Data Processing Addendum
Last updated: February 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Velora Digital Limited (“Velora”, “Processor”) and the customer (“Customer”, “Controller”) and governs the processing of personal data by Velora on behalf of the Customer.
1. Definitions
Terms not defined in this DPA have the meanings given in the Terms of Service or UK GDPR.
- “UK GDPR” means the UK General Data Protection Regulation (the EU GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019).
- “Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, and any applicable regulations or guidance issued by the Information Commissioner’s Office.
- “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, and “Personal Data Breach” have the meanings given in the UK GDPR.
2. Scope and roles
The Customer is the Controller and Velora is the Processor in respect of any Personal Data processed by Velora on behalf of the Customer when providing the Service.
This DPA applies to Personal Data that Velora processes as part of the Service, primarily:
- Personal data contained in emails monitored via OAuth (sender names, email addresses, email content)
- Personal data in content sources (social media posts, RSS feed content)
- Team member names and email addresses
This DPA does not apply to Personal Data that Velora processes as a Controller (such as Customer account and billing information), which is governed by the Privacy Policy.
3. Customer obligations
The Customer shall:
- Ensure it has a lawful basis under Data Protection Laws for the processing of Personal Data by Velora
- Provide any required notices to, and obtain any required consents from, Data Subjects whose Personal Data will be processed
- Ensure that its instructions to Velora comply with Data Protection Laws
4. Velora obligations
Velora shall:
- Process Personal Data only on the Customer’s documented instructions, unless required to do so by law (in which case Velora will inform the Customer before processing, unless prohibited by law)
- Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2
- Not engage another processor (sub-processor) without the Customer’s prior consent, subject to section 6
- Assist the Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Laws
- Assist the Customer in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation
- At the Customer’s choice, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless required by law to retain them
- Make available to the Customer all information necessary to demonstrate compliance with this DPA
5. Data breach notification
Velora will notify the Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
- The name and contact details of Velora’s point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
6. Sub-processors
The Customer provides general authorisation for Velora to engage sub-processors listed in the Privacy Policy. Velora will:
- Notify the Customer by email at least 30 days before adding or replacing a sub-processor
- Impose data protection obligations on each sub-processor that are no less protective than those in this DPA
- Remain liable to the Customer for the acts and omissions of its sub-processors
If the Customer objects to a new sub-processor within 14 days of notification, the parties will discuss the concern in good faith. If the concern cannot be resolved, the Customer may terminate the affected Service by written notice.
7. International data transfers
Where Personal Data is transferred outside the UK, Velora will ensure that appropriate safeguards are in place in accordance with Data Protection Laws, including:
- The UK International Data Transfer Agreement (IDTA); or
- Any other approved transfer mechanism under Data Protection Laws
8. Audit rights
Velora will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. On reasonable notice (at least 30 days), the Customer may conduct or commission an audit of Velora’s processing activities, no more than once per year, during normal business hours, and subject to reasonable confidentiality obligations. The Customer shall bear its own costs of any audit.
9. Duration and termination
This DPA takes effect on the date the Customer accepts the Terms of Service and continues until the Terms of Service are terminated. Velora’s obligations regarding deletion or return of Personal Data survive termination.
10. Regulatory changes
If changes to Data Protection Laws require amendments to this DPA, the parties will negotiate in good faith to update the DPA accordingly.
Annex 1: Details of processing
| Item | Details |
|---|---|
| Subject matter | Processing of Personal Data to provide the Velora content automation Service |
| Duration | For the term of the Customer’s Subscription |
| Nature and purpose | Monitoring Customer’s email inboxes and content sources to identify newsworthy content; generating draft articles; storing and delivering content via CMS integration |
| Categories of Data Subjects | Individuals whose Personal Data appears in monitored emails, content sources, or social media (e.g., press release contacts, newsletter senders, public social media users) |
| Categories of Personal Data | Names, email addresses, job titles, and other Personal Data incidentally contained in monitored emails and content sources |
| Special categories | None anticipated. The Customer must not configure the Service to process special category data without prior written agreement. |
Annex 2: Technical and organisational measures
Velora implements the following security measures:
Access controls
- Role-based access controls for Velora personnel
- Multi-factor authentication for access to production systems
- Principle of least privilege for system access
Encryption
- TLS/HTTPS for all data in transit
- Encryption at rest for stored credentials (CMS passwords, OAuth tokens)
- Database encryption at rest
Infrastructure security
- Application hosted on managed infrastructure with automated security patching
- Database hosted on managed PostgreSQL with network isolation
- Regular security updates and dependency monitoring
Operational security
- Logging and monitoring of access to production systems
- Incident response procedures
- Confidentiality obligations for all personnel with access to Personal Data
Data minimisation
- Email monitoring is read-only and restricted to sender/domain filters configured by the Customer
- Personal Data is processed only to the extent necessary to provide the Service
Annex 3: Sub-processors
See the sub-processor list in the Privacy Policy. The list is maintained there as a single source of truth and updated in accordance with section 6 of this DPA.