Veridox - Terms of Use, Privacy Policy, Data Processing Addendum & Acceptable Use Policy

Last updated: 15 July 2025

Terms of Use

Last updated: 15 July 2025

1. Introduction

These Terms of Use ("Terms") govern your access to and use of the Veridox platform, API, and related services provided by Asset Protect Ltd, trading as Veridox, a company registered in England and Wales with company number 15214106 and registered office at 56 Manchester Road, Altrincham, WA14 4PJ ("we", "us", "our", or "Veridox").

By accessing or using any part of the Veridox platform, including via our website, dashboard, API, or third-party integration, you agree to be legally bound by these Terms. If you do not accept these Terms, you must not use Veridox.

These Terms apply to:

  • All clients using the Veridox platform on a self-service or contracted basis;
  • Developers integrating with the Veridox API;
  • Resellers or partners accessing Veridox under a commercial arrangement;
  • Any authorised user acting on behalf of a customer or organisation.

If you are entering into this agreement on behalf of a company or other legal entity, you represent that you have authority to bind that entity to these Terms.

2. Definitions

For the purposes of these Terms:

"Veridox" or "Platform" means the digital fraud detection service, including the Veridox API, dashboard, website, tools, underlying software, documentation, models, and any related services we provide.

"Client", "You", or "User" refers to the individual or legal entity accessing or using the Veridox Platform.

"Upload" means a single document, image, file, or record submitted to Veridox for analysis. Each file constitutes one upload, regardless of the number of pages.

"Output" means any result, report, analysis, or metadata returned by Veridox in response to an Upload.

"Client Data" means all documents, images, files, metadata, and other content provided by the Client to Veridox, including data derived from or associated with Uploads.

"API Key" means a unique identifier issued by Veridox to enable programmatic access to the Veridox API. API Keys are confidential credentials.

"Documentation" means any technical or user-facing guidance published by Veridox to explain how the Platform and API operate.

"Fair Usage" refers to the reasonable and commercially intended use of the Platform in line with Veridox's pricing model and technical constraints, as defined further in these Terms.

"Confidential Information" means any proprietary, technical, or commercial information disclosed by Veridox to the Client, either directly or indirectly, and not publicly available.

3. Access to the Platform

3.1 Account Registration

To access Veridox, you may be required to register an account and provide accurate, complete information. You are responsible for safeguarding your login credentials and any actions taken under your account. You must promptly notify us of any unauthorised use or suspected security breach.

3.2 API Access

To use the Veridox API, you must apply for an API Key via our designated registration process. API Keys are confidential and may only be used by the authorised account holder. You are responsible for any use of your API Key, whether by you or others. Veridox may revoke or suspend your API Key at any time for misuse or breach of these Terms. Veridox may apply rate limits or suspend access in accordance with API usage caps defined in the Documentation. Persistent overuse beyond your subscribed tier may result in additional charges or throttling.

3.3 Eligibility

You may only use Veridox if you are at least 18 years old and legally permitted to enter into binding contracts. If you are accessing Veridox on behalf of a company, you must have appropriate authority to bind the organisation to these Terms.

3.4 Authorised Use

You may access and use the Veridox Platform solely for lawful purposes and in accordance with these Terms. You may not:

  • Use the Platform to process data in violation of applicable laws;
  • Circumvent or attempt to circumvent rate limits, billing logic, or access controls;
  • Interfere with or disrupt the integrity or performance of the Platform.

3.5 Trial Access and Evaluation

If Veridox grants you free or trial access, such access is provided "as is" without support, uptime guarantees, or warranties. Veridox reserves the right to terminate trial access at any time without notice.

4. Licence and Permitted Use

4.1 Grant of Licence

Subject to these Terms and payment of applicable fees, Veridox grants you a limited, non-exclusive, non-transferable, revocable licence to access and use the Platform and API solely for your internal business purposes.

4.2 Restrictions

You shall not:

  • Modify, reverse engineer, decompile, disassemble, or create derivative works of the Platform;
  • Use the Platform to develop, train, or support any competing service;
  • Sell, resell, sublicense, or otherwise distribute the Platform or any Output without express written consent;
  • Remove, obscure, or alter any proprietary notices or marks.

4.3 Reservation of Rights

All rights not expressly granted to you under these Terms are reserved by Veridox. Nothing in these Terms conveys any ownership of the Platform, underlying models, software, or other Intellectual Property to you. This includes any improvements, extensions, integrations, or custom features developed in collaboration with or at the request of a Client. Unless expressly agreed otherwise in writing, all rights in such developments shall remain solely with Veridox.

4.4 Outputs and Use

You may use Outputs for internal decision-making, investigations, or evidentiary purposes, provided you comply with applicable law and do not alter or misrepresent the origin or content of such Outputs. Veridox makes no warranty that Outputs are legally conclusive or admissible in any particular jurisdiction.

4.5 Feedback

You may provide suggestions, comments, or feedback relating to the Platform ("Feedback"). You grant Veridox a non-exclusive, royalty-free, perpetual, irrevocable licence to use such Feedback for any purpose, including to improve the Platform, without obligation or restriction.

5. Upload Integrity & Acceptable Use

5.1 One Upload Per Document

Each Upload submitted to Veridox must represent a single, self-contained document or image intended for analysis. Submitting multiple unrelated documents or bundling files together into a single Upload to avoid charges is strictly prohibited.

5.2 File Size and Format

Uploads must comply with the technical specifications set out in our Documentation. Veridox reserves the right to reject, charge additional fees for, or process differently any files that exceed permitted size limits, contain unsupported formats, or cause system instability.

