Privacy Policy

14. Vern (Contract Triage Platform) – Privacy Addendum

This section applies specifically to personal data and document data processed through Vern ("Verify Every Risk Now"), our AI-powered contract risk triage platform. Vern is a separate SaaS product operated by AssurePath Ltd. Where this section is silent on a topic, the general provisions of this Privacy Policy apply. In the event of any conflict between this section and the general provisions above, this section shall prevail for data processed through Vern.

14.1 About Vern

Vern is an AI-powered contract risk triage tool built for UK recruitment agencies. Users upload recruitment contracts (Terms of Business, contractor agreements, IR35 compliance documents, NDAs and candidate contracts) for automated clause-by-clause analysis against a configurable risk playbook. Vern delivers traffic light risk ratings (red, amber, green), clause-by-clause breakdowns, executive summaries and downloadable PDF reports. Vern also offers email triage functionality and multi-tenant workspaces with team management.

Vern is a risk triage tool and does not provide legal advice. Users are encouraged to consult a qualified solicitor for any legal decisions relating to their contracts.

14.2 Data We Collect Through Vern

14.2.1 Account Data

• Full name, email address and password (stored in hashed form).
• Organisation name, job title and role within workspace.
• Workspace membership and role assignments (administrator or member).
• Account preferences and notification settings.
• Authentication tokens and session data.

14.2.2 Uploaded Contract Documents

• Contract files uploaded by users in PDF or DOCX format.
• Document metadata (file name, file size, upload timestamp, file type).
• Contracts forwarded via the email triage feature.

14.2.3 AI Triage Outputs

• Clause-by-clause risk analysis results and classifications (red, amber, green).
• Executive summaries and risk narratives generated by AI.
• Generated PDF triage reports.
• Risk playbook configurations and custom rules set by the user.
• Audit trail records of triage requests, playbook changes and team actions.

14.2.4 Usage and Technical Data

• IP address, browser type, device information, operating system.
• Feature usage patterns (e.g., number of triages, playbook edits, report downloads).
• Session duration and access timestamps.
• Error logs and performance metrics.

14.2.5 Payment Data

• Billing information for paid subscriptions (processed by Stripe).
• Subscription tier, billing cycle and transaction identifiers.
• AssurePath does not store full payment card details; these are handled entirely by Stripe.

14.3 Legal Basis for Processing Vern Data

Under GDPR Article 6, we process Vern data on the following legal bases:

• Contract Performance (Art 6(1)(b)): Processing uploaded contracts to deliver triage results, managing user accounts and workspaces, providing email triage functionality, generating reports, and processing subscription billing.
• Legitimate Interests (Art 6(1)(f)): Aggregate anonymised analytics for service improvement, system performance monitoring, fraud prevention, and platform security.
• Legal Obligation (Art 6(1)(c)): Retaining payment records as required by UK tax and company law, responding to law enforcement requests, and maintaining records for regulatory compliance.
• Consent (Art 6(1)(a)): Marketing communications and optional analytics cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

14.4 How We Use Vern Data

14.4.1 Service Delivery

• Processing uploaded contracts through AI analysis to deliver triage results.
• Generating risk reports, clause breakdowns and executive summaries.
• Applying the user's configured risk playbook to each analysis.
• Providing email triage functionality (parsing forwarded contracts and returning results).
• Managing workspaces, team memberships and role-based access.

14.4.2 Service Improvement

• Analysing aggregate, anonymised usage patterns to improve platform performance and features.
• Monitoring system performance and reliability.
• Identifying and resolving technical issues.

14.4.3 Account Management

• User authentication and account security.
• Subscription management and billing.
• Sending service-related notifications (e.g., triage completion, account alerts, subscription changes).

14.4.4 Legal and Compliance

• Maintaining audit trails as required by users and for regulatory compliance.
• Responding to data subject requests under GDPR.
• Meeting legal obligations under UK law.

14.5 AI Processing and Model Training

• Contract data is never used for AI model training. Uploaded contracts and triage outputs are processed solely for the purpose of fulfilling your triage request.
• Document content is transmitted to our AI processing providers (OpenAI and Anthropic) exclusively to perform the contracted analysis. It is not retained by these providers for model improvement, fine-tuning or any other purpose. Both providers operate under API Data Processing Addendums that contractually prohibit the use of customer data for model training.
• AI analysis results are generated in real-time for each request and stored only within your Vern workspace.
• AssurePath does not aggregate contract content across different customer workspaces.
• Your data does not influence, train or modify any AI models in any way.
• AI processing occurs within EU data centres. See Section 14.8 for international transfer details.

14.6 Data Processors and Sub-Processors

In accordance with GDPR Article 28, we disclose the following sub-processors who process data in connection with the Vern service. All sub-processors operate under Data Processing Agreements (DPAs) with AssurePath.

AI Processing Providers

• OpenAI – AI contract analysis and risk classification. Processes uploaded contract text content. Processing location: EU. Operates under an API Data Processing Addendum prohibiting use of data for model training.
• Anthropic – AI contract analysis and risk classification. Processes uploaded contract text content. Processing location: EU. Operates under an API Data Processing Addendum prohibiting use of data for model training.
• LlamaIndex – Document parsing, indexing and AI orchestration. Processes uploaded contract text content and document metadata. Processing location: EU.

Infrastructure and Platform Providers

• Railway – Application hosting and data storage. Processes all Vern application data. Processing location: EU.
• Clerk – User authentication and account management. Processes account credentials, session tokens and email addresses. Processing location: EU.

