Legal · Team tier

Data Processing Agreement

Last updated April 13, 2026

This Data Processing Agreement ("DPA") forms part of the Verify Terms of Service between magpiexyz-lab ("Processor") and the Team-tier subscriber ("Controller"). It governs processing of personal data under GDPR Article 28.

1. Subject matter

Processor processes personal data on behalf of Controller solely to provide the Verify fact-check orchestration service described in the Terms.

2. Duration and termination

This DPA remains in force for the duration of Controller's Team subscription plus 30 days for deletion cycles. Upon termination, Processor will delete or return all personal data within 30 days.

3. Nature and purpose

Processor processes submitted URLs, media, and text strings through detection providers and synthesizes a probabilistic verdict. Personal data is limited to: Controller admin/member email addresses, submitted content that may incidentally contain personal data about third parties, and audit logs.

4. Sub-processors

Controller authorizes the following sub-processors. Processor will give 30 days' notice of additions and will provide a right to object.

  • Supabase (EU, Frankfurt) — database, auth, storage
  • Vercel (EU, fra1) — hosting, edge network
  • PostHog (EU) — product analytics
  • Anthropic — Claude API for synthesis. Data handling per Anthropic's published API usage policies.
  • Stripe — payment processing
  • Resend — transactional email
  • Reality Defender, Sensity, TinEye, InVid, Google Fact Check Tools — detection providers, called per check

5. Security measures

  • Encryption in transit (TLS 1.3) and at rest
  • Row-level security on every database table
  • Service-role keys never exposed to the client
  • Rate limiting on all authenticated endpoints
  • Stripe webhook signature verification via constant-time compare
  • Cron endpoints gated by rotating bearer secrets

6. Data subject rights

Processor will assist Controller in responding to data-subject requests (access, rectification, erasure, portability, objection) without undue delay. Controller admin can trigger member-level erasure via the account panel; Processor guarantees hard-purge within 30 days via the daily dsr-purge cron.

7. Breach notification

Processor will notify Controller of any personal-data breach without undue delay and within 72 hours of becoming aware, with all information required under GDPR Article 33(3).

8. International transfers

Processing takes place primarily in the EU. Where sub-processors operate outside the EU (e.g., Anthropic US), transfers are covered by Standard Contractual Clauses (2021/914) and supplementary measures.

9. Contact

DPO and privacy queries: hello@magpiexyz.io