5.3 Prohibited Conduct

You agree not to:

  • Manipulate the pricing structure by combining or mislabelling files;
  • Attempt to bypass or interfere with the Platform's analysis logic, billing engine, or technical safeguards;
  • Conduct penetration testing, scraping, or unauthorised system scans;
  • Upload malicious content, including viruses or malware;
  • Use Veridox to process unlawful, defamatory, or infringing materials;
  • Permit any unauthorised third party to access or use your account or API Key.

5.4 Enforcement

Veridox reserves the right to:

  • Flag or block suspect Uploads;
  • Apply additional per-document fees for improperly bundled files;
  • Suspend or terminate access in cases of repeated abuse or violation of these Terms.

6. Pricing and Billing

6.1 Per-Upload Model

Veridox charges on a per-upload basis, with volume-based pricing tiers published at [veridox.ai/pricing] or as otherwise agreed in writing. Each qualifying Upload is counted and billed in accordance with the tiered rate applicable during the billing period.

6.2 Minimum Monthly Billing

Unless otherwise agreed, a minimum monthly charge applies based on 50 Uploads per month. If fewer than 50 Uploads are submitted, the minimum charge still applies. Use of the API is also subject to usage limits and technical constraints as published in the Veridox API Documentation (veridox.ai/docs) or communicated via your account dashboard.

6.3 Billing Process

Usage is invoiced monthly in arrears based on actual Upload volume. Invoices are payable within 30 days of issue. Payment shall be made in the currency and method specified on the invoice or platform.

6.4 Taxes

All fees are exclusive of VAT and other applicable taxes, which will be added as required by law. You are responsible for any taxes, duties, or charges imposed in connection with your use of Veridox, excluding taxes on our income.

6.5 Late Payments and Disputes

Overdue invoices may incur a late fee of 5% per month or the maximum amount permitted by law. You must notify Veridox of any billing disputes within 15 days of invoice issuance. Undisputed amounts must be paid in full. Access may be suspended for non-payment.

7. Data Handling and Security

7.1 Data Processor Role

In providing the Platform, Veridox acts as a data processor on behalf of the Client, who is the data controller in respect of any personal data contained within Uploads. Veridox processes such data only for the purpose of providing the agreed services and in accordance with applicable data protection laws, including the UK GDPR.

7.2 Client Responsibilities

You are solely responsible for ensuring that you have a lawful basis for uploading and processing any personal data via Veridox, including obtaining all necessary consents or authorisations. You must not upload sensitive personal data unless strictly necessary and compliant with applicable legal obligations.

7.3 Data Storage and Retention

Uploaded files and associated analysis results are retained by Veridox for a period of 12 months from the date of Upload. During this time, you may access, export, or download your data. After the 12-month period, data is automatically and permanently deleted on a rolling basis.

7.4 Automatic Deletion

Unless otherwise agreed in writing, Veridox does not provide archival or extended storage. It is your responsibility to retrieve any data you wish to retain before the standard retention period expires. Veridox shall not be liable for any loss resulting from data deletion carried out in accordance with this policy.

7.5 Security Measures

Veridox implements commercially reasonable technical and organisational measures to protect Client Data, including encryption, access controls, and regular vulnerability assessments. While we strive to ensure security, no system is entirely immune from risk, and Veridox disclaims liability for unauthorised access beyond its reasonable control.

7.6 Data Processing Addendum

Where your use of the Platform involves the processing of personal data, our Data Processing Addendum ("DPA") forms part of these Terms. By using Veridox, you agree to the terms of the DPA, which governs our role as a data processor and your obligations as a data controller under applicable data protection laws.

8. Confidentiality and Feedback

8.1 Confidential Information

Both parties agree to maintain the confidentiality of any non-public, proprietary, or sensitive information disclosed during the use of the Platform. For Veridox, this includes system architecture, algorithms, pricing, and analysis methods. For the Client, this includes uploaded files, metadata, and analysis outputs.

8.2 Obligations

Confidential Information may not be disclosed to any third party without prior written consent, except to professional advisors or regulatory authorities on a need-to-know basis and subject to equivalent confidentiality obligations.

8.3 Exclusions

These confidentiality obligations do not apply to information that:

  • Is or becomes publicly known through no fault of the receiving party;
  • Was lawfully known before disclosure;
  • Is independently developed without reference to the disclosing party's information;
  • Is lawfully disclosed by a third party without restriction.

8.4 Duration

Confidentiality obligations survive termination of these Terms and remain in force for a period of six (6) years from the date of disclosure.

8.5 Feedback

Any feedback, suggestions, or recommendations you provide to Veridox regarding the Platform may be used by us for product development, marketing, or commercial purposes. You agree that such feedback is provided on a non-confidential basis and may be freely used without obligation or attribution.

9. Service Availability and Support

9.1 Availability

Veridox aims to provide reliable access to the Platform but does not guarantee uninterrupted or error-free service. The Platform is provided on an "as available" basis and may be subject to delays, outages, or disruptions beyond our control.

9.2 Maintenance

We may perform scheduled maintenance or emergency updates to ensure system performance and security. Where feasible, we will provide advance notice of planned maintenance that may impact availability. Veridox is not liable for any downtime or data unavailability during such periods.

9.3 Support

Standard support is available via email at help@veridox.ai during UK business hours (9:00 to 17:00 GMT, Monday to Friday, excluding public holidays). Veridox does not offer guaranteed response times unless specified in a separate support agreement. Requests are triaged and prioritised at our discretion.

10. Warranties and Disclaimers

10.1 As-Is Provision

The Platform is provided "as is" and "as available", without warranty of any kind. Veridox expressly disclaims all implied warranties, including but not limited to merchantability, fitness for a particular purpose, and non-infringement.

10.2 Accuracy and Outputs

While Veridox strives to produce accurate and reliable analysis, we do not guarantee that any Output will be correct, complete, or fit for any particular use. All results should be independently reviewed by qualified professionals before being relied upon in any legal, regulatory, or investigative context. All Outputs are generated using probabilistic AI models and may include false positives, false negatives, or partial findings. You are solely responsible for reviewing and verifying all Outputs before relying on them for any investigative, legal, or commercial purpose.

