This Privacy Policy explains how Veratum Inc. ("Veratum," "we," "us," or "our") collects, uses, processes, and protects information when you interact with our website, products, and services. As an AI compliance infrastructure company handling sensitive audit trail data, we maintain rigorous privacy and security standards.
1. Information We Collect
1.1 Contact Form and Communications
When you submit a contact form on our website or communicate with us directly, we collect:
- Name and email address
- Company name and industry
- Message content and inquiry details
- Any additional information you voluntarily provide
1.2 API Usage and Telemetry
When you use Veratum's APIs and services, we collect technical telemetry to maintain service quality and security:
- API endpoints accessed and usage frequency
- Request timestamps and duration
- HTTP status codes and error conditions
- IP address and user agent
- Aggregated performance metrics and feature usage
We do not collect the content of your audit trail data or of the AI decisions it records. Audit trail payloads are committed to cryptographically (see 1.3) and are never stored by Veratum in plaintext form.
1.3 Audit Receipt Data
Veratum generates cryptographic audit receipts containing:
- Commitment hashes (not the original data)
- Timestamp information from our trusted timestamp provider
- Merkle tree proofs for tamper evidence
These receipts are designed so that Veratum cannot reconstruct the original AI decisions or sensitive data from them. Only you, holding the original data and the salt or key material used to form the commitment, can open the commitment and prove the receipt's authenticity.
1.4 Browser and Device Information
Like most websites, we automatically collect:
- Browser type, version, and operating system
- Pages visited and time spent
- Referrer information
- Anonymous usage analytics (no personally identifiable tracking)
2. Personally Identifiable Information (PII) Handling
2.1 Client-Side Redaction
Our platform includes built-in mechanisms for PII redaction:
- Customers can configure sensitive field patterns (e.g., email, phone, SSN) for automatic detection
- Matching fields are replaced by their hash before the record is committed, so the plaintext is never stored
- Only hash values and redaction metadata are retained
2.2 Commitment Schemes
Veratum uses cryptographic commitment schemes to audit AI decisions without storing plaintext information:
- The original data is hashed into a commitment using salt or key material under your control
- We retain only the commitment (hash) and the proof that it was committed (timestamp and Merkle inclusion proof)
- You retain the original data, the salt or key material used to form the commitment, and any decryption keys, and can open the commitment to prove authenticity to regulators
2.3 No Plaintext Storage
Veratum never stores customer data in plaintext form. All sensitive information is:
- Either encrypted with customer-controlled keys, or
- Committed to through hashing, or
- Redacted according to customer configuration
Even Veratum employees cannot access the underlying data from stored audit trails.
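The commitment, redaction and Merkle-proof mechanics described in 1.3, 2.1 and 2.2 above, as an added illustrative example written for this page. It is not Veratum's receipt format, SDK or code: the function names, the leaf and node prefixes, the redaction patterns and the sample records are all assumptions made for the example. It also shows why the salt or customer key matters for the "hash before commitment" step, since an unsalted hash of a low-entropy identifier such as an SSN is reversed by simply enumerating the candidates.

```python
"""Salted hash commitments, Merkle inclusion proofs and field redaction.

Illustrative construction written for this page; NOT Veratum's receipt
format or SDK. All names and prefixes below are invented for the example.
"""
import hashlib
import hmac
import json
import re
import secrets
from typing import Iterable, List, Optional, Tuple

Proof = List[Tuple[bytes, str]]  # (sibling hash, side of sibling: "L" or "R")


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def commit(record: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Commit to `record`; returns (commitment, salt).

    The customer keeps (record, salt) and submits only `commitment`.
    The salt is what makes a hash of a low-entropy field non-reversible:
    without it a 9-digit SSN is recovered by hashing all 10**9 candidates.
    """
    if salt is None:
        salt = secrets.token_bytes(32)
    return sha256(salt + record), salt


def open_commitment(commitment: bytes, record: bytes, salt: bytes) -> bool:
    """Opening: whoever holds (record, salt) can prove it matches the commitment."""
    return hmac.compare_digest(sha256(salt + record), commitment)


def recover_unsalted(target: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Dictionary attack against an UNSALTED hash of a low-entropy value."""
    for c in candidates:
        if sha256(c) == target:
            return c
    return None


# Domain separation: leaves and internal nodes use different prefixes so an
# internal node can never be passed off as a leaf.
def _leaf(commitment: bytes) -> bytes:
    return sha256(b"\x00" + commitment)


def _node(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def build_merkle(commitments: List[bytes]) -> Tuple[bytes, List[Proof]]:
    """Return (root, inclusion proof for every leaf). An unpaired node is
    promoted unchanged rather than hashed with a copy of itself, avoiding
    the duplicate-leaf ambiguity of "hash the last node twice" trees."""
    if not commitments:
        raise ValueError("cannot build a Merkle tree with no leaves")
    level = [_leaf(c) for c in commitments]
    owners = [[i] for i in range(len(level))]  # leaf indices beneath each node
    proofs: List[Proof] = [[] for _ in level]
    while len(level) > 1:
        next_level, next_owners = [], []
        for i in range(0, len(level), 2):
            if i + 1 == len(level):            # unpaired node: promote as-is
                next_level.append(level[i])
                next_owners.append(owners[i])
                continue
            left, right = level[i], level[i + 1]
            for leaf in owners[i]:
                proofs[leaf].append((right, "R"))
            for leaf in owners[i + 1]:
                proofs[leaf].append((left, "L"))
            next_level.append(_node(left, right))
            next_owners.append(owners[i] + owners[i + 1])
        level, owners = next_level, next_owners
    return level[0], proofs


def verify_inclusion(commitment: bytes, proof: Proof, root: bytes) -> bool:
    h = _leaf(commitment)
    for sibling, side in proof:
        h = _node(h, sibling) if side == "R" else _node(sibling, h)
    return hmac.compare_digest(h, root)


SENSITIVE = {  # customer-configured patterns, as in section 2.1 (assumed set)
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}


def redact(record: dict, key: bytes) -> dict:
    """Replace values matching a sensitive pattern with a keyed hash plus
    redaction metadata. One customer-held key keeps equal values linkable
    across records while denying outsiders the dictionary attack above."""
    out = {}
    for field, value in record.items():
        label = next((n for n, rx in SENSITIVE.items()
                      if isinstance(value, str) and rx.match(value)), None)
        out[field] = ({"redacted": label, "sha256": sha256(key + value.encode()).hex()}
                      if label else value)
    return out


def demo() -> dict:
    # Constructed sample decision records (not real people).
    records = [
        {"decision_id": "d-001", "email": "jane@example.com", "ssn": "123-45-6789", "outcome": "approved"},
        {"decision_id": "d-002", "email": "sam@example.org", "ssn": "123-45-0042", "outcome": "denied"},
        {"decision_id": "d-003", "email": "lee@example.net", "ssn": "123-45-9999", "outcome": "approved"},
    ]
    key = secrets.token_bytes(32)
    redacted = [redact(r, key) for r in records]
    encoded = [json.dumps(r, sort_keys=True).encode() for r in redacted]
    opened = [commit(e) for e in encoded]           # customer keeps these
    commitments = [c for c, _ in opened]            # auditor receives these
    root, proofs = build_merkle(commitments)
    # Attacker who knows the SSN prefix: only 10**4 candidates remain.
    candidates = lambda: (f"123-45-{i:04d}".encode() for i in range(10_000))
    unsalted = sha256(records[1]["ssn"].encode())
    return {
        "all_included": all(verify_inclusion(c, p, root) for c, p in zip(commitments, proofs)),
        "wrong_root_rejected": not verify_inclusion(commitments[0], proofs[0], sha256(b"other")),
        "opens": open_commitment(commitments[0], encoded[0], opened[0][1]),
        "tamper_detected": not open_commitment(
            commitments[0], encoded[0].replace(b"approved", b"denied"), opened[0][1]),
        "unsalted_recovered": recover_unsalted(unsalted, candidates()) == b"123-45-0042",
        "keyed_resists": recover_unsalted(bytes.fromhex(redacted[1]["ssn"]["sha256"]), candidates()) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the block prints six checks that should all be True: every leaf verifies against the root, a wrong root is rejected, the customer can open its commitment, a changed outcome fails to open, and the unsalted SSN hash is recovered from a small candidate set while the keyed hash is not.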
3. How We Use Your Information
- Service Delivery: Providing audit trail infrastructure, API access, and compliance documentation
- Compliance and Regulatory: Assisting with EU AI Act, FTC AI guidance, and regulatory audit responses
- Security and Fraud Prevention: Detecting unauthorized access, preventing abuse, and maintaining system integrity
- Service Improvement: Analyzing aggregated telemetry to optimize performance and reliability
- Communication: Responding to inquiries, sending service updates, and security notices
- Legal Obligations: Complying with lawful requests from law enforcement or regulators
4. Data Retention
4.1 Contact Information
Contact form submissions and email inquiries are retained for 2 years, or until you request deletion.
4.2 API Telemetry
Usage logs and telemetry data are retained for 12 months for performance monitoring and security analysis. Aggregated analytics may be retained indefinitely.
4.3 Audit Trail Data
Retention is configurable per customer and jurisdiction:
- GDPR (EU): Default 7 years unless a longer period is legally required; shorter on data subject request where no legal retention obligation applies
- HIPAA (US Healthcare): Minimum 6 years, configurable up to indefinite for compliance proof
- SEC/FINRA (Finance): Minimum 6 years, configurable per regulatory requirement
- Custom: Customers may configure shorter retention periods
You control deletion of audit trails through API or dashboard requests. Deletion triggers cryptographic proof-of-deletion logging.
4.4 Backup and Disaster Recovery
For service continuity, backup copies of audit trails may be retained for up to 90 days after deletion requests. After this period, data is purged from all systems including cold storage.
5. Third-Party Services and Data Processors
5.1 DigiCert Trusted Timestamps
Veratum uses DigiCert's timestamp authority to provide cryptographically verifiable timestamps in audit receipts. DigiCert receives:
- Commitment hashes (not original data)
- Timestamp request metadata
5.2 AWS Cloud Hosting
Veratum's infrastructure is hosted on Amazon Web Services (AWS). AWS may process:
- Encrypted customer data and audit trails
- API telemetry and logs
- Database backups (encrypted)
All data is encrypted at rest and in transit. AWS does not have access to customer encryption keys. See the AWS Privacy Policy for AWS's own data practices.
5.3 Data Processing Agreements
For customers in GDPR jurisdictions, Veratum executes Data Processing Agreements (DPAs) with AWS and other subprocessors. You can request a complete list of subprocessors at any time.
6. International Data Transfers
Veratum operates globally. When you use our service, your data may be transferred to, stored in, and processed in countries other than your country of residence. These countries may have data protection laws different from your home country.
For EU and UK Customers: Veratum relies on the European Commission's Standard Contractual Clauses (SCCs), together with the UK Addendum for transfers from the UK, to transfer personal data lawfully. We also conduct Transfer Impact Assessments (TIAs) for transfers outside the EEA and UK and implement supplementary safeguards such as encryption.
7. GDPR Rights for EU and UK Users
If you are subject to GDPR or UK GDPR, you have the following rights:
7.1 Right of Access
You may request a copy of all personal data we hold about you in a portable format.
7.2 Right to Rectification
You may request correction of inaccurate or incomplete personal data.
7.3 Right to Erasure ("Right to be Forgotten")
You may request deletion of personal data, except where retention is legally required for compliance purposes.
7.4 Right to Restrict Processing
You may request that we limit how we process your personal data.
7.5 Right to Data Portability
You may request your personal data in a structured, commonly-used, machine-readable format.
7.6 Right to Object
You may object to processing for direct marketing or profiling purposes.
7.7 Right to Lodge a Complaint
You may lodge a complaint with your local Data Protection Authority if you believe your rights are violated.
To exercise any of these rights, contact us at legal@veratum.ai with "GDPR Request" in the subject line. We will respond within 30 days.
8. California Consumer Privacy Act (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request what personal information we collect and how we use it
- Right to Delete: Request deletion of personal information we have collected
- Right to Opt-Out: Opt out of "sale" or "sharing" of personal information (Veratum does not sell data)
- Right to Non-Discrimination: Receive equal service for exercising your privacy rights
To submit a CCPA request, email legal@veratum.ai with "CCPA Request" in the subject line.
9. Security and Encryption
9.1 Encryption Standards
- Data in transit: TLS 1.2+
- Data at rest: AES-256
- Cryptographic commitments: SHA-256 or stronger
9.2 Access Controls
Access to systems and data is restricted to authorized personnel with business need, subject to:
- Multi-factor authentication requirements
- Role-based access control (RBAC)
- Audit logging of all access
9.3 Incident Response
In the event of a security breach, Veratum will:
- Investigate the incident promptly
- Notify the competent supervisory authority within 72 hours of becoming aware of a breach of personal data where GDPR requires it, notify affected customers and data subjects without undue delay, and otherwise notify as required by applicable law
- Provide details of the breach, affected data categories, and remediation steps
10. Cookies and Tracking
Our website uses minimal cookies:
- Essential cookies: Required for site functionality (authentication, CSRF protection)
- Analytics cookies: Anonymous usage analytics (no PII tracking)
We do not use third-party tracking pixels or behavioral advertising cookies. You can control cookies through your browser settings.
11. Children's Privacy
Veratum's services are intended for business and compliance professionals. We do not knowingly collect information from individuals under 13 years of age. If we become aware of such collection, we will delete it immediately.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The "Last Updated" date at the top of this page indicates when we last revised the policy.
If we make material changes, we will notify you by email or by prominent notice on our website. Your continued use of our services constitutes acceptance of the updated policy.
13. Contact Us
Questions or requests about this Privacy Policy? Contact us at:
Veratum Inc.
Email: legal@veratum.ai
Subject: Privacy Policy Inquiry
We aim to respond to all privacy inquiries within 10 business days.
14. Data Protection Officer (DPO)
Veratum designates our Data Protection Officer to oversee privacy compliance. For matters related to data protection laws (GDPR, CCPA, etc.), you may contact:
Email: legal@veratum.ai (Reference: "DPO Inquiry")
15. California Shine the Light Law
California residents may request information about the categories of personal information we share with third parties for their direct marketing purposes. To make such a request, contact legal@veratum.ai with "California Shine the Light" in the subject line.
16. Regulatory Compliance
Veratum is committed to compliance with:
- EU AI Act: Providing audit trail infrastructure for AI system transparency and accountability
- GDPR and UK GDPR: Data protection rights and lawful processing standards
- HIPAA: For healthcare customers, audit trail retention and access controls, with Business Associate Agreements (BAAs) executed for covered entities and their business associates
- SOC 2 Type II: Controls for security, availability, processing integrity, confidentiality, and privacy, assessed against the AICPA Trust Services Criteria