GDPR Compliance
Verify AI is built with privacy at its core. Our architecture gives you full control over how and where data is processed, making GDPR compliance straightforward whether you operate in the EU or serve EU customers.
Your Role, Our Role
You (Our Customer)
As the data controller, you determine the purposes and means of processing. You decide what images are submitted, what metadata is included, and how verification results are used.
- Define processing purposes
- Determine data retention needs
- Handle data subject requests
- Maintain records of processing
- Conduct DPIAs where required
Verify AI (Switch Labs)
As the data processor, we process personal data only on your instructions and in accordance with our Data Processing Agreement. We implement appropriate technical and organizational measures.
- Process data per your instructions
- Maintain security measures
- Notify you of data breaches
- Support your compliance obligations
- Delete data upon contract termination
How We Protect Your Data
GDPR compliance is not an afterthought — it is built into every layer of our architecture.
Privacy by Design
Our platform is built around data minimization, configurable retention, and clear controller/processor boundaries. You decide what is submitted, and we process it only under documented instructions.
Data Minimization
We only process and store the minimum data necessary. Verification images are retained only for the period required by your use case, with configurable retention policies and automatic deletion.
Encryption Everywhere
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys are hashed and never stored in plaintext. Signed URLs for image access expire after one hour.
Regional Data Controls
Choose the storage region, retention window, and processing configuration that matches your legal and operational requirements. These controls help reduce transfer scope without overstating what runs locally.
Data Subject Rights
We provide APIs and dashboard tools to support right of access, right to erasure, right to rectification, and data portability requests. Your customers' data subjects can exercise their rights seamlessly.
Data Processing Agreements
We provide a comprehensive DPA that covers all GDPR Article 28 requirements, including processing purposes, data categories, sub-processor lists, security measures, breach notification, and deletion obligations.
Data Handling Options
Choose the deployment posture that matches your privacy requirements. The default hosted API supports encryption, configurable retention, and regional storage controls.
Managed Verification API
Images are transmitted securely to the Verify AI API for analysis by hosted vision models. This is the standard mode used by the current SDKs and API.
- TLS 1.3 encryption in transit
- AES-256 encryption at rest
- Configurable retention periods
- Signed URLs expire in 1 hour
- Full audit trail of processing activity
- DPA-backed processor obligations
Regional and Retention Controls
Customers with stricter privacy requirements can reduce data exposure with regional deployment, shorter retention windows, and minimal metadata collection.
- EU-region deployment for storage services
- Standard Contractual Clauses with sub-processors
- Customer-controlled retention settings
- Minimize submitted metadata fields
- Use signed access for image retrieval
- Documented transfer and deletion workflows
Data Processing Register
A complete overview of the personal data we process, the legal basis for processing, and how long we retain it.
Sub-Processors
We maintain a transparent list of all sub-processors that may handle personal data depending on your deployment and storage configuration.
We will notify you of any changes to this list at least 30 days in advance, giving you the opportunity to object per our DPA.
Data Subject Rights
We provide the tools and processes to help you fulfill data subject rights requests from individuals whose data is processed through Verify AI.
Right of Access (Art. 15)
Export all verification data associated with a specific identifier through our API or dashboard. Responses include images, results, and metadata.
Right to Erasure (Art. 17)
Delete all verification data for a specific identifier via API call or dashboard. Deletion is permanent and propagated to all storage systems within 72 hours.
Right to Rectification (Art. 16)
Update or correct metadata associated with verifications. Verification results can be overridden with corrected compliance status through the API.
Right to Data Portability (Art. 20)
Export verification data in structured, machine-readable JSON format. Images can be exported with signed download URLs for bulk retrieval.
Right to Object (Art. 21)
We support your obligation to handle objections. Specific identifiers can be blocklisted to prevent future processing via the API.
Right to Restriction (Art. 18)
Verification data can be marked as restricted, preventing further processing while preserving it for legal obligations or dispute resolution.
International Data Transfers
When using cloud processing, data may be transferred outside the EEA. We ensure all transfers are protected by appropriate safeguards as required under GDPR Chapter V.
Transfer Mechanisms
All sub-processors have executed the EU Commission's 2021 Standard Contractual Clauses. These provide contractual guarantees that personal data transferred outside the EEA receives an equivalent level of protection.
We conduct transfer impact assessments for each sub-processor to evaluate the legal framework in the recipient country and any supplementary measures needed to ensure adequate protection.
For customers requiring data to remain within the EU, we offer EU-region deployment for database and image storage, reducing cross-border transfer exposure.
End-to-end encryption ensures that even during transit, data cannot be accessed by third parties. Images are encrypted before transmission and decrypted only within the processing environment.
Data Breach Notification
In the unlikely event of a data breach, we follow a strict notification process that meets or exceeds GDPR Article 33 requirements.
24 hrs
Maximum time to notify you after becoming aware of a breach involving your data
Full Report
Detailed breach report including nature, scope, affected data categories, and remediation steps
Ongoing
Continued communication and support as you assess impact and fulfill your own notification obligations
Technical and Organizational Measures
We implement comprehensive security measures as required by GDPR Article 32 to ensure the ongoing confidentiality, integrity, and availability of processing systems.
Access Control
- API key authentication with rate limiting
- Row-level security on all database tables
- Customer data isolation by customer ID
- Role-based access for internal staff
- Multi-factor authentication required for team access
Encryption
- TLS 1.3 for all data in transit
- AES-256 encryption for data at rest
- API keys hashed (never stored in plaintext)
- Webhook payloads signed with HMAC-SHA256
- Signed image URLs with 1-hour expiration
Monitoring & Logging
- Full audit trail of all API requests
- Real-time anomaly detection
- Automated alerting for suspicious activity
- Log retention for security analysis
- Regular penetration testing
Business Continuity
- Multi-provider AI fallback system
- Automated database backups
- Disaster recovery procedures
- 99.9% uptime SLA
- Geographic redundancy for storage
Request Our Data Processing Agreement
Our DPA covers all GDPR Article 28 requirements including processing scope, sub-processor management, security obligations, breach notification, audit rights, and data deletion. Available for all customers on paid plans.
Questions About Data Protection?
Our team is available to discuss your specific GDPR compliance requirements and help you choose the right processing configuration for your needs.
Data Protection Contact: privacy@switchlabs.dev
General Inquiries: hello@switchlabs.dev
Switch Labs LC · 434 Pine Street · San Francisco, CA 94158