10.3 No Legal Advice

Use of the Platform does not constitute legal advice. Veridox is not a law firm and does not offer legal services. Any reports, analyses, or outputs generated through the Platform are for informational purposes only and should not be construed as a substitute for legal or forensic expert opinion.

10.4 Jurisdictional Limitations

Veridox makes no representations that its services comply with the evidentiary rules or admissibility requirements of any particular jurisdiction. It is your responsibility to determine the suitability of Veridox Outputs for use in legal or regulatory proceedings.

10.5 Automated Analysis Disclaimer

You acknowledge that the Platform uses automated, AI-based methods to analyse uploaded content. Outputs are not reviewed by humans and are not definitive evidence of fraud or authenticity. Use of the Platform does not constitute a substitute for professional investigation, legal advice, or forensic assessment.

11. Limitation of Liability

11.1 Liability Cap

To the fullest extent permitted by law, Veridox's total aggregate liability to you for any claims arising out of or relating to these Terms or your use of the Platform, whether in contract, tort (including negligence), or otherwise, shall be limited to the greater of:

(a) £1,000; or

(b) the total amount paid by you to Veridox in the three (3) months preceding the event giving rise to the claim.

11.2 Exclusion of Certain Damages

Veridox shall not be liable for any indirect, incidental, special, exemplary, or consequential damages, including but not limited to loss of profits, loss of data, business interruption, reputational harm, or procurement of substitute services, even if advised of the possibility of such damages.

11.3 Basis of Bargain

You acknowledge that the limitations of liability set out in this clause are a fundamental part of the bargain between you and Veridox and are reflected in the pricing of the services.

11.4 Force Majeure

Veridox shall not be liable for any failure or delay in performance resulting from causes beyond its reasonable control, including but not limited to natural disasters, war, acts of terrorism, cyberattacks, internet or cloud service provider failures (including third-party hosting such as AWS), power outages, government action, or labour disputes. In such events, Veridox will use reasonable efforts to resume service as soon as practicable but shall not be held in breach of these Terms for any resulting disruption.

12. Indemnification

12.1 Your Responsibility

You agree to indemnify, defend, and hold harmless Veridox, its directors, officers, employees, agents, and affiliates from and against any and all claims, liabilities, damages, losses, costs, or expenses (including reasonable legal fees) arising out of or related to:

  • Your misuse of the Platform or breach of these Terms;
  • Any violation of data protection laws or intellectual property rights resulting from your Uploads or use of the Platform;
  • Any third-party claim arising from your use of Veridox, including claims from individuals whose data was processed without proper legal basis or consent.

12.2 Process

Veridox will promptly notify you of any such claim, and you will cooperate fully in the defence. Veridox reserves the right to assume exclusive control of any matter otherwise subject to indemnification by you, in which case you agree to assist in asserting any available defences.

13. Suspension and Termination

13.1 Suspension

Veridox may suspend your access to the Platform, API, or account without notice if:

(a) you breach these Terms or applicable law;

(b) your account becomes overdue by more than 30 days;

(c) your use of the Platform causes a material threat to system integrity, performance, or security; or

(d) suspension is necessary to comply with a legal obligation or court order.

13.2 Termination by Either Party

Either party may terminate these Terms with 30 days' written notice. Veridox may also terminate access immediately upon breach or if required by law.

13.3 Effects of Termination

Upon termination:

  • Your right to access and use the Platform ceases immediately;
  • Outstanding fees become immediately due and payable;
  • Veridox will retain your uploaded data and analysis for up to 30 days, after which all data will be permanently deleted unless otherwise agreed in writing.

13.4 Survival

Sections relating to Confidentiality, Intellectual Property, Limitation of Liability, Indemnification, and Governing Law shall survive termination.

14. Publicity and Logos

14.1 Client Logo Usage

Unless agreed otherwise in writing, you grant Veridox a non-exclusive, royalty-free licence to use your company name and logo in marketing materials and on our website to identify you as a client.

Veridox will honour reasonable requests to approve specific placements before publication.

14.2 Opt-Out

You may withdraw this permission at any time by emailing policy@veridox.ai. We will remove your branding from all new public-facing content within 30 days.

14.3 No Endorsement

Veridox will not present your logo in a way that implies partnership, endorsement, or commercial affiliation beyond the fact that you are a user of the Platform.

15. Amendments to the Terms

15.1 Right to Modify

Veridox may amend these Terms from time to time. We will provide notice of material changes via the Platform or by email.

15.2 Continued Use

Your continued use of the Platform after such changes have been communicated constitutes acceptance of the updated Terms. If you do not agree to the changes, you must stop using the Platform.

16. Governing Law and Jurisdiction

16.1 Applicable Law

These Terms are governed by and shall be construed in accordance with the laws of England and Wales.

16.2 Jurisdiction

You agree to submit to the exclusive jurisdiction of the English courts for any dispute arising under or in connection with these Terms.

16.3 Optional Arbitration

Notwithstanding the above, Veridox may elect to resolve any dispute by binding arbitration under the rules of the London Court of International Arbitration (LCIA). The arbitration shall take place in Manchester, in English, with a single arbitrator. Each party shall bear its own costs unless otherwise determined by the arbitrator.

17. Contact and Notices

17.1 Legal Notices

All legal notices must be sent to: policy@veridox.ai

17.2 Operational Support

General queries, technical issues, and support requests should be directed to: help@veridox.ai

Veridox will send notices to the email address associated with your account. You are responsible for keeping your contact details up to date.

