Data Processing Agreement
For business customers subject to the GDPR, UK GDPR, or CCPA. This DPA forms part of the Terms of Service when applicable to your use of VinVerify.
Last updated February 14, 2026
1. Scope and roles
This Data Processing Agreement (“DPA”) applies to VinVerify’s processing of personal data on behalf of a business customer (“Customer”) in connection with the Services. Where the GDPR or UK GDPR applies, Customer is the controller and VinVerify is the processor. Where the CCPA/CPRA applies, Customer is the business and VinVerify is a service provider.
2. Definitions
Terms not defined here have the meanings given in the GDPR or CCPA, as applicable. “Customer Personal Data” means personal data Customer or its users submit to VinVerify in connection with the Services.
3. Subject matter and duration
- Subject matter: VinVerify’s provision of vehicle history reports and related dashboard/API services to Customer.
- Duration: the term of the underlying subscription or account, plus the retention periods set out in our Privacy Policy.
- Nature & purpose: processing user account data, billing data, and VIN-based queries so VinVerify can deliver the Services.
- Categories of data subjects: Customer employees, contractors, and end users who interact with the Services on Customer’s behalf.
- Categories of personal data: account contact details, authentication credentials, billing identifiers, and IP/log data.
4. Customer instructions
VinVerify shall process Customer Personal Data only on Customer’s documented instructions, including with regard to transfers, unless required to do otherwise by applicable law. Customer’s instructions for processing are set out in this DPA, the Terms, and configuration choices Customer makes through the Services.
5. Confidentiality
VinVerify ensures that personnel authorized to process Customer Personal Data are under written confidentiality obligations and have received appropriate data-protection training.
6. Security
VinVerify maintains the following technical and organizational measures:
- TLS 1.2+ for data in transit; AES-256 for data at rest.
- Role-based access controls and least-privilege principles.
- Continuous logging, monitoring, and alerting on production systems.
- Annual third-party penetration testing and code review.
- Background checks for personnel with production access, and hardware security keys for production sign-in.
- A formal incident response plan with defined SLAs.
7. Sub-processors
Customer authorizes VinVerify to engage sub-processors to assist with delivery of the Services. Current sub-processors include:
- Stripe, Inc., payment processing
- Vercel, Inc., application hosting
- Amazon Web Services, infrastructure and backups
- Postmark / Resend, transactional email delivery
- NMVTIS-approved data providers, vehicle history lookups
VinVerify will notify Customer of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving Customer an opportunity to object on reasonable data-protection grounds.
8. International transfers
Where required, VinVerify relies on the European Commission’s Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum for transfers of personal data outside the EEA / UK.
9. Data subject requests
VinVerify will assist Customer, taking into account the nature of the processing, in responding to requests from data subjects to exercise their rights under applicable law. Where data subjects contact VinVerify directly with requests relating to Customer Personal Data, VinVerify will forward the request to Customer without undue delay.
10. Personal data breaches
VinVerify will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Customer Personal Data, and will provide the information Customer reasonably needs to comply with its own notification obligations.
11. Audits
VinVerify will make available to Customer all information necessary to demonstrate compliance with this DPA, including third-party audit reports (where available) and responses to reasonable security questionnaires no more than once per year, subject to confidentiality obligations.
12. Return or deletion
On termination of the Services, VinVerify will, at Customer’s choice, delete or return all Customer Personal Data within 90 days, except where retention is required by applicable law (e.g., tax records).
13. CCPA / CPRA
When acting as a service provider under the CCPA/CPRA, VinVerify will not (i) sell or share Customer Personal Data, (ii) retain, use, or disclose Customer Personal Data outside the direct business relationship, or (iii) combine Customer Personal Data with personal information VinVerify receives from other sources, except as expressly permitted by the CCPA.
14. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the underlying Terms of Service.
15. Acceptance
To countersign this DPA on behalf of your business, send a signed copy of these terms to legal@vinverify.example. VinVerify will return a counter-signed copy for your records.