Product Data Privacy Policy
Version 3.0 – Last updated May 7, 2025. Supersedes Version 2.4 dated Aug 1, 2022.
What Changed Since v2.4
- Added state‑privacy references (CPRA, VCDPA, Colo‑CPA) where they affect Customer Data handling.
- Consolidated the separate “Information Security Program” and “Security Assessment” sections into a single § 9 for clarity.
- Clarified data‑destruction timelines and certificate language to reflect updated NIST SP 800‑88 rev. 1.
- Added a Sub‑processor transparency table (§ 7) and an advance‑notice mechanism.
- Added plain‑language disclosures on Customer‑directed consumer‑rights workflows (see Section 6 below).
Overview
Verato, Inc. (“Verato,” “we,” “our,” “us”) provides identity resolution and data management SaaS products (the “Services”) under a Master SaaS Agreement (“MSA”) and, for HIPAA‑covered customers, a Business Associate Agreement (“BAA”). This Policy describes how Verato processes all Customer Data entrusted to the Services, including any Protected Health Information (PHI) or other Personally Identifiable Information (PII/SPII).
Relationship of the Parties
| Role | Under U.S. privacy law | Under HIPAA (if BAA executed) |
|---|---|---|
| Customer | “Business” / “Controller” | “Covered Entity” |
| Verato | “Service Provider / Contractor” | “Business Associate” |
Verato acts solely on Customer’s documented instructions (MSA, BAA, Data Processing Addendum “DPA”) except where required by law.
Scope of Customer Data Covered
Uploaded Records: Demographic, social‑determinants, or reference data you send to or receive from the Services.
Generated Data: Persistent IDs and match‑scores the Services derive from Uploaded Records.
Limited-Service Logs: Technical logs required to operate and secure the Services; these may contain IP addresses and user IDs.
Excluded: Verato marketing‑site data (see the separate Verato Website Privacy Policy here).
Permitted Uses
Verato will process Customer Data only to:
- Deliver, maintain, and improve the contracted Services.
- Provide customer‑support, security monitoring, and troubleshooting.
- Comply with law or a valid court/agency order (with prompt notice to Customer where legally permitted).
Verato will not:
- Sell or share Customer Data for cross‑context behavioral advertising.
- Unless instructed otherwise by a given customer, combine Customer Data with Personal Information from other customers.
- Re‑identify any pseudonymized data except as necessary to perform the Services.
- Store or process Customer Data outside the United States unless expressly authorized in writing (§ 7.2).
Customer Responsibilities
- Legal Basis & Notices: Obtain any required consents or other legal authority before providing data to Verato.
- Data Accuracy: Maintain the accuracy of uploaded records; request corrections or deletions as required.
- User Access Controls: Provision, review, and revoke user credentials in accordance with the principle of least privilege.
- Consumer / Patient Requests: Route any CCPA/CPRA, VCDPA, or HIPAA access‑or‑deletion requests to Verato. Verato will assist within fifteen (15) business days (see Section 6 below).
Individual Rights Assistance
Where Customer is subject to consumer‑privacy laws (e.g., CPRA, VCDPA), Verato will:
| Request Type | Processor/BAA Support Commitment |
|---|---|
| Access / Data Export | Provide relevant Customer Data in machine‑readable format. |
| Deletion | Delete or de‑identify records or provide tools for Customer to do so. |
| Correction | Accept corrected source records and propagate updated match‑results. |
| Opt‑out of “Sale / Share” / Targeted Ads | Not applicable – Verato does not sell/share Customer Data. |
| HIPAA Accounting of Disclosures | Provide log extracts of non‑routine disclosures within 30 days. |
Data Location, Transfers & Sub-processors
Primary Hosting: Customer Data is hosted in the cloud environments of nationally recognized entities in the northeastern and southwestern United States; redundant encrypted backups remain within the same region.
Cross‑Border Processing: Verato will not move Customer Data outside the U.S. without Customer’s prior written approval. If approved, Verato will rely on a valid transfer mechanism.
Data Retention & Deletion
Termination: Within forty‑five (45) calendar days after the effective termination date Verato will securely destroy or return all Customer Data and certify destruction in writing, in accordance with NIST SP 800‑88 rev. 1.
Information Security Program
Verato maintains an information‑security program aligned to HITRUST, SOC 2 Type II and NIST 800‑53 High controls, including:
| Control Domain | Key Measures (non‑exhaustive) |
|---|---|
| Governance | Annual risk assessment; board oversight; ISO 27701 mapping. |
| Access Control | SAML SSO; MFA; RBAC; access reviews. |
| Encryption | AES‑256 at rest; TLS 1.3 in transit; FIPS‑validated modules. |
| Network Security | Segmented VPCs; firewalls; zero‑trust micro‑segmentation. |
| Monitoring | 24×7 SIEM with managed detection & response; immutable audit logs. |
| Secure SDLC | Static/dynamic code scanning; threat‑model reviews; CI/CD attestations. |
Security & Privacy Assessments: Either party may request one third‑party “Security Assessment” per 12‑month period at its own expense, plus an immediate assessment following a confirmed Security Incident.
Incident & Breach Notification
Unless otherwise contractually obligated, Verato will notify Customer without undue delay and in any event within:
- Five business days of confirming a breach of PHI or PII that triggers notification obligations.
- 72 hours of detecting any Security Incident that materially impacts the Services’ confidentiality, integrity, or availability.
Compliance Audits
Upon thirty (30) days’ notice, Customer may audit Verato’s compliance via:
- Review of Verato’s latest certification letters summarizing Verato’s SOC 2 Type II or HITRUST reports;
- A written risk‑assessment questionnaire; or
- An on‑site visit (maximum once per contract year) subject to reasonable confidentiality and safety procedures, rules, and conditions.
Non‑Compliance & Suspension
If a Security Assessment reveals high‑severity findings, the responsible party must remediate them within thirty (30) days; failure may result in temporary suspension of the Services or pro‑rata fee credits, as applicable.
Changes to this Policy
We may update this Policy from time to time. Material changes will:
- Be emailed to the Customer’s privacy contact; and
- Become effective 30 days after notice, unless required sooner by law.
Contact Information
Verato Inc.
1751 Pinnacle Drive, Suite 1700
McLean, VA 22102, USA
Email: [email protected]
Phone: (703) 650‑5155
Version History
| Version | Date | Summary of Key Changes | Approved by |
|---|---|---|---|
| 2.4 | Aug 1, 2022 | Initial public posting | CISO |
| 3.0 | May 7, 2025 | State‑privacy alignment, sub‑processor table, clarified retention, merged security sections | CPO & General Counsel |