Payment and Communication Providers

• Stripe – Subscription payment processing. Processes billing data and transaction records. Full payment card numbers are handled entirely by Stripe and are not stored by AssurePath. Processing location: UK/EU.
• Resend – Transactional email delivery. Processes email addresses and notification content. Processing location: EU.

Sub-Processor Change Notifications

• AssurePath will notify Vern users of material changes to sub-processors via email with at least 30 days' notice before the change takes effect.
• Users who object to a new sub-processor may terminate their account in accordance with the Vern service terms.
• Full DPA details are available on request by contacting privacy@assurepath.co.uk.
• AssurePath may use one or both AI providers (OpenAI, Anthropic) for contract analysis depending on the specific analysis task and service requirements.

14.7 Data Security for Vern

• Encryption at rest: All stored data (uploaded contracts, triage results, account data) is encrypted at rest using industry-standard AES-256 encryption.
• Encryption in transit: All data transmitted between users' browsers and Vern, and between Vern and its sub-processors, is encrypted using TLS 1.2 or higher.
• SOC 2 Type 2 infrastructure: Vern is hosted on infrastructure that has completed SOC 2 Type 2 auditing.
• EU data centres: All Vern data is stored and processed in data centres located in the European Union.
• Access controls: Role-based access controls with multi-factor authentication options. Workspace isolation ensures one tenant cannot access another tenant's data.
• Audit logging: All significant actions (triage requests, playbook changes, team membership changes, data exports) are logged with timestamps and user attribution.
• Disaster recovery: Defined backup and disaster recovery procedures are in place to protect against data loss.
• Vulnerability assessments: Regular security assessments of the Vern platform.

14.8 International Data Transfers (Vern)

• Vern application data is hosted by Railway in EU data centres.
• Contract content is transmitted to OpenAI and Anthropic's EU infrastructure for AI analysis.
• The UK-to-EU data transfer is covered by the UK's adequacy decision for the EU, maintained under the UK GDPR framework.
• All international transfers are additionally governed by Data Processing Agreements containing Standard Contractual Clauses (SCCs) as a supplementary safeguard.
• AssurePath has conducted a Transfer Impact Assessment (TIA) confirming that transfers to the EU do not materially increase risk to data subjects' rights and freedoms.
• No Vern data is transferred outside the UK and EU.

14.9 Data Retention for Vern

• Active account data: Retained for the duration of the active subscription.
• Uploaded contracts and triage results: Retained in the user's workspace for the duration of the active subscription. Users may delete individual contracts and triage results at any time from within the application.
• Playbook configurations: Retained for the duration of the active subscription.
• Audit trail data: Retained for the duration of the active subscription plus 12 months after account closure for compliance purposes.
• Account data after closure: Upon account deletion or subscription cancellation, all user data including uploaded contracts, triage results, playbook configurations and workspace data will be permanently deleted within 30 days, except where retention is required by law or for legitimate compliance purposes.
• Payment records: Retained for 7 years as required by UK tax and company law.
• Anonymised usage analytics: May be retained indefinitely in aggregate, anonymised form for service improvement purposes. This data cannot be linked back to individual users.

14.10 Data Protection Impact Assessment

In accordance with GDPR Article 35, AssurePath has conducted a Data Protection Impact Assessment (DPIA) for the Vern platform, recognising that AI-powered automated processing of contract documents at scale requires careful assessment of risks to data subjects' rights and freedoms.

• The DPIA covers all aspects of Vern's data processing including AI analysis of contract documents, automated risk classification, data sharing with sub-processors, and international data transfers.
• The DPIA is reviewed and updated at least annually, or whenever material changes are made to Vern's data processing activities.
• A summary of the DPIA findings is available on request by contacting dpo@assurepath.co.uk.

14.11 Automated Decision-Making

Vern uses AI to perform automated analysis of uploaded contracts and generate risk classifications (red, amber, green traffic light ratings). In relation to GDPR Article 22 (automated individual decision-making):

• Vern's automated outputs are informational triage indicators intended to assist human decision-making. They do not constitute automated decisions that produce legal effects or similarly significantly affect individuals within the meaning of GDPR Article 22.
• No automated decisions are made by Vern that restrict, deny or alter users' access to services or legal rights.
• Users always retain full control over how they act on triage results and are encouraged to seek qualified legal advice before making contractual decisions.
• If you believe an automated output has been applied in a way that significantly affects you, you have the right to request human review by contacting privacy@assurepath.co.uk.

14.12 Data Breach Notification

In the event of a personal data breach affecting Vern user data, AssurePath will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms, as required by GDPR Article 33.
• Notify affected Vern users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.
• Provide clear information about the nature of the breach, the data affected, the likely consequences, and the measures taken to address and mitigate the breach.
• Maintain an internal breach register documenting all incidents, including those that do not meet the notification threshold.

AssurePath's sub-processors are contractually required to notify AssurePath of any data breach without undue delay.

14.13 Your Rights Regarding Vern Data

In addition to the general GDPR rights described in Section 9 of this Privacy Policy, Vern users have the following specific controls:

• Data export: You may export your triage results and reports from within the Vern application at any time.
• Data deletion: You may delete individual contracts, triage results and your entire account from within the Vern application. Account deletion triggers permanent removal of all associated data within 30 days.
• Playbook portability: Your playbook configuration is available for export from within the application.
• Right to human review: You may request human review of automated outputs as described in Section 14.11.
• Access requests: You may request a full copy of all personal data held in connection with your Vern account by contacting privacy@assurepath.co.uk.
• Sub-processor information: You may request full details of current sub-processors and Data Processing Agreements by contacting privacy@assurepath.co.uk.