velora.
Velora Legal

Data Processing Addendum

Processor-style terms describing how Velora handles personal data on behalf of business customers, including instructions, subprocessors, security, international transfers, and assistance obligations.

Last Updated

March 9, 2026

Applies To

Business customers acting as controllers or businesses under applicable privacy law

Contact

support@velora.app

This Data Processing Addendum ('DPA') supplements the Business SaaS Terms and applies where Velora processes personal data on behalf of a business customer acting as a controller, business, or equivalent principal under applicable privacy law.

If a signed order form, enterprise agreement, or negotiated privacy addendum applies between the parties, that document will control to the extent of any direct conflict on the same subject matter.

Policy Snapshot

  • Velora processes customer personal data only on documented instructions from the customer except where law requires otherwise.
  • Velora uses subprocessors, security controls, confidentiality obligations, and assistance measures appropriate to the hosted service model.
  • The customer remains responsible for lawful collection, notices, consent where required, and data subject rights decisions as controller.
  • International transfers, incident handling, deletion or return, and audit rights are framed in processor-style enterprise language.

Section 01

Roles and scope

For customer personal data processed in connection with the services, the customer is the controller or business and Velora is the processor or service provider unless another role is expressly stated in writing.

This DPA applies only to personal data processed by Velora on behalf of the customer in connection with the services and does not apply to data for which Velora acts as an independent controller, such as its own billing, account management, security logging, and direct commercial relationship records.

Section 02

Processing instructions

  • Velora will process customer personal data only on documented instructions from the customer as reflected in the agreement, product configuration, support requests, API calls, and other authorized use of the services.
  • If Velora believes a customer instruction violates applicable law, Velora may notify the customer and suspend the affected processing until the issue is resolved.
  • The customer warrants that its instructions are lawful and that it has all rights and permissions necessary to provide those instructions.

Section 03

Customer controller obligations

  • The customer is responsible for providing legally adequate privacy notices and obtaining all required consents, permissions, and lawful bases for processing.
  • The customer is responsible for determining the categories of personal data uploaded, the retention periods it requires, and whether special categories or regulated data may lawfully be processed through the services.
  • The customer is responsible for responding to data subject requests, regulatory notices, and other controller-side legal obligations, except to the extent Velora has agreed to assist under this DPA.

Section 04

Confidentiality and security measures

Velora will ensure that personnel authorized to process customer personal data are subject to appropriate confidentiality obligations.

Velora will maintain reasonable technical and organizational measures designed to protect customer personal data against unauthorized access, accidental loss, misuse, disclosure, alteration, or destruction, taking into account the nature of the services and the risks presented by the processing.

  • role-based access management and logical access controls;
  • transport protection and secure secret-handling practices;
  • audit logging, monitoring, and incident response procedures;
  • backup, recovery, and service continuity controls appropriate to a hosted SaaS environment;

Section 05

Subprocessors

The customer authorizes Velora to engage subprocessors that are reasonably necessary to provide the services, including hosting, infrastructure, communications, analytics, security, and payment-support providers.

Velora will impose data-protection obligations on subprocessors that are materially protective of customer personal data in a manner appropriate to the service provided by that subprocessor.

Where required by law or contract, Velora may make subprocessor information available on request or through a separate subprocessor notice mechanism.

Section 06

International data transfers

To the extent customer personal data is transferred across borders, Velora will use transfer mechanisms and safeguards appropriate to the relevant legal regime, which may include contractual commitments, regional hosting choices, and access controls.

The customer acknowledges that use of global infrastructure, communication providers, or integration ecosystems may involve cross-border processing.

Section 07

Assistance with rights and compliance

  • Taking into account the nature of the processing, Velora will provide reasonable assistance to the customer for responding to data subject requests that the customer cannot fulfill through the product itself.
  • Velora will provide reasonable assistance, taking into account the information available to Velora, with customer obligations relating to security, incident response, impact assessments, and regulator consultation where required by applicable law.
  • Velora may charge reasonable fees for extraordinary, repetitive, legally complex, or non-standard assistance.

Section 08

Security incidents

Velora will notify the customer without undue delay after becoming aware of a confirmed security incident affecting customer personal data processed by Velora as processor, unless notification is not legally required.

Such notice may include the nature of the incident, the categories of data involved, the likely consequences known at the time, and the mitigation steps taken or proposed by Velora.

Velora is not responsible for incidents caused by the customer, the customer devices, the customer credentials, unlawful customer instructions, or third-party services chosen and controlled solely by the customer outside Velora reasonable control.

Section 09

Deletion and return

Upon termination or expiration of the services, Velora will delete or return customer personal data in accordance with the agreement, product capabilities, and Velora standard retention and backup cycles, unless applicable law requires longer retention.

Backup copies and archived system records may persist for a limited period until overwritten in the ordinary course of business, subject to continued protection under this DPA.

Section 10

Audit and information rights

Velora will make available information reasonably necessary to demonstrate compliance with this DPA, taking into account confidentiality, security, and the shared-service nature of the platform.

Any audit or inspection right will be limited to what is legally required or contractually agreed, must be reasonable in scope and timing, must avoid disruption to other customers, and may be satisfied through existing reports, certifications, questionnaires, or comparable assurance materials where appropriate.

Section 11

Liability and order of precedence

This DPA is subject to the liability limitations, disclaimers, and indemnity structure in the Business SaaS Terms unless applicable law requires otherwise.

If there is a direct conflict between this DPA and the Business SaaS Terms on the same data-processing issue, this DPA controls only for that issue.

Questions about this DPA may be sent to support@velora.app.