Legal

Data Processing Agreement

Velogics' standard DPA for Operators acting as controllers of End-User personal data. Last updated: May 28, 2026.

1. Parties and Roles

This Data Processing Agreement ("DPA") applies between Velogics ("Processor") and any Operator ("Controller") that uses the Velogics platform to engage with End Users. It is incorporated into the Terms of Service and applies whenever Velogics processes End-User personal data on the Controller's behalf. For data Velogics processes about Operators themselves (account, billing, support), Velogics acts as controller — see Privacy Policy § 3.

2. Subject Matter, Nature, Duration

  • Subject matter: processing End-User personal data to deliver the AI Employees the Controller has subscribed to.
  • Nature of processing: collection, storage, transmission, AI generation of replies and drafts, integration with Controller-connected systems (CRM, calendar, GBP, Search Console).
  • Duration: for the term of the Controller's subscription, plus the post-termination retention windows in §10.
  • Categories of data subjects: leads, prospects, customers, and other individuals the Controller engages through the platform.
  • Categories of personal data: identifiers (name, email, phone), conversation transcripts (chat, voice, SMS, email), appointment data, sentiment data, and any other information End Users provide to or about themselves through Controller-configured flows.

3. Controller Instructions

Velogics will process End-User personal data only on the documented instructions of the Controller, which are given by the Controller's configuration of the platform (KB content, scripts, campaign settings, schedules, retention preferences) and by use of the platform's features. If Velogics is required by applicable law to process for another reason, we will notify the Controller unless that law prohibits the notice on important public-interest grounds.

4. Sub-Processors

Velogics relies on the sub-processors listed at velogics.ai/legal/sub-processors. Each sub-processor is bound by contractual terms imposing data-protection obligations no less protective than those in this DPA. By accepting this DPA, the Controller authorises Velogics' engagement of the current sub-processors. Velogics will give Controllers at least 30 days' prior notice before engaging any new sub-processor that processes End-User personal data; the Controller may object on reasonable data-protection grounds during that notice period, in which case the parties will work in good faith on an alternative or, failing that, the Controller may terminate the affected service.

5. Security Measures

Velogics maintains the technical and organisational measures described in Privacy Policy § 9, including encryption in transit and at rest, access controls and logging, encrypted credential storage, segregation of Operator-tenant data, and monitoring for unauthorised access. These measures may be updated from time to time provided the level of security is not materially decreased.

6. Confidentiality of Personnel

Velogics personnel and contractors authorised to access End-User personal data are bound by written confidentiality obligations and trained on appropriate data-handling.

7. Personal Data Breach Notification

If Velogics becomes aware of a personal data breach affecting End-User personal data, we will notify the affected Controllers without undue delay and in any event within 72 hours of confirmation. The notice will include the nature of the breach, categories and approximate number of data subjects and records affected (to the extent then known), likely consequences, and the measures taken or proposed to address it. Velogics will cooperate reasonably with the Controller's notification and investigation obligations.

8. Data Subject Requests

The Controller is responsible for responding to End-User requests to exercise rights under applicable data-protection law (access, rectification, erasure, portability, restriction, objection). Velogics will provide the Controller with the tools and reasonable assistance needed to fulfil such requests through the platform's export and deletion features, and will promptly forward to the Controller any data-subject request received directly by Velogics that relates to the Controller's End Users.

9. Audits

Velogics will make available to the Controller, on reasonable request, the information necessary to demonstrate compliance with this DPA — typically satisfied by current security documentation, sub-processor information, and responses to a reasonable security questionnaire. For Controllers with audit-right obligations under applicable law, the parties will agree on the scope, timing, and confidentiality of the audit in good faith; audits are at the Controller's expense and limited to once per 12 months absent a documented breach or regulatory mandate.

10. Return and Deletion

On termination of the subscription, the Controller may export End-User personal data via the operator portal for 30 days. After that window, all End-User personal data processed by Velogics on the Controller's behalf is permanently deleted within a further 30 days, except where retention is required by applicable law or for the resolution of disputes. Backups expire on their normal rolling cycle (up to 35 days).

11. International Transfers

For transfers of End-User personal data from the EEA, UK, or Switzerland to a country not deemed adequate by the relevant authority, the parties incorporate by reference the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) and, for transfers from the UK, the UK Information Commissioner's Office International Data Transfer Addendum. Velogics also self-certifies under the EU-U.S. Data Privacy Framework (and its UK and Swiss extensions) where applicable. Annexes I, II, and III to the SCCs are populated by reference to the platform configuration, the security measures in Privacy Policy § 9, and the sub-processor list at velogics.ai/legal/sub-processors.

12. General

  • This DPA forms part of the Terms of Service. In case of conflict between this DPA and the Terms regarding processing of End-User personal data, this DPA prevails.
  • Liability under this DPA is subject to the limitation of liability in the Terms.
  • This DPA is governed by the same law as the Terms (unless local law requires otherwise to give effect to data-subject protections).

Need a counter-signed copy?

Most Operators are covered by this online DPA. If your procurement process requires a counter-signed copy or a custom DPA with specific clauses, email admin@velogics.ai with your company name and we will turn it around within 5 business days.