GDPR

Verbitas processes personal data on behalf of customers under a Data Processing Agreement (DPA). This page summarises what data is processed, where it is stored, and how to exercise GDPR rights.

Data we process

Data you submit

| Data | Purpose | Stored |
| --- | --- | --- |
| Asset files (when retention enabled) | Provenance record storage | Hetzner Object Storage, eu-central-1 |
| C2PA manifest assertions (e.g. creator, created_at) | Manifest content | Hetzner Object Storage + Postgres |
| API key email address | Account management | Postgres, eu-central-1 |
| Billing email + payment method token | Stripe billing | Stripe (EU data residency enabled) |

Data we generate

| Data | Description | Stored |
| --- | --- | --- |
| Manifest digests | SHA-256 hashes of manifests | Postgres + anchor batch |
| Watermark IDs | 16-byte ULIDs; no content | Postgres |
| pHash fingerprints | Perceptual hashes; no content | Postgres |
| Audit log entries | API events (no asset content) | Postgres |
| Anchor batch records | 32-byte Merkle roots only | Postgres; Merkle root on Bitcoin/Arbitrum |

What we never store

  • Prompt text for AI-generated content (only SHA-256 hash if you submit it)
  • Raw asset bytes for assets where retention.original_asset_days: 0 (the default)
  • API keys in plaintext (stored as hashed tokens)
  • PII in the audit log beyond what you explicitly include in manifest assertions

Data residency

All primary data is stored in Hetzner eu-central-1 (Nuremberg, Germany). The Postgres read replica is in Hetzner HEL1 (Helsinki, Finland). Object storage backup is in Wasabi EU region.

AWS KMS operations occur in eu-central-1. Stripe processes billing data with EU data residency.

On-chain data

The anchor batch submits exactly 32 bytes (a SHA-256 Merkle root) to Bitcoin (via OpenTimestamps) and Arbitrum One. The Merkle root is derived as:

SHA256("verbitas-anchor-v1" || manifest_digest)

The manifest digest is a hash, not a hash of personal data. The mapping from manifest digest to tenant/asset is stored only in Postgres, not on-chain.

GDPR Art. 17 (right to erasure): The Merkle root cannot be erased from a public blockchain. The on-chain data is opaque — it is 32 bytes with no PII. The mapping that would make it personally identifiable lives in Postgres and can be deleted.

Retention

| Data | Retention |
| --- | --- |
| Manifests | Per recipe manifest_days (30–2555 days) |
| Signed assets | Per recipe derived_asset_days (0 = not stored) |
| Original assets | Per recipe original_asset_days (0 = not stored, which is the default) |
| Audit log | 30 days (Free), 365 days (Growth), up to 7 years (Enterprise) |
| API keys | Until revoked or expired |
| Billing data | Per Stripe’s retention policy (minimum 7 years for financial records) |

GDPR rights

To exercise a GDPR right, email [email protected] with your tenant ID and the specific right you are invoking.

| Right | Process |
| --- | --- |
| Art. 15 — Access | We provide a machine-readable export of your tenant data within 30 days |
| Art. 16 — Rectification | Contact [email protected] to correct account data |
| Art. 17 — Erasure | Manifest digest mappings are deleted. On-chain Merkle roots remain (opaque, no PII). Asset files and manifests are deleted per retention policy. |
| Art. 20 — Portability | Audit log export is available via GET /v1/audit?format=ndjson at any time |
| Art. 21 — Objection | Contact [email protected] |
| Art. 22 — Automated decisions | Verbitas does not make automated decisions about data subjects |

Data Processing Agreement

Enterprise customers can request a DPA at [email protected]. The DPA covers:

  • Purpose and legal basis for processing
  • Sub-processor list with data flows
  • Technical and organisational security measures
  • Breach notification procedure (72 hours per Art. 33)
  • Data subject rights procedures
  • Data residency guarantees

Sub-processors

See Compliance: Sub-Processors for the complete list.

Data Protection Officer

Verbitas has appointed a Data Protection Officer. Contact: [email protected].

Breach notification

Verbitas will notify affected customers of any security breach involving personal data within 72 hours of becoming aware of it, per GDPR Art. 33.