velin

Data Processing Agreement

Last updated: 23 June, 2026 · Effective: on acceptance of the Terms of Service or signature, whichever is earlier.

1. Parties and roles

This Data Processing Agreement (“DPA”) forms part of the agreement between Velin (“Velin”, “UseVelin”, “Processor”) and the customer identified in the account (“Customer”, “Controller”) (together, the “Parties”) for use of the Velin service (the “Service”).

For personal data contained in the evidence, files, and content the Customer uploads to its workspace (“Customer Personal Data”), the Customer is the controller and Velin is the processor, processing only on the Customer’s documented instructions. This DPA governs that processing. Velin’s processing of account and website data, for which Velin is itself the controller, is governed by the Velin Privacy Policy, not this DPA.

Where the Customer is itself a processor acting for a third-party controller, the Customer warrants it has the authority to engage Velin as a sub-processor on those terms.

2. Subject matter, duration, nature and purpose

  • Subject matter: processing of Customer Personal Data to provide the Service — an evidence-management platform for deletion-compliance records.
  • Duration: for the term of the Customer’s subscription, plus the post-termination period in §10.
  • Nature and purpose: storage, hosting, organisation, retrieval, transmission, content-hashing, and generation of signed evidence packs, solely to provide the Service. Velin does not delete data from the Customer’s own systems and holds no credentials to them; it records and attests to what the Customer asserts.
  • Categories of data subjects and personal data: as determined by the Customer when it uploads content. See Annex 1.

3. Processor obligations (Art. 28(3))

Velin will:

(a) process Customer Personal Data only on the Customer’s documented instructions, including the instructions set out in the Terms and this DPA, unless required by EU or member-state law (in which case Velin will inform the Customer unless legally prohibited);

(b) ensure persons authorised to process Customer Personal Data are bound by confidentiality;

(c) implement the technical and organisational measures in Annex 2 (Art. 32);

(d) respect the conditions in §4 for engaging sub-processors;

(e) taking account of the nature of processing, assist the Customer by appropriate measures, insofar as possible, to respond to data-subject rights requests (Art. 12–22);

(f) assist the Customer in ensuring compliance with Art. 32–36 (security, breach notification, DPIAs, prior consultation), taking into account the information available to Velin;

(g) at the Customer’s choice, delete or return all Customer Personal Data after the end of the provision of services, and delete existing copies unless retention is required by law (see §10);

(h) make available to the Customer the information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits as set out in §8.

If Velin considers an instruction to infringe data-protection law, it will inform the Customer.

4. Sub-processors

The Customer gives general authorisation for Velin to engage the sub-processors listed in Annex 3 (maintained current at /legal/sub-processors). Velin will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable for its sub-processors’ performance.

Velin will give the Customer 30 days’ prior notice of any intended addition or replacement of a sub-processor (by email or in-app). The Customer may object on reasonable data-protection grounds within that period; if the Parties cannot resolve the objection, the Customer may terminate the affected Service.

5. International transfers

Velin hosts core infrastructure in the EU (Frankfurt, eu-central-1). Velin will not transfer Customer Personal Data outside the EEA except under an appropriate Chapter V safeguard — an adequacy decision, or the European Commission’s Standard Contractual Clauses (2021) — with any supplementary measures required. Where SCCs apply between the Parties, they are incorporated by reference and, in case of conflict, prevail over this DPA on transfer matters.

6. Security

Velin will implement and maintain the technical and organisational measures described in Annex 2, appropriate to the risk, and will not materially reduce their overall protection during the term.

7. Personal data breach

Velin will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, providing the information reasonably available (nature of the breach, categories and approximate numbers affected, likely consequences, and measures taken or proposed). Velin will assist the Customer with its own notification obligations under Art. 33–34.

8. Audits

Velin will make available the information necessary to demonstrate compliance with Art. 28 — including, where available, current third-party certifications or audit reports (e.g. SOC 2, ISO 27001) — and will allow for and contribute to audits or inspections by the Customer or its mandated auditor no more than once per 12 months (and after a breach), on reasonable prior notice, during business hours, subject to confidentiality and without compromising other customers’ security.

9. Data-subject requests

Velin will, to the extent legally permitted, promptly notify the Customer if it receives a request from a data subject relating to Customer Personal Data, and will not respond directly except on the Customer’s instruction. Taking into account the nature of processing, Velin will assist the Customer with appropriate technical and organisational measures (e.g. export, retrieval) to fulfil the Customer’s obligation to respond.

10. Return and deletion

On termination or expiry, and at the Customer’s choice, Velin will return or delete Customer Personal Data. The Customer may export its data during the 30-day window described in the Terms; after that window Velin may delete Customer Personal Data, and will delete existing copies, except where EU or member-state law requires retention, in which case Velin will protect it and process it only as required by that law. Velin never silently deletes Customer evidence during an active subscription.

11. Liability

Each Party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable data-protection law.

12. General

This DPA is governed by the law of Ireland and forms part of the Terms. If any conflict arises between this DPA and the Terms on the processing of Customer Personal Data, this DPA prevails. The Annexes form part of this DPA.

Annex 1 — Details of processing

  • Categories of data subjects: as determined by the Customer; typically the Customer’s own data subjects referenced in deletion records (e.g. former customers, employees, or contacts).
  • Categories of personal data: as determined by the Customer’s uploads; typically identifiers and metadata describing deletion events. Customers are instructed not to upload special-category data unless necessary, and to minimise personal data in evidence.
  • Special categories: only if the Customer chooses to include them; the Customer is responsible for any Art. 9 conditions.
  • Frequency: continuous, for the subscription term.
  • Duration: as per §2 and §10.

Annex 2 — Technical and organisational measures (TOMs)

  • EU-only hosting (Frankfurt, eu-central-1).
  • Encryption in transit (TLS) and at rest.
  • Row-level tenant isolation enforced at the database layer, with an automated tenant-isolation test suite.
  • Mandatory multi-factor authentication for accounts.
  • Append-only, tamper-evident audit log; evidence files content-hashed at upload.
  • Access to stored files only via short-lived signed URLs; no public buckets.
  • Least-privilege access controls for Velin personnel; confidentiality obligations.
  • PII scrubbing in error/operational monitoring; no payment card data stored.
  • Ed25519-signed evidence packs; independently verifiable without access to Velin systems.
  • Backups and recovery procedures; logging and monitoring.

Annex 3 — Approved sub-processors

Sub-processorPurposeLocation
SupabaseDatabase, authentication, file storageEU (Frankfurt, eu-central-1)
VercelApplication hostingEU region
ResendTransactional email deliveryIreland
PaddlePayment processing / merchant of recordIreland
Google / MicrosoftOptional single sign-on (only if Customer chooses)EU
SentryError and operational monitoring (PII-scrubbed)EU

Authoritative current list: /legal/sub-processors.