Data Processing Agreement
Last updated: February 24, 2026
In accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).
Who needs this DPA? This Data Processing Agreement applies to business customers ("Controllers") who use Veluvanto to process personal data of their own customers, employees, or other individuals in the course of their business activities. If you use Veluvanto solely for personal use, the standard Privacy Policy applies.
By using Veluvanto as a business customer, you agree to the terms of this DPA. For a signed DPA or custom enterprise DPA, contact legal@veluvanto.com.
1. Parties and Definitions
This Data Processing Agreement ("DPA") is entered into between:
- Controller: The business customer or organization that has agreed to the Veluvanto Terms of Service and uses Veluvanto to process personal data on behalf of their business ("you").
- Processor: Veluvanto s.r.o., Korunní 2569/108, Vinohrady, 101 00 Praha 10, IČO: 249 15 122 ("Veluvanto", "we", "us").
Terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679).
2. Subject Matter and Nature of Processing
Veluvanto processes personal data on behalf of the Controller for the purpose of providing document management services, including:
- Storing and indexing documents uploaded by the Controller
- AI-powered analysis, categorization, and metadata extraction of documents
- Full-text and semantic search over documents
- AI chat assistant responses based on document content
- Document translation and summarization
- Automated reminders based on document content
- Any other features described in the Veluvanto service documentation
3. Categories of Personal Data Processed
The personal data processed under this DPA may include any personal data contained in documents uploaded by the Controller, which may include (but is not limited to):
- Names, addresses, email addresses, phone numbers of individuals
- Business contact information and company details
- Financial data (invoice amounts, payment details, bank account numbers)
- Identification numbers (IČO, DIČ, birth numbers where present in documents)
- Contract terms and conditions involving individuals
- Any other personal data the Controller includes in uploaded documents
Special categories of data: The Controller should not upload documents containing special categories of personal data (health data, racial/ethnic origin, etc.) as defined in Article 9 GDPR unless they have obtained Veluvanto's prior written consent and have an appropriate legal basis for such processing. Contact legal@veluvanto.com for specific arrangements.
4. Categories of Data Subjects
The data subjects whose personal data may be processed include: the Controller's customers, suppliers, business partners, employees, contractors, or any other individuals whose personal data appears in documents uploaded to Veluvanto.
5. Duration of Processing
Processing continues for the duration of the Veluvanto service agreement. Upon termination of the agreement, data is handled as described in Section 12 (Return and Deletion of Data).
6. Processor Obligations (Veluvanto)
Veluvanto (as Processor) shall:
- Process personal data only on documented instructions from the Controller (the Terms of Service and this DPA constitute such instructions)
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (Article 32 GDPR)
- Not engage sub-processors without prior authorization, either specific or general, from the Controller (see Section 9 for the current list of authorized sub-processors)
- Assist the Controller in fulfilling data subject rights requests (Articles 15–22 GDPR)
- Assist the Controller with security obligations, breach notification, DPIAs, and consultation with supervisory authorities
- Delete or return all personal data upon termination of the service (see Section 12)
- Provide the Controller with all information necessary to demonstrate compliance with Article 28 GDPR
- Notify the Controller of a personal data breach without undue delay (within 72 hours of becoming aware)
7. Controller Obligations
The Controller shall:
- Ensure a valid legal basis exists for processing the personal data uploaded to Veluvanto
- Provide necessary information to data subjects about the processing (including the use of Veluvanto as a processor)
- Ensure that personal data provided to Veluvanto is accurate and relevant
- Not instruct Veluvanto to process personal data in a manner that violates GDPR or applicable law
- Comply with their own obligations as a Controller under GDPR
8. Technical and Organizational Security Measures
Veluvanto implements the following security measures to protect personal data:
8.1 Encryption
- Data in transit: TLS 1.2+ encryption for all data transfers
- Data at rest: AES-256 encryption for stored data and documents
8.2 Access Controls
- Role-based access control (RBAC) for all system access
- Multi-factor authentication required for administrative access
- Principle of least privilege applied to all personnel
- Access logs maintained for all data access
8.3 Infrastructure Security
- Documents and data stored on Backblaze B2 object storage in EU data centers (Amsterdam, Netherlands); Backblaze holds SOC 2 Type II certification
- Application servers hosted on Hetzner Online GmbH infrastructure in EU data centers (Germany/Finland); Hetzner holds ISO/IEC 27001:2022 certification (SOCOTEC, valid 2025–2028)
- Regular security assessments and penetration testing