Privacy Policy

Last updated: 15 July 2025

1. Introduction

Asset Protect Ltd (trading as "Veridox", "we", "us" or "our") is committed to protecting your privacy and handling your personal data transparently and securely. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our services, including our website, platform dashboard, and API.

Veridox is a UK-based company registered under number 15214106, with its registered office at 56 Manchester Road, Altrincham, WA14 4PJ.

This policy applies to all individuals whose personal data may be processed via our platform, including clients, end-users, developers, and individuals whose information is included in uploaded documents or content.

We act as a data processor when processing personal data on behalf of our clients. In some circumstances (e.g. platform administration or marketing), we may act as a data controller.

We process personal data only where we have a lawful basis to do so under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws. The legal bases for processing include:

  • The performance of a contract with you or your organisation;
  • Our legitimate interests (e.g. to provide and improve our services);
  • Compliance with a legal obligation; or
  • Your explicit consent (where required).

2. What Personal Data We Collect

We collect and process different types of personal data depending on how you interact with our platform:

2.1 Information You Provide Directly

This includes:

  • Contact details (e.g. name, email address, job title) when registering or communicating with us;
  • Billing and payment information;
  • Any correspondence or support interactions;
  • Preferences and consents you actively submit.

2.2 Information in Uploaded Documents

As part of our forensic analysis services, users upload documents, images, or files that may contain personal data such as:

  • Names, addresses, dates of birth, identification numbers;
  • Health, legal, or financial information;
  • Signatures and identity documents.

Our clients are responsible for ensuring that such data is lawfully collected and uploaded.

2.3 API Usage Data

If you use our API, we collect metadata such as:

  • API key and user ID;
  • Timestamps and endpoints accessed;
  • File metadata and error logs;
  • Usage volume and rate limits.

2.4 Technical and Device Information

When you access our platform or website, we may collect:

  • IP address and geolocation;
  • Browser type and version;
  • Device identifiers;
  • Operating system and referral source.

This helps us ensure security, monitor performance, and improve usability.

2.5 Marketing and Communication Preferences

If you opt into updates, webinars, or marketing emails, we store your preferences and engagement data (e.g. opens, clicks, unsubscribes). You may update these preferences at any time.

3. How We Use Personal Data

We use personal data only for the purposes for which it was collected, and only where we have a lawful basis to do so. Specifically, we may use personal data to:

3.1 Provide and Maintain the Platform

We use personal data to authenticate users, process uploads, generate outputs, manage accounts, and deliver core platform functionality via both the web dashboard and API.

3.2 Risk Scoring and Automated Analysis

Where documents or images are submitted for forensic review, we use machine learning and rules-based models to analyse inputs and generate structured outputs. These may include anomaly detection, manipulation scoring, or context evaluation. Processing is automated, and the results should be reviewed by qualified professionals.

3.3 Communications and Support

We may use contact details to send service updates, respond to enquiries, and provide technical support. Where applicable, we may also provide onboarding assistance or usage advice tailored to your role or organisation.

3.4 Product Improvement and Testing

We analyse aggregated or pseudonymised data to improve our models, enhance accuracy, monitor performance, and develop new features. We do not use identifiable client-uploaded content for training models unless specifically agreed.

3.5 Legal and Compliance Purposes

We may process personal data to comply with applicable laws, respond to legal requests, enforce our Terms of Use, detect misuse or fraud, and protect the rights, property, or safety of Veridox, our users, or third parties.

4. Lawful Bases for Processing

We rely on the following lawful bases to process personal data under the UK GDPR and related laws:

4.1 Contract Performance

We process personal data to fulfil our contractual obligations to our clients and users, such as delivering services, providing support, or issuing invoices.

4.2 Legitimate Interests

Where appropriate, we process personal data to pursue our legitimate business interests, for example to ensure platform integrity, prevent fraud, respond to client needs, or improve product performance, in ways that do not override the fundamental rights and freedoms of data subjects.

4.3 Legal Obligation

We may process or retain certain data as required by law, such as tax regulations, accounting requirements, or data protection obligations.

4.4 Consent (Where Applicable)

In limited circumstances, such as for marketing communications or optional cookies, we rely on your explicit consent. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. Data Sharing and Sub-Processors

5.1 Categories of Recipients

We may share personal data with carefully selected third parties where necessary to deliver our services, comply with legal obligations, or support platform operations. This includes:

  • Cloud hosting and infrastructure providers
  • Analytics and error monitoring services
  • Sub-processors performing document or image processing functions
  • Legal, regulatory, or tax authorities (where required)

5.2 Use of Trusted Infrastructure Providers

Veridox uses leading UK and EU-based infrastructure providers to host and process data. All such providers are contractually bound to maintain strict confidentiality, implement appropriate security controls, and act only on our instructions.

5.3 List of Sub-Processors and Roles

We maintain a publicly accessible list of our active sub-processors, including their roles and geographic location, available at: [https://veridox.ai/legal/subprocessors]. This list is reviewed regularly and updated as necessary. Clients will be notified in advance of any material changes.

5.4 Data Sharing with Clients or Authorities

Where you upload a document or case file that includes third-party personal data, the resulting outputs may be shared with your organisation's authorised users. We do not share client data with external parties unless required by law, a court order, or regulatory request. Where legally permissible, we will notify you before disclosing any data to authorities.

6. International Transfers

6.1 Transfers Outside the UK/EEA

Where personal data is transferred outside the UK or European Economic Area (EEA), we ensure that such transfers are lawful and protected by appropriate safeguards. This may occur, for example, where a sub-processor operates from a non-EEA country.

6.2 Safeguards and Standard Contractual Clauses

For international transfers, we rely on one or more of the following mechanisms:

  • Adequacy decisions by the UK government or European Commission
  • Standard Contractual Clauses (SCCs) approved by the UK ICO and/or European Commission
  • Binding corporate rules or equivalent frameworks where applicable

We continually assess the legal and technical risks of such transfers and implement additional safeguards as necessary.

