Data processing agreement
Data Processing Agreement
The processor terms for client data handled by Verifire in connection with verified wallet infrastructure services.
Last updated: April 2026
1. Purpose and relationship to the main agreement
This Data Processing Agreement forms part of the agreement between Verifire B.V. and the relevant controller where Verifire processes personal data on behalf of a client in connection with verified wallet infrastructure services.
It is intended to reflect Article 28 GDPR requirements and to support lawful, well-documented processing arrangements for regulated digital finance environments.
2. Subject matter and scope of processing
Processing may relate to customer onboarding information, business contact data, workflow approval data, integration-related operational records, and other personal data processed as part of the agreed Verifire service scope.
The exact categories of data, data subjects, and processing operations depend on the service purchased and should be specified in the commercial agreement or implementation documentation.
3. Controller obligations
The controller is responsible for the lawfulness of the processing instructions given to Verifire, for establishing a valid legal basis, and for meeting transparency and regulatory obligations toward relevant data subjects and authorities.
4. Processor obligations
Verifire will process personal data only on documented instructions from the controller unless otherwise required by applicable law.
- Maintain appropriate confidentiality obligations for authorised personnel
- Implement technical and organisational measures appropriate to the risk
- Assist the controller where reasonably necessary with data subject rights and incident response
- Delete or return personal data upon termination as agreed, subject to retention obligations
5. Sub-processors and transfers
Where Verifire uses sub-processors, it will ensure that appropriate contractual protections are in place and that sub-processors are bound by data protection obligations materially comparable to those applicable to Verifire.
International transfers, if any, must be supported by appropriate safeguards such as adequacy decisions or standard contractual clauses where required.
6. Security and incident notification
Verifire applies security measures designed to protect personal data in line with the nature of the processing and the risks involved.
If Verifire becomes aware of a personal data breach affecting controller data, it will notify the controller without undue delay and provide available information reasonably necessary for the controller to assess and respond.
7. Assistance, audit, and accountability
Verifire will make available information reasonably necessary to demonstrate compliance with processor obligations and will support proportionate audit or assurance processes as agreed between the parties.
8. Final provisions
This DPA is governed by Dutch law, unless the main agreement provides otherwise. It remains in effect for as long as Verifire processes personal data on behalf of the controller under the relevant agreement.
This page is intended as a structured legal template and implementation-ready framework. Service-specific annexes, technical schedules, and processing descriptions may be added per client engagement.