- Vulnerability management and patch management procedures
- DDoS protection and network security monitoring
8.4 Organizational Measures
- Staff confidentiality agreements and data protection training
- Incident response procedures and data breach response plan
- Data minimization principles applied throughout the service
9. Sub-Processors
By accepting this DPA, the Controller provides general authorization for Veluvanto to engage the following categories of sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google LLC | Identity provider (OAuth authentication) | US (SCC) |
| Microsoft Corporation | Identity provider (OAuth authentication) | EU/US (Microsoft Data Protection Addendum applies) |
| Paddle.com Market Ltd. | Payment processing (merchant of record) | UK (UK Adequacy Decision) |
| Google LLC (Vertex AI) | AI model inference (Gemini models) for document processing, semantic search, and AI chat | EU (Google Cloud europe-west region; no transfer outside EEA; Google Cloud Data Processing Addendum applies; API data not used for model training by default) |
| Backblaze, Inc. | Primary object storage for documents and backups (B2 Cloud Storage) | EU (Amsterdam, Netherlands; SOC 2 Type II certified) |
| IDrive, Inc. | Disaster recovery object storage | EU (Frankfurt, Germany) |
| Hetzner Online GmbH | Cloud infrastructure and application servers | EU (Germany / Finland; ISO/IEC 27001:2022 certified) |
| Collabora Online | Document viewing and rendering software (WOPI protocol); deployed and operated entirely on our own infrastructure; Collabora Productivity Ltd. has no access to data; not a sub-processor | EU (our own infrastructure; no international transfer) |
| Cloudflare, Inc. | Content delivery network, DDoS protection, and network security (processes HTTP request metadata: IP addresses, user-agent strings, request timestamps) | US (SCC) |
Veluvanto will notify the Controller of any intended changes to sub-processors by updating this list with at least 14 days' prior notice (via email or website update). The Controller may object to new sub-processors within 14 days of notification. If Veluvanto cannot accommodate the objection, the Controller may terminate the service.
All sub-processors are bound by data processing agreements containing data protection obligations equivalent to those in this DPA.
10. International Data Transfers
Where personal data is transferred to sub-processors outside the EEA, such transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), or other appropriate safeguards under Article 46 GDPR. The Controller may request copies of these safeguards from legal@veluvanto.com.
11. Assistance with Data Subject Rights
Veluvanto will assist the Controller in fulfilling data subject rights requests under GDPR Articles 15–22. Where technically feasible, the Controller can fulfill many rights directly through the Veluvanto application (e.g., data export, account deletion).
For requests that require Veluvanto's direct involvement, contact privacy@veluvanto.com. Veluvanto will respond within 5 business days and provide assistance within a timeframe that allows the Controller to meet GDPR response deadlines.
12. Return and Deletion of Data
Upon termination of the service or upon the Controller's request:
- Data Export: The Controller may export all documents and data through the application's export function at any time during the service
- Deletion upon termination: Within 30 days of account deletion or service termination, Veluvanto will permanently delete all personal data, including documents, metadata, and AI-generated content, unless retention is required by applicable law
- Confirmation: Upon request, Veluvanto will provide written confirmation of deletion
Billing records and legally required audit logs may be retained as required by Czech accounting law (Act No. 563/1991 Coll.) for up to 10 years.
13. Audit Rights
Veluvanto will make available all information necessary to demonstrate compliance with this DPA. The Controller may request an audit of Veluvanto's data processing activities by:
- Requesting documentation of security measures and compliance reports
- Requesting third-party audit reports (ISO 27001 certification, SOC 2, etc.) where available
- Conducting audits or inspections by appointment (with at least 30 days' notice, at the Controller's expense, and subject to reasonable confidentiality obligations)
14. Data Breach Notification
In the event of a personal data breach affecting Controller data, Veluvanto will notify the Controller without undue delay and within 72 hours of becoming aware of the breach. The notification will include available information about: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed. Additional information will be provided as it becomes available.
15. Governing Law
This DPA is governed by the laws of the Czech Republic and applicable EU law, including GDPR. Any disputes shall be resolved in accordance with the governing law provisions of the Veluvanto Terms of Service.
16. Signed DPA
If your organization requires a separately executed, signed DPA (e.g., for enterprise compliance requirements), please contact us at legal@veluvanto.com. We will provide a signed copy within a reasonable time.
17. Contact
For all DPA-related inquiries:
Veluvanto s.r.o.
Korunní 2569/108, Vinohrady, 101 00 Praha 10
Email: legal@veluvanto.com
Privacy: privacy@veluvanto.com