7. Data Retention

7.1 Default Retention Period

Unless agreed otherwise in writing, we retain client-uploaded documents and outputs for a default period of 12 months from the date of upload. This retention period allows for investigation continuity, audit trails, and re-analysis where needed.

7.2 Deletion Timelines and Exceptions

At the end of the retention period, documents and outputs are automatically and irreversibly deleted from our systems, unless subject to a legal obligation or ongoing dispute requiring longer retention. Metadata or logs may be retained for service continuity or compliance purposes in a pseudonymised format.

7.3 Client-Controlled Deletion

Clients may delete uploaded data earlier via the Platform or upon written request. Requests for deletion will be actioned promptly, and typically fulfilled within 5 business days unless a longer timeframe is required due to system architecture or legal constraints.

8. Your Rights as a Data Subject

Under the UK GDPR and related legislation, you have certain rights regarding the personal data we process about you. These rights may apply whether we act as a controller or processor, and we will assist our clients in responding to data subject requests where appropriate.

8.1 Access, Rectification, Erasure

You have the right to request:

  • Access to your personal data (commonly known as a "data subject access request")
  • Correction of inaccurate or incomplete data
  • Deletion of your data in certain circumstances (the "right to be forgotten")

8.2 Objection and Restriction

You may object to the processing of your personal data where we rely on legitimate interests. You may also request the restriction of processing in limited situations, such as where the accuracy of data is contested or processing is unlawful.

8.3 Data Portability

Where processing is based on consent or contract and carried out by automated means, you have the right to request your data in a structured, commonly used, machine-readable format and to transmit it to another controller.

8.4 Right to Lodge a Complaint

If you are dissatisfied with how we handle your personal data, you may contact us directly. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk or with your local data protection authority.

9. Security Measures

We implement appropriate technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration, or destruction.

9.1 Encryption, Access Controls, Monitoring

All uploaded content is encrypted in transit and at rest using industry-standard protocols. Access to systems is restricted to authorised personnel only, using role-based access controls and multi-factor authentication. System activity is logged and monitored continuously.

9.2 Internal Policies and Audits

We maintain internal policies governing information security, acceptable use, and incident response. Employees and contractors are subject to confidentiality obligations and undergo regular training. Security policies are reviewed periodically and audited as needed.

9.3 Incident Response Procedures

In the event of a personal data breach, we will follow a structured incident response process, including prompt investigation, containment, remediation, and — where required — notification to affected individuals and regulatory authorities within the required timeframes.

10. Cookies and Analytics

10.1 Use of Cookies and Local Storage

Our website and platform may use cookies or local storage technologies to support user authentication, session management, and feature enablement. These are essential to the operation of the service and cannot typically be disabled.

10.2 Analytics Tools and Opt-Outs

We may use analytics tools (e.g. Plausible, Matomo, or similar privacy-friendly platforms) to understand usage patterns, identify errors, and improve performance. These tools collect anonymised or pseudonymised information and do not track users across other websites.

You can manage non-essential cookies via your browser settings or through the cookie banner provided on our website, where applicable.

11. Marketing Communications

11.1 Consent-Based Outreach

We may send you marketing communications related to our services, events, or industry updates where you have explicitly consented, or where we have an existing client relationship that allows for limited outreach under applicable soft opt-in rules.

11.2 Opt-Out Mechanisms

You can opt out of receiving marketing emails at any time by clicking the unsubscribe link in any message or by contacting us at privacy@veridox.ai. Withdrawing consent does not affect the lawfulness of any communications sent before the withdrawal. Service-related messages will continue as needed for contractual or operational purposes.

12. Children's Privacy

12.1 Statement on Intended Audience

Veridox is a business-to-business platform intended solely for professional use by organisations and authorised individuals over the age of 18. It is not designed for or directed at children.

12.2 No Knowingly Collected Children's Data

We do not knowingly collect or process personal data relating to children. If we become aware that data relating to a child has been submitted in violation of this policy, we will take steps to delete it promptly.

13. Changes to This Policy

13.1 How We Notify Users

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. Material updates will be communicated via the platform, email, or other reasonable means.

13.2 Effective Date of Updates

The most recent version of this policy will be available at veridox.ai/legal/privacy. Continued use of our services after any update will constitute your acceptance of the revised policy.

14. Contact Details

14.1 How to Reach Our Data Protection Officer (DPO)

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of personal data, you may contact our Data Protection Officer at:

policy@veridox.ai

14.2 Contact for Complaints or Requests

For data subject rights requests, complaints, or security concerns, please contact us at:

policy@veridox.ai

or write to:

Veridox (Asset Protect Ltd), 56 Manchester Road, Altrincham, WA14 4PJ, United Kingdom.

Data Processing Addendum

Data Processing Addendum to the Veridox Terms of Use

Last updated: 15 July 2025

1. Definitions

In this Data Processing Addendum ("DPA"), the following terms shall have the meanings set out below:

"Agreement" means the Terms of Use or any other written or electronic agreement between the Client and Veridox governing the provision of the Platform and related services.

"Client" means the legal entity that has entered into the Agreement and is identified as the data controller under this DPA.

"Data Protection Laws" means all applicable data protection and privacy laws, including the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation ("EU GDPR").

"Personal Data" means any information relating to an identified or identifiable natural person as defined in the Data Protection Laws.

"Processing", "Processor", "Controller", "Data Subject", and "Supervisory Authority" shall have the meanings given in the applicable Data Protection Laws.

"Sub-Processor" means any third party engaged by Veridox to process Personal Data on behalf of the Client.

"Veridox" means Asset Protect Ltd, trading as Veridox, a company registered in England and Wales with company number 15214106.

