Data Processing Agreement (DPA)
Last updated: 5 June 2026 · Effective: 5 June 2026 · Version 1.0
1. Scope & roles
This Data Processing Agreement ("DPA") is entered into between Vera Soft ("Processor", "VeraDNS") and the customer identified in the applicable Order Form or website registration ("Controller", "Customer"). It forms an integral part of the Terms of Service.
For website enquiries on veradns.io the controller is Vera Soft itself; this DPA applies whenever VeraDNS acts as a processor of personal data on behalf of the Customer — for example, when a Customer transmits personal data to support@veradns.io as part of a support case.
The VeraDNS Platform is deployed within Customer's own infrastructure; in normal operation VeraDNS does not receive Customer's DNS query data or production logs.
2. Definitions
Terms used in this DPA have the meaning given in the EU GDPR and the Thailand PDPA, including "personal data", "processing", "controller", "processor", "sub-processor", "data subject" and "personal data breach".
3. Nature, purpose & duration of processing
See Annex I for the categories of data subjects, types of personal data, purpose, nature and duration of processing.
4. Processor obligations
VeraDNS will:
- Process personal data only on documented instructions from the Controller, including the Terms of Service, the applicable Order Form and tickets opened via support channels.
- Ensure persons authorised to process personal data are bound by confidentiality.
- Implement the security measures in Annex II.
- Not transfer personal data to third countries except as permitted under Section 11.
- Inform the Controller without undue delay if an instruction would, in VeraDNS's opinion, infringe applicable data-protection law.
5. Technical & organisational measures
VeraDNS implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including the measures listed in Annex II.
6. Sub-processors
The Controller authorises VeraDNS to engage the sub-processors listed in Annex III. VeraDNS will give at least 30 days' notice of new sub-processors. The Controller may object on reasonable data-protection grounds; the parties will work in good faith to resolve the objection, failing which the Controller may terminate the affected service for convenience.
7. Data-subject requests
VeraDNS will assist the Controller, by appropriate technical and organisational measures, in responding to requests from data subjects to exercise their rights under applicable law (access, rectification, erasure, restriction, portability, objection).
8. Breach notification
VeraDNS will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting the Controller's data, and will provide all information reasonably needed for the Controller to comply with its notification obligations.
9. Assistance to controller
VeraDNS will assist the Controller in ensuring compliance with security, breach-notification, DPIA and prior-consultation obligations, taking into account the nature of processing and the information available.
10. Audit rights
VeraDNS will make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and PDPA s.40 and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable notice (at least 30 days) and during normal business hours. Audits may be satisfied by third-party reports (e.g. SOC 2 Type II or ISO 27001 certifications) where available.
11. International transfers
Where VeraDNS transfers personal data outside the EEA / Thailand, it will rely on a valid transfer mechanism, such as the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) or PDPC-approved equivalents, together with supplementary measures where required by Schrems II / equivalent jurisprudence.
12. Return / deletion of data
On termination, VeraDNS will, at the Controller's choice, return or delete all personal data processed on the Controller's behalf within 90 days, unless retention is required by law.
13. Liability
Each party's liability under this DPA is governed by the liability provisions of the underlying Terms of Service.
14. Term & termination
This DPA enters into force on the Effective Date and continues for as long as VeraDNS processes personal data on behalf of the Controller.
Annex I — Processing details
Categories of data subjects
- Customer's authorised personnel and end-users whose data is shared with VeraDNS during support interactions.
- Visitors to veradns.io who submit a trial or contact form.
Types of personal data
- Identifiers: name, work email, phone (optional).
- Organisational data: company, role, company size.
- Free-text content provided in enquiries or support tickets.
- Server logs: IP address, user agent, request metadata (≤ 30 days).
Special categories
None expected. The Controller agrees not to submit special-category data (Art. 9 GDPR) through VeraDNS support channels unless specifically authorised in writing.
Frequency & duration
Continuous for the term of the agreement; deleted on termination per Section 12.
Purpose
Provide the VeraDNS service, respond to enquiries, ensure security and abuse prevention, comply with legal obligations.
Annex II — Technical & organisational security measures
- Encryption: TLS 1.2+ in transit; AES-256 at rest where applicable.
- Access control: Role-based, MFA-enforced; least-privilege principle.
- Network: Segmented production environments; firewalled administrative access.
- Logging: Centralised security and audit logs with retention controls.
- Vulnerability management: Continuous dependency scanning; periodic third-party penetration testing.
- Personnel: Background checks where lawful; security awareness training; contractual confidentiality.
- Incident response: Documented playbooks; 24/7 on-call rotation; tabletop exercises.
- Backup & resilience: Encrypted backups; tested restoration procedures.
- Physical security: Production hosting in ISO 27001 / SOC 2 certified data centres.
Annex III — Sub-processors
The current list of sub-processors is maintained at veradns.io/sub-processors (link will be available before paid GA). Categories currently engaged include:
- Cloud hosting / CDN — for the marketing website.
- Email delivery (mail host SMTP) — for delivering website form submissions and transactional emails to our inbox.