This Data Processing Agreement ("DPA") forms part of the Service Agreement between Verilo, LLC ("Verilo", "Processor") and the entity executing the Service Agreement ("Client", "Controller") and governs the Processing of Personal Data by Verilo on behalf of the Controller in connection with the Verilo interview assessment platform.
This DPA is incorporated into and subject to the terms of the Service Agreement available at /legal/terms (the "Service Agreement"). In the event of any conflict between this DPA and the Service Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings ascribed to them in the Service Agreement.
- "Controller" means the Client, the employer or organization that uses the Verilo platform and determines the purposes and means of Processing Personal Data.
- "Processor" means Verilo, LLC, which Processes Personal Data on behalf of and under the instructions of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person that is Processed by Verilo in the course of providing the Services, including but not limited to interview audio recordings, candidate names, interviewer names, interview dates, and interview metadata.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, storage, transcription, anonymization, AI-based scoring, report generation, retrieval, consultation, use, disclosure, and deletion or destruction.
- "Service Agreement" means the Terms of Service available at /legal/terms, together with any applicable order forms or statements of work executed between the parties.
- "Sub-Processor" means any third party engaged by Verilo to assist in the Processing of Personal Data on behalf of the Controller.
- "Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed by Verilo.
- "Applicable Data Protection Law" means all laws and regulations relating to the Processing of Personal Data that apply to the parties, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable privacy or data protection legislation.
2. Scope of Processing
Verilo shall Process Personal Data solely for the purpose of providing interview assessment services to the Controller as described in the Service Agreement and in accordance with the Controller's documented instructions.
2.1 Categories of Data Subjects
Personal Data Processed under this DPA relates to the following categories of data subjects:
- Job applicants and candidates who participate in interviews
- Interviewers and other personnel of the Controller who are recorded during interview sessions
2.2 Types of Personal Data
The following types of Personal Data may be Processed:
- Audio recordings of interviews
- Candidate names and identifying information
- Interviewer names
- Interview dates, times, and scheduling metadata
- Notes, scores, and other assessment-related data generated by or input into the platform
2.3 Duration of Processing
Processing shall continue for the term of the Service Agreement and any applicable data retention period as described in Section 9 (Return & Deletion). Anonymized data retained under Section 7 is not considered Personal Data and is not subject to the duration limitations of this DPA.
3. Processor Obligations
Verilo, as Processor, shall:
- Process on instructions. Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law. In such case, Verilo shall inform the Controller of that legal requirement before Processing, unless prohibited by law from doing so.
- Confidentiality. Ensure that all personnel authorized to Process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
- Security. Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 4 (Security Measures).
- Sub-Processors. Engage Sub-Processors only in accordance with the terms of Section 5 (Sub-Processors) and ensure that each Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA.
- Data subject rights. Assist the Controller, taking into account the nature of the Processing, by implementing appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligation to respond to requests by data subjects exercising their rights under Applicable Data Protection Law.
- Incident response. Assist the Controller in ensuring compliance with data breach notification obligations under Applicable Data Protection Law, as described in Section 6 (Data Breach Notification).
- Deletion or return. At the choice of the Controller, delete or return all Personal Data upon termination of the Service Agreement, as described in Section 9 (Return & Deletion), and delete existing copies unless applicable law requires storage.
- Audit cooperation. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, as described in Section 10 (Audit Rights).
4. Security Measures
Verilo implements and maintains the following technical and organizational security measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage:
4.1 Encryption
- At rest: All Personal Data is encrypted at rest using AES-256 encryption. Audio files stored in AWS S3 are protected by server-side encryption (SSE). Database records in Supabase are encrypted at rest using platform-managed encryption keys.
- In transit: All data transmitted between clients, Verilo's infrastructure, and third-party services is encrypted using TLS 1.2 or higher.
4.2 Access Controls
- Organization-scoped isolation: Verilo operates a multi-tenant architecture in which all database queries are filtered by organization identifier (org_id). No Controller can access another Controller's data.
- Role-based access control: User authentication and authorization are managed through Clerk, providing organization-level role-based access control for all platform users.
- Presigned URLs: All file access to stored audio recordings is mediated through time-limited presigned URLs. No direct access to the underlying storage buckets is permitted.