"Platform" means the Veridox fraud detection and analysis tools and services provided to the Client under the Agreement.

2. Purpose and Scope

2.1

This DPA sets out the terms and conditions under which Veridox, acting as a Processor, shall process Personal Data on behalf of the Client, who acts as the Controller, in connection with the Agreement.

2.2

The DPA forms part of and is subject to the Agreement. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail in relation to data protection obligations.

2.3

This DPA applies solely to the Processing of Personal Data submitted to the Platform by the Client or its authorised users in the course of using the services provided by Veridox.

2.4

Veridox shall process Personal Data only for the purpose of providing the Platform and related services in accordance with the documented instructions of the Client, unless otherwise required by applicable law.

3. Roles of the Parties

3.1

The Client acts as the Data Controller and determines the purposes and means of the Processing of Personal Data. The Client is responsible for ensuring that its use of the Platform complies with all applicable Data Protection Laws, including the lawful basis for any Processing and the rights of Data Subjects.

3.2

Veridox acts as the Data Processor and shall process Personal Data solely on behalf of and in accordance with the documented instructions of the Client, as set out in this DPA and the Agreement.

3.3

Nothing in this DPA shall be construed to make Veridox a joint controller or to determine the purposes and means of Processing Personal Data.

4. Details of Processing

4.1 Subject Matter

The subject matter of the Processing is the provision of document and image analysis services through the Veridox Platform, including the detection of anomalies, manipulations, and contextual risk indicators within uploaded materials.

4.2 Duration

Processing shall continue for the duration of the Agreement, or until the deletion of all Client Data in accordance with this DPA.

4.3 Nature and Purpose of Processing

The nature of the Processing includes the receipt, storage, inspection, and algorithmic analysis of documents, images, and associated metadata to generate automated Outputs. The purpose is to provide structured risk intelligence and investigative support to the Client.

4.4 Types of Personal Data

Personal Data processed may include names, dates of birth, addresses, signatures, identification numbers, contact details, and any other personal data contained within the documents and images submitted to the Platform.

4.5 Categories of Data Subjects

Data Subjects may include claimants, policyholders, legal representatives, witnesses, medical professionals, and any other individuals whose personal data is included within Client-uploaded materials.

4.6 Special Categories of Data

Veridox does not require special category data for the provision of its services. If the Client submits special category data (e.g. health information), it must do so lawfully and in accordance with Article 9 of the GDPR. Veridox will process such data only as strictly necessary and with appropriate safeguards.

5. Client Obligations

5.1

The Client shall ensure that all Personal Data submitted to Veridox has been collected and processed in accordance with applicable Data Protection Laws, including by providing adequate notice to Data Subjects and establishing a lawful basis for Processing.

5.2

The Client shall not use the Platform to process Personal Data where such processing would violate applicable laws or infringe upon the rights of any Data Subject.

5.3

The Client is responsible for the accuracy, quality, and legality of the Personal Data it provides and the means by which it is acquired and transmitted to Veridox.

5.4

The Client shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the transmission of Personal Data to Veridox.

5.5

The Client shall not instruct Veridox to process Personal Data in a manner that would cause Veridox to breach applicable Data Protection Laws.

6. Veridox Obligations as Processor

6.1

Veridox shall process Personal Data only on documented instructions from the Client, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, Veridox shall inform the Client of that legal requirement before processing, unless the law prohibits such disclosure.

6.2

Veridox shall ensure that persons authorised to process the Personal Data are subject to appropriate confidentiality obligations, whether by contract or under law.

6.3

Veridox shall not sell, rent, or otherwise disclose Personal Data to any third party except as necessary to perform its obligations under the Agreement or as required by law.

6.4

Veridox shall assist the Client, taking into account the nature of the processing, in responding to requests to exercise Data Subject rights under the Data Protection Laws, including access, rectification, erasure, restriction, portability, and objection, insofar as this is possible without disproportionate effort.

6.5

Veridox shall assist the Client in ensuring compliance with its obligations under Articles 32 to 36 of the UK GDPR, including with respect to security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities, where required.

6.6

Veridox shall maintain a record of its processing activities in accordance with Article 30(2) of the UK GDPR.

6.7

Upon termination or expiry of the Agreement, Veridox shall delete or return all Personal Data in accordance with Clause 13 of this DPA, unless retention is required by applicable law.

7. Security Measures

7.1

Veridox shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures shall include, at a minimum:

  • Encryption of data in transit and at rest;
  • Access controls based on least privilege;
  • Regular security assessments and vulnerability scanning;
  • Logging and monitoring of system access and anomalies;
  • Secure software development and deployment practices.

7.2

Veridox shall regularly review and update its security measures to ensure they remain appropriate in light of relevant technical developments, risks, and the nature of the data processed.

7.3

Veridox shall ensure that all employees, contractors, and Sub-Processors with access to Personal Data are trained in data protection principles and subject to ongoing compliance oversight.

8. Use of Sub-Processors

8.1

The Client authorises Veridox to engage Sub-Processors to support the provision of the Platform, provided that Veridox enters into a written agreement with each Sub-Processor imposing data protection obligations equivalent to those set out in this DPA.

8.2

A current list of Sub-Processors, including their locations and roles, is maintained at [veridox.ai/subprocessors] or may be made available upon request.

8.3

Veridox shall notify the Client in advance of any intended addition or replacement of Sub-Processors, thereby giving the Client the opportunity to object on reasonable data protection grounds.

8.4

If the Client objects to a new Sub-Processor and cannot reasonably accommodate the use of such Sub-Processor, either party may terminate the affected services upon 30 days' written notice.

8.5

Veridox shall remain fully liable for the performance of its Sub-Processors in relation to their processing of Personal Data.

