storageEncrypted document storage (Vault)Google Cloud Storage
AI processingDocument extraction and Twin Q&AGoogle Gemini
Enterprise customers receive an up-to-date subprocessor list and advance notice of material changes under their agreement.

6. Security measures

Technical and organizational measures we maintain include:

  • Field-level data classification governing what each viewer can read.
  • Encryption of documents in object storage; file bytes never stored in the database.
  • Revocable, device-labeled sessions validated on every request.
  • A tamper-evident, hash-chained audit log for every sensitive action.
  • Malware and file-type validation on every uploaded document.
  • Row-level security as a defense-in-depth floor on tenant data.

7. International data transfers

Where personal data is transferred outside its country of origin, we rely on appropriate safeguards such as standard contractual clauses (SCCs) and adequacy mechanisms. Enterprise customers can execute SCCs as part of their DPA.

8. Data subject requests

Because Credorz acts as a processor, data subject requests are typically handled by you as the controller. We will assist you in responding to requests — including access, rectification, and erasure — and will forward or action requests where appropriate. Contact privacy@credorz.com.

9. Breach notification

In the event of a personal-data breach affecting your data, Credorz will notify you without undue delay, describe what happened and its likely impact, and cooperate with your mitigation and any required regulator notifications.

10. Deletion & return

On termination, and subject to legal retention obligations (including KYC/AML record-keeping), we will delete or return customer personal data according to your agreement. Records we are legally required to retain are kept secure and used only for compliance.

11. Audits

Enterprise customers may audit our compliance with this DPA as set out in their agreement, including through independent third-party reports we make available (such as SOC 2 / ISO 27001 where applicable).