← All legal documents

Data Processing Addendum

Version 1.0Updated June 6, 2026Status in effect

Scope and roles

This Data Processing Addendum ("DPA") supplements the Terms of Service and describes how Velira Finance processes personal data in connection with the Service. For personal data of its own account holders, Velira Finance generally acts as a controller; where it processes personal data on behalf of a business customer, it acts as a processor. The applicable roles will be confirmed with counsel.

Processing details

Subject matter and duration of processing, the nature and purpose of processing, the types of personal data, and the categories of data subjects are described in the Privacy Policy and in Annex A to this DPA. Velira Finance processes personal data only to provide and support the Service and as otherwise instructed or permitted by applicable law.

Security

Velira Finance maintains appropriate technical and organizational measures designed to protect personal data, including those described in the Security document — such as encryption in transit and at rest, access controls, least-privilege internal access, and logging. Measures may be updated provided protection is not materially reduced.

Subprocessors

Velira Finance engages the subprocessors listed in the Subprocessors document to support the Service. Subprocessors are bound by data-protection obligations no less protective than those in this DPA. Velira Finance remains responsible for its subprocessors' processing and will provide a mechanism for notice of changes where required.

International transfers

Where personal data is transferred across borders in a manner requiring a transfer mechanism, Velira Finance relies on an appropriate mechanism such as the Standard Contractual Clauses, the UK Addendum, or another lawful basis, to be completed with counsel.

Assistance, breach, deletion, and audits

Velira Finance will provide reasonable assistance with data-subject requests and with breach notification consistent with the Breach Notification document and applicable law, and will delete or return personal data at the end of the engagement except where retention is legally required. The parties' audit rights and obligations will be set out in the final DPA.

Questions about this document? Contact us at hello@velirafinance.com.