9. Data Subject Rights

9.1

To the extent that the Client is unable to independently address a Data Subject request relating to Personal Data processed through the Platform, Veridox shall provide reasonable assistance, upon written request, in enabling the Client to comply with its obligations under the Data Protection Laws.

9.2

This includes assisting with the fulfilment of Data Subjects' rights of access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right not to be subject to automated decision-making, where applicable and technically feasible.

9.3

Veridox shall promptly notify the Client if it receives any request, complaint, or other communication from a Data Subject in relation to Personal Data processed under this DPA, and shall not respond directly except on documented instruction from the Client or where required by law.

10. Data Breach Notification

10.1

In the event of a Personal Data Breach affecting Personal Data processed under this DPA, Veridox shall without undue delay — and in any event within 48 hours of becoming aware of the breach — notify the Client of the breach.

10.2

The notification shall include, to the extent known:

  • A description of the nature of the breach, including the categories and approximate number of affected Data Subjects and records;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach and mitigate its effects.

10.3

Veridox shall cooperate fully with the Client and take all reasonable steps to assist in the investigation, mitigation, and resolution of the breach, including providing access to relevant records and personnel.

10.4

Veridox shall not notify any third parties, regulators, or affected Data Subjects of the breach unless instructed to do so by the Client, except where required by applicable law.

11. Data Transfers and International Safeguards

11.1

Veridox shall not transfer Personal Data outside the UK or European Economic Area (EEA) unless it has implemented appropriate safeguards in accordance with the requirements of the Data Protection Laws.

11.2

Where Veridox transfers Personal Data to a country not deemed to provide an adequate level of protection by the UK or EU authorities, it shall do so only by implementing one of the following safeguards:

  • Standard Contractual Clauses adopted by the European Commission or UK ICO;
  • An approved certification mechanism or binding corporate rules;
  • Any other lawful mechanism approved under the applicable Data Protection Laws.

11.3

Veridox shall ensure that any Sub-Processor located outside the UK or EEA provides appropriate safeguards equivalent to those required under this Clause.

11.4

The Client acknowledges and agrees that some Sub-Processors (e.g. hosting or AI model providers) may be located outside the UK/EEA. A list of such entities and transfer mechanisms is available upon request.

12. Audit and Inspection Rights

12.1

Veridox shall make available to the Client, upon written request, all information reasonably necessary to demonstrate compliance with its obligations under this DPA and applicable Data Protection Laws.

12.2

Subject to reasonable notice and confidentiality restrictions, the Client shall have the right to carry out an audit, directly or through an independent auditor appointed by the Client, to verify Veridox's compliance with its obligations under this DPA. Such audits shall be:

  • Conducted no more than once per year (unless required by a Supervisory Authority or due to a confirmed security incident);
  • Conducted during normal business hours;
  • Limited in scope to systems and processes relevant to the services provided to the Client.

12.3

Veridox may charge a reasonable fee for facilitating an audit if it requires significant disruption to normal operations or goes beyond standard audit documentation. The Client shall bear all costs associated with its own audit.

12.4

Where Veridox believes an audit request infringes the rights of other clients or the security of its systems, or is disproportionate, it may object and propose alternative means to satisfy the Client's request for assurance.

13. Return or Deletion of Data

13.1

Upon termination or expiry of the Agreement, Veridox shall, at the choice of the Client, either:

  • Delete all Personal Data processed on behalf of the Client; or
  • Return such Personal Data to the Client in a commonly used, machine-readable format.

13.2

Veridox shall comply with such instruction within 30 days of termination, unless otherwise agreed in writing, or where retention is required by applicable law or necessary for legitimate defence of legal claims.

13.3

After the deletion or return of Personal Data, Veridox shall delete all remaining copies in its systems or otherwise ensure they are irreversibly anonymised.

13.4

Veridox shall confirm in writing, upon request, that such deletion or return has been completed in accordance with this Clause.

14. Liability and Indemnity

14.1

Each party shall be liable for its own acts and omissions under this DPA and under applicable Data Protection Laws.

14.2

Veridox shall be liable for any damage caused by Processing only where it has not complied with obligations specifically directed to Processors under the Data Protection Laws or where it has acted outside or contrary to the lawful instructions of the Client.

14.3

The Client shall indemnify and hold harmless Veridox against all claims, losses, damages, penalties, or costs (including reasonable legal fees) arising from:

  • The Client's failure to comply with its obligations under this DPA or applicable Data Protection Laws;
  • The Client's unlawful instructions;
  • Any third-party claim arising from the Client's use of the Platform in violation of Data Protection Laws.

14.4

Neither party shall be liable to the other for any indirect, incidental, or consequential damages, except to the extent such limitation is not permitted by applicable law.

15. Duration and Termination

15.1

This DPA shall take effect on the date the Client first uses the Platform or enters into the Agreement, whichever is earlier, and shall remain in force for the duration of the Agreement.

15.2

Termination of the Agreement shall automatically terminate this DPA, except for those provisions which by their nature are intended to survive termination, including Clauses relating to confidentiality, liability, deletion of data, and governing law.

15.3

Veridox shall continue to process Personal Data only to the extent required to comply with its legal obligations or to establish, exercise, or defend legal claims, subject to the safeguards set out in this DPA.

16. Governing Law and Jurisdiction

16.1

This DPA shall be governed by and construed in accordance with the laws of England and Wales, without regard to its conflict of law rules.

16.2

The parties agree that any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

16.3

Notwithstanding the above, either party may elect to resolve a dispute under this DPA through binding arbitration in accordance with the rules of the London Court of International Arbitration (LCIA), to be held in Manchester, conducted in English, with one arbitrator. Each party shall bear its own legal costs unless otherwise directed by the arbitrator.

