VeloDB Data Processing Addendum
Effective Date: June 3, 2026
Last Updated: June 15, 2026
This Data Processing Addendum ("DPA") supplements the VeloDB agreement, order form, or other written terms under which VeloDB provides Services to Customer (the "Agreement"). This DPA applies when VeloDB Processes Customer Personal Data on behalf of Customer in connection with the Services.
1. Scope and Roles
1.1 Scope. This DPA applies to VeloDB's Processing of Customer Personal Data as a Processor, Subprocessor, service provider, or contractor on Customer's behalf in connection with the Services.
1.2 Customer Role. Customer is the Controller of Customer Personal Data, or a Processor acting on behalf of another Controller. Customer is responsible for the lawfulness of Customer Personal Data, Customer's instructions, and Customer's use of the Services.
1.3 VeloDB Role. VeloDB will Process Customer Personal Data only on Customer's documented instructions, except where required by applicable law.
1.4 Relationship Data. This DPA does not govern VeloDB's independent Processing of business contact, account, billing, marketing, website, contract, or relationship information, which is handled under VeloDB's Privacy Policy and applicable law.
2. Definitions
"Applicable Data Protection Laws" means privacy, data protection, and data security laws applicable to VeloDB's Processing of Customer Personal Data under the Agreement.
"Customer Personal Data" means Personal Data Processed by VeloDB on Customer's behalf in connection with the Services.
"Personal Data," "Controller," "Processor," "Process," "Processing," "Data Subject," and similar terms have the meanings given under Applicable Data Protection Laws. Where Applicable Data Protection Laws use analogous terms, those terms will be interpreted to cover the corresponding concepts.
"Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by VeloDB or its Subprocessors.
"Subprocessor" means a third party engaged by VeloDB to Process Customer Personal Data on Customer's behalf in connection with the Services.
3. Processing Instructions
Customer instructs VeloDB to Process Customer Personal Data to:
- provide, operate, maintain, secure, support, and troubleshoot the Services;
- perform obligations and exercise rights under the Agreement and applicable order forms;
- comply with Customer's written instructions accepted by VeloDB; and
- comply with applicable law.
If VeloDB reasonably believes an instruction violates Applicable Data Protection Laws, VeloDB will notify Customer unless prohibited by law and may suspend the affected Processing until the instruction is modified or confirmed as lawful.
4. Purpose and Use Restrictions
VeloDB will not retain, use, or disclose Customer Personal Data except as necessary to provide, maintain, support, secure, and improve the Services; comply with Customer's instructions; comply with applicable law; or as otherwise permitted by the Agreement and this DPA.
VeloDB will not sell Customer Personal Data, use it for cross-context behavioral advertising, or use identifiable Customer Personal Data or Customer Data to train generalized artificial intelligence models unless Customer expressly authorizes that use in writing.
5. Customer Responsibilities and Restricted Data
Customer is responsible for providing notices, obtaining consents, establishing legal bases, and ensuring that Customer's submission and use of Customer Personal Data comply with Applicable Data Protection Laws.
Customer will not submit restricted data, including protected health information, payment card data, children's data, biometric data, or data subject to specialized legal regimes, unless VeloDB has confirmed support for that use case in writing and the parties have executed any required additional terms.
6. Security and Confidentiality
VeloDB will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful Processing and accidental loss, destruction, or damage.
VeloDB will ensure that personnel authorized to Process Customer Personal Data are subject to confidentiality obligations and access Customer Personal Data only as needed for authorized purposes.
Security documentation, audit reports, certifications, questionnaires, and other assurance materials may be made available where approved by VeloDB and subject to applicable confidentiality, security, legal, and sharing restrictions.
7. Subprocessors
Customer generally authorizes VeloDB to use Subprocessors to Process Customer Personal Data. VeloDB will impose written data protection obligations on Subprocessors that are no less protective in material respects than those imposed on VeloDB under this DPA, to the extent applicable to the Subprocessor's Processing.
VeloDB remains responsible for Subprocessors' performance of their data protection obligations to the extent required by the Agreement and Applicable Data Protection Laws.
VeloDB will provide Subprocessor information where required by the Agreement, an applicable order form, an approved Subprocessor disclosure, or Applicable Data Protection Laws. Providers that Customer enables or controls, including Customer's cloud provider for Customer-controlled cloud resources, identity provider, monitoring destination, data source, data sink, webhook destination, marketplace, or other third-party integration, are Customer's responsibility unless the applicable Agreement, order form, or approved Subprocessor disclosure states otherwise.
8. Security Incident Notice
VeloDB will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data. VeloDB will provide information reasonably available to VeloDB regarding the nature of the Security Incident, affected data categories, measures taken or proposed, and a contact point for follow-up.
VeloDB will take reasonable steps to contain, investigate, and mitigate Security Incidents. Notice of a Security Incident is not an admission of fault or liability.
