Skip to main content

Verispect · Legal · v1.0-2026-05-06

Data Processing Agreement

Effective 2026-05-06.

1. Scope

This Data Processing Agreement (the “DPA”) supplements the Master SaaS Agreement between Verispect and Customer (the “MSA”) and governs Verispect’s processing of personal information on Customer’s behalf in connection with the Service. Capitalized terms not defined here have the meaning given in the MSA. In the event of a conflict between this DPA and the MSA with respect to data protection, this DPA controls.

2. Definitions

“Borrower NPI” means non-public personal information about a consumer as defined under the Gramm-Leach-Bliley Act (15 U.S.C. § 6809) and Regulation P, including names, Social Security numbers, dates of birth, financial account numbers, asset and income data, and consumer credit information. “Process” has the meaning given in 15 U.S.C. § 6809 and applicable state consumer-privacy laws.

3. Roles of the Parties

With respect to Borrower NPI submitted to the Service, Customer is the data controller (or, where applicable, the “business” under California consumer-privacy law) and Verispect is the data processor (or “service provider”). Verispect will Process Borrower NPI only on documented instructions from Customer, including instructions reflected in the configuration of the Service.

4. Processing Instructions

Customer instructs Verispect to Process Borrower NPI as necessary to (a) provide and maintain the Service; (b) prevent, detect, and respond to security incidents and fraud; (c) comply with Verispect’s legal obligations; and (d) carry out tasks Customer expressly initiates within the Service (such as document classification, e-signature delivery, lender submission, and Plaid-mediated bank verification). Verispect will not Sell or Share Borrower NPI as those terms are defined under the California Consumer Privacy Act.

5. Confidentiality

Verispect will require all personnel authorized to Process Borrower NPI to be subject to a duty of confidentiality and to receive appropriate training on the handling of Borrower NPI.

6. Security Measures

Verispect implements and maintains technical and organizational measures designed to protect Borrower NPI against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Specifically:

  • Encryption in transit (TLS 1.2 or higher) and at rest for borrower data stores.
  • Role-based access controls; per-broker tenancy isolation enforced at the application layer.
  • Multi-factor authentication, session liveness re-checks, device-binding alerts, and phishing-resistant passkeys for high-value flows (Plaid, sensitive document downloads).
  • Automated audit logging of access to Borrower NPI, including data export and disclosure-related events, retained for the period required by applicable law.
  • Regular vulnerability monitoring, dependency-update review, and breach-notification procedures.

7. Sub-Processors

Verispect engages sub-processors to provide the Service, including infrastructure, cloud storage, identity verification, vision OCR, e-signature, transactional email, and bank-data aggregation services. Customer authorizes Verispect’s use of the sub-processors listed at verispect.ai/sub-processors. Verispect will impose contractual data-protection obligations on each sub-processor that are no less protective than those set out in this DPA.

8. Plaid Flow-Down Terms

The Service integrates with Plaid, Inc. for borrower-permissioned bank-data and identity verification. Customer’s use of Plaid features is additionally subject to the Plaid End User Privacy Policy and Plaid’s flow-down customer terms (the “Plaid Flow-Down Terms”). Customer must accept the Plaid Flow-Down Terms inside the Verispect console before any Plaid feature is enabled. Customer’s Plaid Flow-Down Terms acceptance is recorded with the version, timestamp, IP, and user agent for audit replay.

9. Data Subject Requests

Verispect will provide reasonable assistance to enable Customer to fulfill Customer’s obligations to respond to data-subject requests (including borrower requests to access, correct, delete, or export their information). Customer is responsible for verifying the identity of requesters and for the underlying decision whether to grant the request.

10. Security Incidents

Verispect will notify Customer without undue delay after becoming aware of a confirmed Security Incident affecting Borrower NPI Processed under this DPA, and will provide information reasonably needed for Customer to meet its own notification obligations under applicable law.

11. Audits

Once per year, on at least thirty (30) days’ written notice, Customer (or an independent auditor of Customer’s choosing, subject to confidentiality) may audit Verispect’s compliance with this DPA. Verispect may satisfy this obligation by providing recent third-party audit reports (e.g., SOC 2 Type II or equivalent) when available.

12. Data Return and Deletion

Upon termination of the MSA, Customer may request return of its Borrower NPI in a portable format. Verispect will delete or anonymize Borrower NPI within ninety (90) days of termination, unless retention is required by applicable law or for the establishment, exercise, or defense of legal claims.

13. International Transfers

Verispect Processes Borrower NPI in the United States. Verispect does not transfer Borrower NPI outside the United States without Customer’s prior written consent.

14. Liability

The limitations of liability set out in the MSA apply to this DPA. Each party’s liability under this DPA is subject to those limitations.

Questions? Contact us at legal@verispect.ai. See also the Master SaaS Agreement, Privacy Policy, and Terms of Service.