Vertirite Privacy Notice
Effective 2026-05-19. This is a draft. The version of record for any customer engagement is the counter-signed Data Processing Addendum (DPA) and, where applicable, the executed Business Associate Agreement (BAA). Where this notice conflicts with a counter-signed agreement, the agreement governs.
Vertirite is operated by SurgeXi Business Intelligence, headquartered in Birmingham, Alabama, United States ("SurgeXi", "we", "us"). Vertirite is a business-to-business control plane for AI agents and other automated callers. It is sold under sales-led pilot and annual contracts. Consumer use is not contemplated.
1. Scope
This notice describes how SurgeXi handles personal data and customer data in connection with the Vertirite product, the marketing site at vertirite.com, and SurgeXi-hosted broker tenants. It applies to operator users (the named human accounts who configure Vertirite and review the approval queue), end users whose data may be referenced by AI actions Vertirite governs, and prospective customers contacting us about pilots.
2. Roles
For data Vertirite ingests on the customer’s behalf (audit log entries, action payloads, approval decisions, capability registry contents), SurgeXi is a data processor. The customer is the data controller. The contract between the customer and SurgeXi (master services agreement plus the DPA) governs the processing.
For data SurgeXi collects directly — operator account profiles on hosted tenants, marketing-site analytics, sales pipeline contact records — SurgeXi is the data controller.
3. What we collect
- Operator account data — name, work email, organization, role, plan tier, SSO subject identifier when SSO is used.
- Audit ledger contents — the action payload, actor identity, role, tenant scope, policy decision, approval/denial chain, cryptographic signature row. Audit ledger contents are customer data. SurgeXi cannot read tenant-scoped audit rows without an explicit support escalation that the customer grants in writing.
- Approval queue contents — the pending action, the actor that requested it, the human(s) who approved or denied it. Customer data; same processing rules as the audit ledger.
- Capability registry contents — YAML declaring which roles may invoke which endpoints. Customer data.
- Operational telemetry — uptime metrics, error rates, latency histograms. Aggregated; no personal data or action contents included.
- Sales pipeline data — name, work email, organization, role, conversation notes from pilot discussions. Standard B2B sales contact records.
- Site analytics — page views, referrer, user agent, session identifier randomly assigned in the browser. No third-party trackers; analytics are first-party only.
4. What we do not collect
- We do not collect personal data from end users of customer systems unless the customer’s own integration of Vertirite causes such data to appear in an audit row. Where this occurs, the data is treated under the DPA, not this notice.
- We do not run third-party advertising trackers on vertirite.com.
- We do not sell personal data. There is no scenario in which Vertirite customer data is monetized.
- We do not train AI models on customer data — not the audit ledger, not the approval queue, not the capability registry, not action payloads.
5. Storage and security
Hosted Vertirite tenants store customer data in PostgreSQL on encrypted volumes. Transport is TLS 1.3. Internal cross-host calls use mutual TLS. Tenant isolation is enforced row-by-row in code paths that thread the tenant identifier end-to-end, with a two-tenant bleed test in CI on every pull request. Customer-managed KMS (AWS KMS, Azure Key Vault, GCP CMEK) is available on Enterprise.
Self-hosted Vertirite deployments store everything on the customer’s own infrastructure. SurgeXi does not have a backdoor into a self-hosted deployment. Support engagements that require SurgeXi to see customer data on a self-hosted broker require the customer to export and forward the relevant rows; we do not request remote access.
6. Sub-processors
The current sub-processor list is published at /marketing/vertirite/security#subprocessors and maintained per the DPA notification cadence. Customers under contract receive 30 days’ written notice of material sub-processor changes and may object before the change takes effect.
7. Retention
Audit ledger contents are retained for the period named in the customer’s plan (30 days on Team, full retention on Business and Enterprise) and are deleted at the end of the customer’s subscription unless a regulatory hold requires otherwise. Operator account profiles are deleted within 30 days of subscription end. Sales pipeline data is retained for 24 months from last contact, then deleted.
8. Subject rights
Operator users may request access, correction, or deletion of their account data by emailing [email protected]. Subject requests concerning end-user data that appears in audit rows must be made to the data controller (the Vertirite customer), not to SurgeXi, because SurgeXi cannot identify the subject without the customer’s help.
Audit rows that are subject to a deletion request are tombstoned rather than removed, so that the cryptographic chain integrity is preserved. The tombstone records that the row existed and the time of the deletion request; the contents are erased.
9. International transfers
Hosted Vertirite tenants run in United States data centers by default. Customers requiring data residency in the European Union, Canada, or other jurisdictions should ask sales about Enterprise deployment options. For transfers from the European Economic Area, the Standard Contractual Clauses (Module Two, Controller to Processor) are incorporated into the DPA.
10. HIPAA
On the Enterprise tier, SurgeXi will enter into a Business Associate Agreement before any protected health information enters the hosted system. A signed BAA is a precondition of the install — not a post-hoc accommodation. The BAA template is available from [email protected].
11. Children
Vertirite is a business-to-business product. We do not knowingly process data from anyone under 18, and we do not contemplate any use of Vertirite that would involve minors.
12. Changes to this notice
Material changes will be communicated to customers under contract per the DPA notification clause. The marketing-site version reflects the most recent published draft and is dated above. Prior versions are available on request.
13. Contact
SurgeXi Business Intelligence
Privacy Inquiries: [email protected]
Sales Inquiries: [email protected]
Headquarters: Birmingham, Alabama, United States
This is a draft starter notice prepared in advance of formal legal review. It is the operator’s opinion, not legal advice. Before any paid Vertirite contract is signed, this notice will be reviewed by qualified counsel and superseded by counter-signed agreements (MSA, DPA, BAA, SCCs as applicable).