Data Processing Agreement
Effective April 20, 2026
This Data Processing Agreement (“DPA”) supplements our Terms of Service and Privacy Policy. It describes how Optivus Corporation Private Limited(“Processor”) processes personal data on behalf of your organization (“Controller”) when you use Veritas.
This DPA applies automatically to all Veritas customers. If your organization needs a signed, negotiated DPA (for enterprise procurement, GDPR, or DPDP compliance), please route the request through your Veritas account administrator.
1. Roles and scope
Under applicable data protection law (including the EU GDPR, UK GDPR, and India’s Digital Personal Data Protection Act 2023), you are the Controller (or Data Fiduciary) of personal data your organization uploads or generates through Veritas. Optivus Corporation Private Limited is the Processor (or Data Processor) and processes personal data only as instructed by you through your use of the Service.
2. Nature and purpose of processing
- Subject matter: Providing the Veritas SaaS product as described in our Terms of Service.
- Duration: For as long as your organization uses the Service, plus retention periods defined in the Privacy Policy.
- Nature: Hosting, storing, indexing, analyzing, and generating content based on your organization’s uploaded materials and user inputs.
- Purpose: Content generation, knowledge graph construction, learning path delivery, administrative functions, and billing.
- Categories of data subjects: Your employees, contractors, and (where applicable) your customers whose information you upload.
- Categories of personal data: Names, email addresses, job titles, profile images, and any personal data contained in documents you choose to upload.
3. Sub-processors
You authorize Optivus Corporation Private Limited to engage the sub-processors listed below, each of which is contractually bound to appropriate confidentiality and security obligations. We remain responsible for their performance of data protection obligations.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Clerk (Clerk, Inc.) | Authentication, user/org identity | United States |
| OpenAI | Language model inference, embeddings | United States |
| MongoDB Atlas | Primary application database | Configurable (US / EU / APAC) |
| Neo4j AuraDB | Knowledge graph database (select tenants) | Configurable |
| Amazon Web Services (S3) | Object storage for documents and images | Configurable |
| Razorpay | Payment processing | India |
| Twilio SendGrid | Transactional email | United States |
| Firecrawl | Website crawling during onboarding | United States |
If we engage a new sub-processor or replace an existing one, we will update this page and notify account administrators by email at least 14 days in advance, giving you the opportunity to object.
4. Security measures
Optivus Corporation Private Limited maintains the following technical and organizational measures:
- Encryption of personal data in transit (TLS 1.2+) and at rest.
- Tenant isolation via separate per-organization databases.
- Role-based access controls for internal administrative functions.
- Audit logging of privileged operations.
- Regular dependency and vulnerability updates.
- Access to production systems restricted to authorized personnel under need-to-know.
- Incident response procedures for security events.
5. Data subject rights
We will assist you, at your reasonable request, in responding to requests from data subjects exercising their rights under applicable law (access, correction, deletion, portability, objection, restriction). Most rights can be fulfilled directly by Controller administrators using the Service’s built-in user management and account-deletion tools. For requests that require our assistance, please raise them through your Veritas account administrator.
6. Breach notification
In the event of a personal data breach affecting your organization’s data, we will notify you without undue delay after becoming aware of it (within 72 hours where feasible), providing the information you need to meet your own notification obligations under applicable law.
7. Audits
Controllers may audit compliance with this DPA once per year, at their own cost, by written request submitted through their Veritas account administrator at least 30 days in advance. We may satisfy audit requirements by providing our most recent third-party attestations, security documentation, or by arranging a remote review.
8. Return and deletion of data
On termination of your organization’s account, at your choice:
- You may export your data using the Service’s export tools before deletion (subject to what the Service offers at the time).
- We will delete or anonymize your personal data within 30 days of account closure, except where retention is required by law (e.g., billing records for 7 years).
9. International data transfers
Where personal data is transferred across borders to our sub-processors, we rely on appropriate transfer mechanisms (Standard Contractual Clauses, adequacy decisions, or equivalent) as required by applicable law.
10. Liability
Liability under this DPA is subject to the limitation of liability clause in the Terms of Service.
11. Changes
We may update this DPA from time to time. Material changes will be announced to account administrators by email at least 14 days before taking effect. The latest version always lives at this URL.
12. Contact
Optivus Corporation Private Limited is registered in New Delhi, India. For now, please route data-protection inquiries through your Veritas account administrator; a dedicated contact address will be published here in a future revision.