Data Processing Agreement
Article 28 controller-to-processor terms for customers who use velixir to process personal data on behalf of their own users.
Last updated . Operated by velixir Ltd (company no. 17240244, registered in England & Wales).
This Data Processing Agreement (the “DPA”) supplements the velixir Terms of Service and applies whenever you (the “Controller”) use the velixir Service to process personal data - for example, when your application stores end-users' names, emails, or other personal identifiers in a velixir-managed database or cache. velixir Ltd (the “Processor”) processes that personal data on your behalf under the terms below.
By creating an account and accepting the Terms of Service, you accept this DPA. No separate signature is required; a countersigned PDF is available on request at [email protected] for enterprise procurement.
1. Subject matter, nature and purpose
velixir processes personal data solely to provide the Service to you - hosting your applications, storing data in databases and caches you provision, delivering email and HTTP traffic, and persisting logs and metrics. We do not use personal data for our own purposes, do not sell it, and do not use it to train AI models.
2. Duration
Processing continues for as long as your account is active and for the data-retention windows in our Privacy Policy. On termination, you have 30 days to export Customer Data before we delete it permanently.
3. Types of personal data and categories of data subjects
These are determined by you - velixir does not predetermine what you store. Typically, customers process:
- Identifiers: email address, username, name, IP address.
- Authentication data: password hashes, OAuth tokens, session cookies.
- Communications: messages, support history, notifications.
- Application-specific personal data of any category your application's domain warrants (excluding special-category data prohibited by clause 9 below without prior written agreement).
Data subjects are typically your end users, your employees, or your customers.
4. Sub-processors
velixir engages the following sub-processors. By accepting this DPA you authorise this list. We'll update the list if it changes and email you 30 days before adding a new sub-processor that has access to personal data.
| Sub-processor | Location | Purpose |
|---|---|---|
| Hetzner Online GmbH | Germany, Finland | Compute, storage, networking, object storage backups |
| OVH SAS | France | Edge nodes (HTTPS termination, traffic ingress) |
| Stripe Payments Europe Ltd | Ireland | Payment processing (no service data, only billing) |
| Resend Inc. | United States | Transactional email delivery (recipient address + body) |
| Cloudflare Inc. | United States with EU PoPs | DNS, anti-DDoS, edge caching |
| Intuition Machines (hCaptcha) | United States | Anti-bot on sign-up |
International transfers from the EEA to sub-processors outside the EEA are governed by the EU-US Data Privacy Framework where the sub-processor is certified, or by Standard Contractual Clauses (Commission Decision 2021/914) otherwise.
5. Confidentiality
velixir ensures that personnel authorised to process personal data are bound by confidentiality obligations. Access to production data is on a need-to-know basis and audit-logged.
6. Security measures
velixir maintains technical and organisational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Password hashing with PBKDF2 and random per-user salts.
- Environment variables encrypted at rest with ASP.NET Data Protection.
- Multi-factor authentication available to all accounts.
- Rate limiting on authentication endpoints; hCaptcha on sign-up.
- Network isolation of databases - no public internet exposure unless explicitly enabled per instance.
- Hardware-security-key-secured SSH for production administration; no shared admin credentials.
- Continuous logging of admin actions; quarterly review of access lists.
- Daily encrypted database backups with point-in-time recovery (PITR); backups stored in Hetzner Object Storage with separate credentials.
7. Data subject rights
If a data subject contacts velixir with a request relating to data we process on your behalf, we'll redirect them to you and notify you within 5 business days. We'll cooperate with you (at your reasonable expense) in fulfilling access, rectification, erasure, restriction, portability, and objection requests.
8. Personal data breaches
If velixir becomes aware of a personal data breach affecting your Customer Data, we'll notify you without undue delay and within 72 hours of becoming aware. The notice will describe the nature of the breach, the data affected (to the extent we can determine), the likely consequences, and the measures taken or proposed.
9. Special-category and prohibited data
Without prior written agreement, you may not use the Service to process:
- Special-category data under GDPR Article 9 (health, biometric, racial/ethnic origin, religious beliefs, sex life/orientation, political opinions, trade union membership).
- Children's personal data of users under 16, except via your own age-gating compliant with national laws.
- Personal data subject to PCI-DSS (cardholder data) - that's Stripe's job, not the application layer's.
- Data subject to HIPAA. velixir is not a HIPAA Business Associate at this time.
10. Deletion or return of data
On termination of your account, Customer Data is retained for 30 days to allow export, then permanently deleted from primary systems within a further 7 days. Encrypted backups are aged out within 90 days, after which deletion is complete. Billing records are retained for six years (UK statutory tax requirement).
11. Audit
velixir will make available to you the information necessary to demonstrate compliance with this DPA. Audit reports and SOC-equivalent attestations will be shared with enterprise customers under NDA where available; bespoke on-site audits can be arranged at the Controller's expense for material concerns.
12. Order of precedence
Where this DPA conflicts with the Terms of Service, this DPA prevails for matters relating to personal data processing. Where it conflicts with the Standard Contractual Clauses incorporated by reference for international transfers, the Clauses prevail.
13. Contact
velixir Ltd
Office 2, Risebridge Farm, Peasley Lane
Cranbrook, England, TN17 1HP
[email protected]