Data Processing Agreement
Effective Date: March 3, 2026
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between RootVaultAI LLC, doing business as RegisteredBrands.AI ("Processor," "we," "our," or "us"), and the entity or individual agreeing to these terms ("Controller," "you," or "your"). This DPA applies when we process personal data on your behalf in connection with the RegisteredBrands.AI platform and APIs. This DPA is designed to meet the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
"Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
3. Roles and Responsibilities
For the purposes of this DPA, you are the Controller and we are the Processor with respect to personal data that you submit to or that is collected through your use of the Service. We determine the means and purposes of processing for our own operational data (account management, billing, security), for which we act as an independent Controller as described in our Privacy Policy.
With respect to Brand Capsule data that is intentionally made public through the trust verification system, both parties acknowledge that this data is published by design and that standard data minimization principles are balanced against the legitimate purpose of enabling trust verification in agentic commerce.
4. Processing Details
| Item | Details |
|---|---|
| Subject Matter | Provision of the RegisteredBrands.AI trust verification platform and APIs |
| Duration | For the term of the applicable service agreement, plus the data retention period specified in our Privacy Policy |
| Nature and Purpose | Brand identity verification, trust scoring, entitlement management, payment processing, and API access provision |
| Categories of Data Subjects | Brand representatives, developers, consumers, and AI agent operators |
| Types of Personal Data | Names, email addresses, business contact information, wallet addresses, authentication identifiers, API usage logs, IP addresses |
5. Processor Obligations
We will process personal data only on your documented instructions, unless required by applicable law. We will ensure that persons authorized to process personal data have committed to confidentiality. We will implement appropriate technical and organizational security measures as described in Section 7 of our Privacy Policy. We will assist you in responding to data subject requests (access, deletion, correction, portability). We will notify you of any Data Breach without undue delay and in any event within 72 hours of becoming aware of it. We will assist you with data protection impact assessments and prior consultations with supervisory authorities where required. We will delete or return all personal data upon termination of the service agreement, unless retention is required by law. We will make available all information necessary to demonstrate compliance with this DPA and allow for audits.
6. Sub-processors
You authorize us to engage the following categories of sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Cloud Infrastructure Provider | Hosting, storage, compute | United States |
| Manus Platform | Authentication, analytics | United States |
We will notify you before adding or replacing sub-processors, providing you with an opportunity to object. If you object on reasonable grounds related to data protection, we will work with you to find an alternative solution. Each sub-processor is bound by data processing obligations no less protective than those in this DPA.
7. International Data Transfers
Where personal data is transferred outside the European Economic Area, United Kingdom, or Switzerland, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914). The applicable SCCs are incorporated by reference into this DPA. For transfers to the United States, we also rely on the EU-U.S. Data Privacy Framework where applicable.
8. Security Measures
We implement and maintain technical and organizational security measures appropriate to the risk, including: encryption of personal data in transit (TLS 1.2+) and at rest; pseudonymization where feasible; access controls with role-based permissions and least-privilege principles; regular security assessments and vulnerability scanning; incident detection, response, and recovery procedures; employee training on data protection and security; and physical security measures at data center facilities through our infrastructure providers.
9. Data Subject Rights
We will assist you in fulfilling your obligations to respond to data subject requests under applicable law. If we receive a request directly from a data subject, we will promptly redirect the request to you unless we are legally required to respond directly. We provide technical mechanisms (API endpoints and dashboard tools) to facilitate data access, correction, deletion, and portability requests.
10. CCPA/CPRA Provisions
To the extent the CCPA/CPRA applies, we are a "Service Provider" as defined under the CCPA. We will not sell or share personal information received from you. We will not retain, use, or disclose personal information for any purpose other than performing the services specified in the service agreement, or as otherwise permitted by the CCPA/CPRA. We will not combine personal information received from you with personal information received from other sources, except as permitted by the CCPA/CPRA. We certify that we understand and will comply with these restrictions.
11. Audit Rights
You may audit our compliance with this DPA up to once per year, with 30 days' written notice, during normal business hours, and at your expense. Audits must be conducted by you or an independent third-party auditor bound by confidentiality obligations. We may satisfy audit requests by providing relevant certifications, audit reports (SOC 2 Type II or equivalent), or written responses to reasonable audit questionnaires.
12. Term and Termination
This DPA remains in effect for the duration of the service agreement. Upon termination, we will delete or return all personal data within 90 days, except where retention is required by applicable law or for legitimate business purposes (such as resolving disputes or enforcing agreements). We will certify deletion upon request.
13. Contact
For questions about this DPA or to exercise your rights, contact our data protection team at [email protected] or through our Contact page.