9. Data Subject Requests and Regulatory Assistance
Taking into account the nature of Processing and information available to VeloDB, VeloDB will provide reasonable assistance for Customer to respond to Data Subject requests and meet applicable obligations for data protection impact assessments, consultations, or regulator inquiries.
If VeloDB receives a request from a Data Subject relating to Customer Personal Data, VeloDB will notify Customer where legally permitted and will not respond except on Customer's instruction or as required by law.
10. Government and Third-Party Demands
If VeloDB receives a legally binding demand for Customer Personal Data from a governmental authority or other third party, VeloDB will notify Customer before disclosure unless legally prohibited. VeloDB will review the legality of the demand, disclose only the Customer Personal Data it is legally required to disclose, and use reasonable efforts to allow Customer to seek protective measures where appropriate.
11. Return and Deletion
Upon termination or expiration of the Services, VeloDB will delete or return Customer Personal Data in VeloDB-controlled systems in accordance with the Agreement, applicable order form, Customer's documented instructions, approved retention materials, and standard deletion practices, unless retention is required or permitted by applicable law.
Deletion and return may require time to propagate through applicable systems, backups, and Subprocessors. Until Customer Personal Data is deleted or returned, VeloDB will continue to protect it under this DPA and limit further Processing to deletion, return, export, security, backup, audit, compliance, dispute, legal-hold, or lawful retention purposes.
Backup, archive, security, audit, legal, tax, accounting, support, dispute, and legal-hold records may follow separate retention or deletion treatment where permitted by the Agreement, applicable retention materials, applicable law, or Customer's documented instructions.
Customer remains responsible for exporting, retaining, deleting, or deprovisioning Customer Personal Data in Customer-controlled systems, Customer-configured destinations, and Customer-controlled cloud resources.
12. Audits and Compliance Evidence
VeloDB will make available information reasonably necessary to demonstrate compliance with this DPA, subject to appropriate confidentiality, security, and non-disruption requirements. Where available and adequate for Customer's verification purpose, independent audit reports, certifications, security documentation, questionnaires, control mappings, and written responses may be used first to satisfy reasonable audit requests.
Any additional audit must be limited to controls relevant to Customer Personal Data, conducted by Customer or an independent auditor under appropriate confidentiality obligations, and designed not to compromise VeloDB systems, security controls, or data of other customers.
Nothing in this Section limits the audit or investigation powers of a competent regulator under Applicable Data Protection Laws.
13. International Transfers
VeloDB will not transfer Customer Personal Data in violation of Applicable Data Protection Laws. Where required for transfers from the European Economic Area, United Kingdom, Switzerland, or other jurisdictions with transfer restrictions, the parties will use appropriate transfer mechanisms, which may include standard contractual clauses, UK or Swiss transfer addenda, adequacy decisions, or other lawful mechanisms, in each case only to the extent valid and applicable to the relevant transfer.
Where VeloDB transfers Customer Personal Data to a Subprocessor or other third party acting on VeloDB's behalf, VeloDB will require contractual safeguards designed to limit Processing to specified purposes and to provide a level of protection required by the applicable transfer mechanism, Applicable Data Protection Laws, and this DPA.
Processing locations, access locations, and applicable transfer safeguards may be described in an approved Subprocessor list, transfer or access-location disclosure, order form, or customer-specific exhibit.
14. Term, Precedence, and Liability
This DPA remains in effect for as long as VeloDB Processes Customer Personal Data subject to the Agreement.
If this DPA conflicts with the Agreement regarding Processing of Customer Personal Data, this DPA controls for that subject matter. Liability arising from this DPA is subject to the limitations and exclusions in the Agreement, unless Applicable Data Protection Laws prohibit those limitations.
Annex A - Processing Details
| Item | Description |
|---|---|
| Subject matter | Processing of Customer Personal Data to provide, maintain, support, secure, and improve the Services ordered by Customer. |
| Duration | For the term of the applicable Services and any limited period required for deletion, return, security, backup, audit, compliance, dispute, or legal retention purposes. |
| Nature and purpose | Hosting, processing, transmission, storage, service administration, monitoring, reliability, troubleshooting, support, security operations, customer-instructed export or deletion, and compliance assistance. |
| Categories of Data Subjects | Customer users and administrators; Customer employees, contractors, customers, prospects, or other individuals whose Personal Data Customer submits to or processes using the Services; business contacts included in support requests where Processed on Customer's behalf. |
| Categories of Customer Personal Data | Customer-submitted data to the extent it is Personal Data; account and user identifiers; technical, operational, access, security, diagnostic, and support information that constitutes Personal Data and is Processed on Customer's behalf. |
| Sensitive data | No restricted or sensitive category data is approved unless expressly authorized in an order form or additional written addendum. |
| Subprocessors | Subprocessors, if any, are identified in VeloDB's approved Subprocessor disclosure, applicable order form, or customer-specific exhibit. |