veriastra
Legal

GDPR & Compliance

Last updated July 15, 2026

Veriastra processes data that can be personal (emails, phone numbers, IP addresses). This page summarises how we support GDPR/UK-GDPR and similar regimes. It complements our Privacy Policy.

Controller / processor roles

For data you submit through the API about third parties (e.g. your customers), you are the controller and Veriastra is a processor acting on your instructions. You must ensure you have a lawful basis (e.g. legitimate interest, consent) before submitting such data. For our own website and account data, Veriastra is the controller.

Lawful basis

We process lookup inputs to perform the service you request (contract / your instructions) and maintain aggregate reputation and abuse-prevention signals (legitimate interest, balanced against individual rights via minimisation and retention limits).

Data subject rights

Individuals may request access, rectification, erasure, restriction, portability, or object to processing. Send requests to [email protected]. If we processed the data on a customer's behalf, we will refer the request to that customer (controller) and assist as processor.

Data minimisation & retention

We retain the minimum needed: result cache is short-lived, bulk job data ~30 days, IP reputation ~180 days, and we run automated purges on this schedule. We do not sell personal data or use lookup inputs for advertising.

Sub-processors

We use Cloudflare (DNS, TLS, CDN) and a dedicated hosting provider. Lookups query public infrastructure (DNS, DNSBLs, SMTP, public numbering data) only as needed to answer a request.

International transfers & security

Data is encrypted in transit (TLS). Where data crosses borders, we rely on appropriate safeguards. API keys are stored hashed and the Service runs isolated with least-privilege access.

Data Processing Agreement (DPA)

A DPA is available for business customers who need one. Request it at [email protected].