
Sub-processors

The current list of sub-processors that may handle personal data on behalf of VEREID.


Effective Date: May 20, 2026
Version: 1.0
Controller / Processor: VEREID, a product of AIARCO Pty Ltd, ABN [TBD: counsel review], NSW, Australia.

This page lists every sub-processor that may handle personal data on behalf of VEREID or its B2B Customers. We will give 30 days' prior written notice of any addition or material change by (i) updating this page in git, (ii) emailing the DPO contact on each B2B account, and (iii) posting in the Customer dashboard. B2B Customers may object in writing; if VEREID cannot reasonably remedy the objection, the affected portion of the contract may be terminated for cause without penalty.

All transfers outside the data-subject's country of collection are protected by EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and where applicable APP 8 contractual binding. See PRIVACY_POLICY.md §6.


1. Infrastructure & storage

Amazon Web Services, Inc. (AWS)
  Role: Primary cloud — compute (ECS Fargate), database (Aurora), object storage (S3), KMS, Secrets Manager, CloudFront, WAF, GuardDuty, CloudTrail, Macie
  Data they receive: All categories — but encrypted at rest with VEREID-controlled KMS CMKs (data-and-secrets, pii-vault-and-audit)
  Region(s): Primary: us-east-1. AU: ap-southeast-2 (Sydney). EU: eu-central-1 (Frankfurt) — activation gated on counsel sign-off (Hard Gate 6)
  Retention: Per PRIVACY_POLICY.md §7; backup snapshots 35 days
  DPA / Terms URL: https://aws.amazon.com/service-terms/ + AWS DPA Addendum (Sep 2022) at https://aws.amazon.com/agreement/

Cloudflare, Inc.
  Role: Edge WAF, CDN, bot management, DNS
  Data they receive: IP, user-agent, request URL, response code. PII payloads are TLS-terminated at Cloudflare under our Enterprise mTLS-to-origin pattern; the body is not inspected. Cookies pass through.
  Region(s): Global PoPs (US controller)
  Retention: 30-day logs by default
  DPA / Terms URL: https://www.cloudflare.com/cloudflare-customer-dpa/

2. Verification & screening

AWS Rekognition (CompareFaces, DetectFaces)
  Role: Face-match between selfie and document portrait
  Data they receive: Selfie frame + document portrait crop. Never stored by Rekognition for VEREID (we do not opt into the model-improvement programme; we use the --no-data-protection-opt-in configuration).
  Region(s): Same region as the source bucket (region-pinned to the data subject's region)
  Retention: Ephemeral — Rekognition does not retain images for VEREID
  DPA / Terms URL: AWS DPA + AWS AI/ML opt-out terms

AWS Textract (AnalyzeID, AnalyzeDocument)
  Role: Document OCR + MRZ extraction
  Data they receive: Document image
  Region(s): Same region as the source bucket
  Retention: Ephemeral
  DPA / Terms URL: AWS DPA

Sanctions-list & PEP vendor
  Role: OFAC / EU / UK / UN / AU consolidated lists + PEP + adverse media
  Data they receive: Name, DOB, country, document number
  Region(s): US (vendor-side)
  Retention: Vendor query cache ≤24h; our hit record 7y
  DPA / Terms URL: [TBD: counsel review + vendor due diligence]

3. Billing

Stripe Payments Pty Ltd (AU acquiring), Stripe Payments Europe Ltd (EU acquiring) — under the existing AIARCO ASC Stripe LIVE account
  Role: Card processing, subscription billing, tax handling, invoices
  Data they receive: Company name, billing address, ABN/VAT, contact email, payment-card token (we never see the PAN), product/price ID, metered-usage records
  Region(s): US controller; data localised in Stripe EU for EU customers
  Retention: Stripe retains per its own retention policy; we keep our copy 7y for tax
  DPA / Terms URL: https://stripe.com/legal + https://stripe.com/dpa

4. Communications

Twilio Inc.
  Role: SMS-OTP fallback factor for MFA, plus SMS for ID-verification invite links
  Data they receive: Mobile number (E.164), short message body (the OTP or a one-line invite link with a tokenised URL)
  Region(s): US controller, regional carrier routing
  Retention: Message body purged immediately after delivery; metadata 13 months
  DPA / Terms URL: https://www.twilio.com/legal/data-protection-addendum

Twilio SendGrid
  Role: Transactional email (signup verification, password reset, anti-phishing-coded account notifications, DSR result links)
  Data they receive: Email address, subject, body
  Region(s): US controller
  Retention: Engagement metadata 13 months; body not retained by SendGrid
  DPA / Terms URL: https://www.twilio.com/legal/data-protection-addendum

Apple Push Notification service (APNs)
  Role: iOS push to VEREID Mobile
  Data they receive: Device push token, payload (no PII beyond the notification text)
  Region(s): US / Apple-controlled
  Retention: Lifecycle of the token
  DPA / Terms URL: https://www.apple.com/legal/internet-services/itunes/dev/stdeula/

