Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement between Velovia (the “Processor”) and the customer that has accepted the Velovia Terms of Use (the “Controller” or “Customer”). It applies whenever Velovia processes Personal Data on behalf of the Customer in the course of providing the Service. Terms capitalised but not defined here have the meaning given in the Terms of Use or in the GDPR.

This DPA is incorporated into the Terms of Use by reference and applies automatically once the Terms are accepted; no separate signature is required. A signed countersigned copy is available on request at privacy@velovia.ai.

1. Subject matter and duration

Velovia processes Personal Data to provide the Service to the Customer for the duration of the Terms of Use and for such further period as is needed for deletion or return of data.

2. Nature, purpose, and types of Personal Data

Nature and purpose: hosting, analysis, generation of content, SEO recommendations, and publication of changes through the integrations the Customer enables.

Types of Personal Data processed on behalf of the Customer may include names, email addresses, IP addresses, browsing activity, and other personal data incidentally present in content the Customer submits or in the websites the Customer asks Velovia to analyse. Categories of data subjects may include the Customer's staff, the Customer's own users, and visitors to the Customer's website.

3. Processor obligations

Velovia will:

• process Personal Data only on documented instructions from the Customer, including as set out in the Terms of Use and the configuration choices the Customer makes in the Service, unless required otherwise by EU or Member State law (in which case Velovia will notify the Customer before processing, unless prohibited from doing so)
• ensure that persons authorized to process Personal Data are bound by confidentiality obligations
• implement the technical and organizational measures described in Annex A
• assist the Customer, taking into account the nature of the processing, to respond to data subject requests and to comply with its obligations under Articles 32–36 GDPR
• on termination of the Service, delete or return Personal Data to the Customer, at the Customer's choice, within 30 days, except where retention is required by law
• make available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, as described in section 7

4. Sub-processors

The Customer grants Velovia general authorization to engage sub-processors. The current list is published at velovia.ai/subprocessors. Velovia will impose on each sub-processor data protection obligations substantially equivalent to those in this DPA.

Velovia will notify the Customer at least 14 days before adding or replacing a sub-processor (customers who email us to subscribe to sub-processor notices receive those notices by email; other customers should consult the subprocessors page). The Customer may object on reasonable data protection grounds within that period. If the parties cannot agree on a resolution, the Customer's sole remedy is to terminate the affected part of the Service by written notice.

5. International transfers

Where Velovia or a sub-processor transfers Personal Data out of the EEA, UK, or Switzerland to a country that is not the subject of an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Module 2 or Module 3 as applicable) are incorporated by reference. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum is also incorporated by reference. For transfers subject to the Swiss FADP, the SCCs apply with the adaptations indicated by the Swiss Federal Data Protection and Information Commissioner.

6. Data subject requests and breach notification

If a data subject contacts Velovia directly to exercise rights in relation to Personal Data processed on the Customer's behalf, Velovia will forward the request to the Customer and will not respond except on the Customer's instruction. Velovia will notify the Customer of any Personal Data Breach affecting Personal Data processed on its behalf without undue delay after becoming aware, and will provide the information reasonably required for the Customer to meet its notification obligations.

7. Audit rights

Velovia will make available to the Customer the security documentation and the sub-processor list referred to in this DPA. Where the Customer reasonably determines this is insufficient, Velovia will respond to a reasonable number of written questions per year. On-site audits are conducted only where required by applicable law or by a supervisory authority, at the Customer's cost, with at least 30 days' prior written notice, during normal business hours, and subject to Velovia's confidentiality and security requirements.

8. Liability

Liability under this DPA is subject to the limitations of liability in the Terms of Use. For the avoidance of doubt, those limitations apply to liability under this DPA and under the SCCs, to the maximum extent permitted by applicable law.

9. Governing law

This DPA is governed by the laws of the Hellenic Republic (Greece) and is subject to the jurisdiction clause of the Terms of Use, except where the SCCs prescribe a different governing law or forum for claims arising directly from the SCCs.

Annex A — Technical and organizational measures

• TLS 1.2+ for all data in transit
• Encryption at rest for databases and file storage managed by Supabase
• OAuth tokens and secrets stored encrypted at rest with envelope encryption
• Role-based access control and least-privilege for production systems
• Multi-factor authentication for administrative accounts
• Short-lived authentication sessions and rotating refresh tokens
• Automated daily backups retained for at least 7 days
• Centralized logging of administrative actions and anomalous events
• Written incident response and breach notification process
• Contractual confidentiality and data protection obligations on all personnel with access to Personal Data
• Regular review of sub-processors and transfer mechanisms

Contact

For DPA questions or to request a countersigned copy, email privacy@velovia.ai.