17. Contact Details

All queries, concerns, or requests related to this Data Processing Addendum may be directed to Veridox at: policy@veridox.ai

Acceptable Use Policy

Acceptable Use Policy - Public

Last updated: 15 July 2025

1. Introduction

This Acceptable Use Policy ("Policy") governs the use of the Veridox Platform, including all web-based interfaces, APIs, dashboards, and related services (collectively, the "Platform") provided by Asset Protect Ltd, trading as Veridox ("Veridox", "we", "our", or "us").

This Policy applies to all users of the Platform, including clients, developers, resellers, authorised users within client organisations, and any individual or system accessing Veridox services via API or web interface ("you" or "User").

By accessing or using the Platform, you agree to comply with this Policy in addition to the Veridox Terms of Use and any applicable commercial agreement.

Veridox reserves the right to suspend or terminate access to the Platform for any violation of this Policy, with or without notice, in accordance with the Terms of Use.

2. Permitted Use of the Platform

2.1 Intended Use Cases

The Veridox Platform is designed to assist clients with the forensic analysis of documents and images for the purpose of detecting manipulation, inconsistencies, or risk signals in insurance, legal, and investigative contexts. Permitted uses include uploading individual documents for structured analysis, generating outputs for review, and integrating results into investigative workflows through the Veridox API.

You must only use the Platform in a lawful manner and strictly within the scope of your authorisation, as described in your agreement with Veridox.

2.2 One-Upload-Per-Document Rule

Each upload submitted to the Platform, whether through the dashboard or API, must consist of a single document or logical unit of analysis. You must not bundle multiple documents, datasets, or claims into a single upload to circumvent pricing or processing limits.

Veridox may apply automated or manual measures to detect and restrict uploads that violate this rule. Repeated or systematic circumvention may result in account suspension.

3. Prohibited Conduct

You must not, directly or indirectly, engage in any conduct that compromises the integrity, security, or fair use of the Veridox Platform. Prohibited actions include, but are not limited to:

3.1 Bundling or Circumventing Pricing

Uploading multiple documents, pages, or datasets as a single file to bypass per-upload pricing or service limits is strictly prohibited. You must not manipulate file formats, compress multiple documents into archives, or otherwise attempt to reduce billable activity outside the scope of the agreed pricing structure.

3.2 Abuse of API Rate Limits or Platform Access

You may not exceed the permitted usage thresholds defined in your service tier or API documentation. This includes, but is not limited to, flooding the system with rapid automated uploads, concurrent API sessions, or unauthorised use of multiple keys. Attempts to evade rate-limiting mechanisms or throttle controls are forbidden.

3.3 Attempted Reverse Engineering or Security Testing

You may not probe, scan, or test the vulnerability of the Platform or any related systems. Reverse engineering, decompiling, or attempting to extract the underlying models, algorithms, or system logic is strictly prohibited.

3.4 Use of Automated Scraping or Bulk Ingestion Tools

Unless explicitly authorised in writing, you may not use bots, crawlers, automated scripts, or bulk ingestion frameworks to interact with the Platform, collect data, or bypass standard interfaces.

3.5 Upload of Malicious, Infringing, or Unlawful Content

You must not upload content that contains viruses, malware, or other malicious code; content that infringes the intellectual property rights or privacy of others; or content that is illegal, deceptive, or obtained through unauthorised means.

3.6 Use for Harassment, Fraud, or Unlawful Surveillance

You may not use the Platform to harass, stalk, defraud, or unlawfully monitor individuals. Veridox must not be used in connection with activities that violate applicable data protection, surveillance, or consumer protection laws.

4. Security and System Integrity

4.1 No Interference with Platform Operations

You must not interfere with or disrupt the operation of the Platform, servers, or connected networks. This includes denial-of-service attacks, intentional service degradation, or unauthorised system access.

4.2 No Exploitation of Vulnerabilities

Discovery or awareness of any security vulnerability must be reported to Veridox immediately. You may not exploit or share such vulnerabilities for personal gain or to disrupt service delivery.

4.3 Responsibility for Safeguarding API Keys and Credentials

You are solely responsible for maintaining the confidentiality of your access credentials, including API keys, dashboard logins, and authentication tokens. You must notify Veridox promptly if you suspect any unauthorised access or compromise. Misuse arising from compromised credentials will be treated as a breach of this Policy.

5. Fair Usage and Resource Limits

5.1 Respecting Service Tiers and Technical Limits

Use of the Platform must remain within the boundaries of your agreed service tier, subscription plan, and any documented API or technical constraints. This includes limits on upload frequency, file size, concurrent requests, and storage or retention thresholds. Use outside these limits may require an upgrade or custom agreement.

5.2 Throttling or Access Restrictions for Excessive Use

Veridox reserves the right to monitor usage and apply throttling, rate limits, or temporary access restrictions where usage is excessive, abnormal, or impacts the stability or availability of the Platform for other users. Persistent overuse may result in suspension or the requirement to migrate to a higher tier.

6. Consequences of Breach

6.1 Suspension or Termination

Violation of this Policy may result in immediate suspension or termination of your access to the Platform, API, or related services. This may occur with or without prior notice, depending on the severity and nature of the breach.

6.2 Legal Reporting or Enforcement

Veridox may report unlawful conduct to the appropriate legal authorities, cooperate with investigations, or pursue legal remedies to protect its systems, customers, and intellectual property. We may disclose user information as required to comply with applicable law, regulation, legal process, or governmental request.

7. Changes to This Policy

7.1 Notification Process

Veridox may update or modify this Acceptable Use Policy from time to time to reflect changes in the Platform, applicable law, or operational practices. Any changes will be posted at [veridox.ai/legal/aup] and, where material, may be communicated to active clients via email.

7.2 Continued Use = Acceptance

Your continued use of the Platform after any update to this Policy constitutes your acceptance of the modified terms. If you do not agree to any change, you must discontinue use of the Platform.