Google Firebase Cloud Messaging (FCM)
  Role: Android push
  Data they receive: Device push token, payload
  Region(s): US / Google-controlled
  Retention: Lifecycle of the token
  DPA / Terms URL: https://firebase.google.com/terms/data-processing-terms

5. Observability & analytics

PostHog Inc.
  Role: Product analytics — pseudonymous user behaviour, feature flags
  Data they receive: Pseudonymous device ID, event name, event properties (no PII by SDK rule). Email only after sign-in and only where local consent permits.
  Region(s): EU region for EEA / UK subjects; US region otherwise
  Retention: 13 months
  DPA / Terms URL: https://posthog.com/dpa

Sentry (Functional Software Inc.)
  Role: Error / crash monitoring
  Data they receive: Stack trace, request ID. PII scrubbed at the SDK (beforeSend hook + server-side denylist).
  Region(s): US controller
  Retention: 90 days
  DPA / Terms URL: https://sentry.io/legal/dpa/

6. Developer & support

GitHub, Inc. (Microsoft)
  Role: Source control + Issues for engineering
  Data they receive: No production PII. Code only.
  Region(s): US controller
  Retention: Per Microsoft DPA
  DPA / Terms URL: https://docs.github.com/en/site-policy/privacy-policies/github-data-protection-agreement

Vercel Inc.
  Role: Hosting for the marketing site (vereid.com) and dashboard surfaces
  Data they receive: Public marketing pageviews; tenant-scoped dashboard render context (no PII payloads beyond display name)
  Region(s): US controller, EU edge
  Retention: Per Vercel DPA
  DPA / Terms URL: https://vercel.com/legal/dpa

7. Excluded / not used

For clarity, the following are not sub-processors of VEREID:

  • Auth0 / Okta (we are a competitor product).
  • Persona / Onfido / Sumsub (we run our own verification pipeline).
  • Klaviyo, HubSpot, Salesforce, Segment, Mixpanel (intentionally not used; PostHog only).
  • Any AI training-data broker.

8. Subject-matter and duration of processing by each sub-processor

The subject-matter and duration of processing carried out by each sub-processor mirror the relevant rows in RoPA.md. The duration is the lifetime of the relevant VEREID product and ends on the earliest of (a) Customer termination, (b) VEREID terminating the sub-processor, or (c) expiry of the statutory retention period.


9. Due-diligence posture for every sub-processor

Before onboarding any sub-processor and at least annually thereafter we collect and review:

Evidence | Why we require it
Latest SOC 2 Type II report or ISO 27001 certificate | Independent assurance of the vendor's security programme
Signed DPA incorporating EU SCCs (2021/914 — Module 2 or 3 as applicable) | Lawful basis for cross-border transfers from the EEA
UK IDTA (or UK Addendum to the EU SCCs) | Lawful basis for transfers from the UK
Sub-processor list and 30-day change-notification commitment | Onward-transfer transparency
Breach-notification SLA ≤ 72 hours | To meet our own GDPR Art. 33 and AU NDB obligations
Data-residency commitment for the regions we use | Customer commitments
Sub-processor's own AI-training opt-out attestation (where applicable) | Customer commitment that we do not train models on their data
Insurance evidence (cyber liability, E&O) | Recovery cushion
Vendor exit plan and data-export format | Avoidance of vendor lock-in

The completed file per vendor is held in our compliance vault and referenced from our SOC 2 control catalogue.

10. Sub-processor objection process for B2B Customers

  1. We post the addition or change at this URL and email each Customer's listed DPO contact at least 30 days before activation.
  2. The Customer may, within 14 days of the notification, lodge a written objection to legal@vereid.com setting out the specific concern (residency, sub-processor identity, processing scope).
  3. We respond within 7 days describing whether we can reasonably remedy (e.g. alternative region, alternative vendor for that Customer, additional contractual clause).
  4. If we cannot reasonably remedy and the objection is reasonable, the Customer may terminate the affected portion of the contract for cause without penalty and we will assist with data export per the DPA termination clause.

11. AIARCO group entities

VEREID is operated by AIARCO Pty Ltd (AU). Other AIARCO group entities — including the AIARCO ASC operating entity that holds the Stripe LIVE account — are intra-group recipients and not third-party sub-processors. Intra-group transfers are governed by the AIARCO Intra-Group Data Transfer Agreement (IGDTA) [TBD: counsel review].

12. Change history

Date | Version | Change | Approver
2026-05-20 | 1.0 | Initial publication | DPO

[TBD: counsel review — final sanctions vendor selection; confirm Rekognition opt-out flag works as documented; confirm Vercel role classification; confirm IGDTA wording for AIARCO group transfers.]