4.3 Data Minimization
- PII anonymization: Prior to AI-based scoring and analysis, interview data is passed through a PII anonymization pipeline that removes or redacts identifiable information from transcripts. The AI scoring models operate on anonymized content.
4.4 Infrastructure Security
- Verilo's application is deployed on Vercel with automated security patching and monitoring.
- Processing workloads run on dedicated AWS infrastructure with network isolation and access logging.
- All internal service-to-service communication is authenticated using shared secrets transmitted over encrypted channels.
5. Sub-Processors
The Controller acknowledges and agrees that Verilo may engage Sub-Processors to assist in providing the Services, subject to the requirements of this Section.
5.1 Current Sub-Processors
The current list of Sub-Processors is maintained at /legal/sub-processors. As of the effective date of this DPA, Verilo engages the following Sub-Processors:
| Sub-Processor | Purpose |
|---|---|
| Amazon Web Services (AWS S3) | File storage for audio recordings |
| Supabase | Database hosting and management |
| Clerk | User authentication and organization management |
| OpenAI (GPT-4o-mini) | Anonymized summary generation |
| Vercel | Application hosting and deployment |
| Resend | Transactional email delivery |
5.2 Notification of Changes
Verilo shall notify the Controller in writing at least thirty (30) days prior to engaging any new Sub-Processor or making any material change to an existing Sub-Processor arrangement. The notification shall include the identity of the proposed Sub-Processor, the nature of the Processing to be performed, and any relevant data protection information.
5.3 Objection Right
The Controller may object in writing to the appointment of a new Sub-Processor within thirty (30) days of receiving notification. If the Controller raises a reasonable objection and the parties are unable to resolve the matter within a further thirty (30) days, the Controller may terminate the affected Services under the Service Agreement without penalty, provided the termination relates solely to the Services that cannot be provided without the objected-to Sub-Processor.
5.4 Sub-Processor Obligations
Verilo shall ensure that each Sub-Processor is bound by a written agreement imposing data protection obligations no less protective than those contained in this DPA. Verilo remains fully liable to the Controller for the performance of each Sub-Processor's obligations.
6. Data Breach Notification
Verilo shall notify the Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of a Data Breach affecting Personal Data Processed under this DPA. The notification shall be made to the Controller's designated contact and shall include, to the extent reasonably available at the time:
- A description of the nature of the Data Breach, including the categories and approximate number of data subjects affected and the categories and approximate number of Personal Data records concerned.
- The name and contact details of Verilo's point of contact from whom additional information may be obtained.
- A description of the likely consequences of the Data Breach.
- A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.
Verilo shall cooperate fully with the Controller in investigating and remediating the Data Breach and shall provide reasonable assistance with the Controller's obligations to notify supervisory authorities and affected data subjects, where required under Applicable Data Protection Law.
7. Anonymized Data
The Controller acknowledges and agrees that Verilo creates anonymized copies of interview audio recordings as part of the Services. The anonymization process is as follows:
- Isolation. Upon upload, audio recordings are copied to a fully isolated storage bucket that is logically and physically separated from the production environment. All associated metadata (including organization identifiers, candidate identifiers, and job post linkage) is stripped prior to storage in the isolated bucket.
- PII removal. During subsequent batch processing, any personally identifiable information contained within the audio content itself (such as names, addresses, or other identifiable speech) is identified and stripped from the recordings.
- Irreversibility. Following the completion of both stages, the anonymized data cannot be traced back to any specific candidate, interviewer, or organization. The anonymized recordings constitute fully de-identified data that is no longer Personal Data within the meaning of Applicable Data Protection Law.
The creation, retention, and use of anonymized data as described in this Section constitutes an agreed Processing activity under this DPA. Anonymized data is retained indefinitely by Verilo for the purposes of machine learning model training, quality improvement, and research. Because anonymized data is no longer Personal Data, it is not subject to deletion requests, data portability rights, or the return and deletion obligations set forth in Section 9. Enterprise customers with specific data-handling requirements may negotiate custom terms regarding this processing activity as part of their service agreement.
8. CCPA Service Provider Terms
To the extent that the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), applies to the Processing of Personal Data under this DPA, the following additional terms shall apply:
- Verilo is a "Service Provider" as defined under CCPA and Processes Personal Data on behalf of the Controller for the business purposes specified in the Service Agreement.
- Verilo shall not retain, use, or disclose Personal Data for any purpose other than the specific business purposes set forth in the Service Agreement, except as otherwise permitted by CCPA.
- Verilo shall not sell or share (as those terms are defined under CCPA) Personal Data received from or on behalf of the Controller.
- Verilo shall not combine Personal Data received from the Controller with personal information received from or on behalf of another person or collected from its own interactions with consumers, except as expressly permitted by CCPA.
- Verilo shall cooperate with the Controller in responding to verifiable consumer requests made pursuant to CCPA, including requests to know, delete, correct, or opt out of the sale or sharing of personal information.
- Verilo shall ensure that all Sub-Processors engaged in the Processing of Personal Data subject to CCPA are contractually bound by equivalent CCPA Service Provider obligations. These obligations flow down through the entire Sub-Processor chain.
- Verilo shall notify the Controller if it determines that it can no longer meet its obligations under CCPA and shall take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
9. Return & Deletion
The Controller may export its data from the Verilo platform at any time during the term of the Service Agreement through the platform's built-in export functionality or by contacting Verilo support.
9.1 Post-Termination
Upon termination or expiration of the Service Agreement, Verilo shall:
- Provide the Controller with a thirty (30) day window to export all Personal Data from the platform.
- Following the expiration of the export window, delete all Personal Data in Verilo's possession and in the possession of any Sub-Processors, except where retention is required by applicable law.
- Anonymized copies of data created in accordance with Section 7 (Anonymized Data) are expressly excluded from the deletion obligations of this Section, as such data is no longer Personal Data.
9.2 Certification
Upon the Controller's written request following deletion, Verilo shall provide written certification confirming that all Personal Data has been deleted in accordance with this Section, specifying the date of deletion and the categories of data deleted.
10. Audit Rights
The Controller has the right to audit Verilo's compliance with the obligations set forth in this DPA, subject to the following conditions:
- Notice. The Controller shall provide Verilo with reasonable written notice of at least thirty (30) days prior to any proposed audit, specifying the scope, duration, and start date of the audit.
- Frequency. Audits shall be limited to no more than once per twelve (12) month period, unless a Data Breach has occurred or the Controller is required to conduct an audit by a supervisory authority.
- Alternative evidence. Verilo may, at its discretion, satisfy audit requests by providing the Controller with a current SOC 2 Type II report, ISO 27001 certification, or equivalent independent third-party audit report. Where such reports reasonably address the Controller's audit concerns, the Controller shall accept them in lieu of conducting an on-site audit.
- Conduct. Audits shall be conducted during normal business hours, shall not unreasonably interfere with Verilo's operations, and shall be subject to reasonable confidentiality obligations. The Controller may engage a qualified, independent third-party auditor, subject to Verilo's prior written approval (not to be unreasonably withheld).
- Costs. The Controller shall bear all costs and expenses associated with the audit, including Verilo's reasonable internal costs of cooperating with the audit, unless the audit reveals a material non-compliance by Verilo with its obligations under this DPA, in which case Verilo shall bear the costs of the audit.
11. Term & Termination
This DPA shall become effective on the date the Controller enters into the Service Agreement and shall remain in effect for as long as Verilo Processes Personal Data on behalf of the Controller. The obligations imposed on Verilo under this DPA shall survive the termination or expiration of the Service Agreement until all Personal Data has been deleted or returned in accordance with Section 9 (Return & Deletion).
Either party may terminate this DPA for cause if the other party materially breaches its obligations under this DPA and fails to cure such breach within thirty (30) days of receiving written notice. In the event of termination, the provisions of Sections 7, 9, 10, and 11 shall survive.
12. Contact
For all inquiries, requests, or notices related to this Data Processing Agreement, please contact:
Verilo, LLC
Data Protection Inquiries
Email: privacy@verilo.co
All notices under this DPA shall be in writing and shall be deemed duly given when delivered by email with confirmation of receipt, or when sent by certified mail to the address specified in the Service Agreement.