Home / Data Processing Agreement

Data Processing Agreement

Template — for review before purchase. Last updated: June 4, 2026.

This page publishes the template Data Processing Agreement (DPA) Veltima offers to Enterprise customers. A signed copy is executed manually after the commercial close — request one at sales@veltima.app.

Scope

This DPA applies to personal data the Customer submits to or instructs Veltima to process when using the Veltima service under an active Enterprise contract. It supplements the Terms of Service and is incorporated by reference into the master agreement.

Roles

For personal data the Customer uploads or otherwise submits to Veltima (account-holder data, contact-list inputs, integration payloads), the Customer is the data controller and Veltima is the data processor.

For data Veltima collects from public e-commerce websites and aggregates into its commercial directory under its own legitimate interest, Veltima acts as an independent controller. That activity is governed by the Privacy Policy, not this DPA.

Subject matter and duration

Veltima processes personal data on Customer's documented instructions for the duration of the Enterprise contract and for a limited period afterwards as required by tax and reconciliation obligations described in the Privacy Policy.

Categories of data and data subjects

Personal data processed under this DPA may include: name, business email, business phone, professional role, account identifiers, usage logs, and any data the Customer chooses to submit through search, export, API, or integration features. Data subjects may include the Customer's employees and contacts the Customer chooses to enrich through the platform.

Sub-processors

Veltima uses a small set of sub-processors to operate the service. Names and roles include:

  • Hetzner (Germany / Finland) — infrastructure hosting and backups.
  • Cloudflare — edge network and DDoS protection.
  • Stripe — Enterprise billing and invoicing.
  • WayForPay — self-serve card billing for legacy monthly subscriptions.
  • Resend — transactional email delivery.

Material changes to the sub-processor list are communicated to the dedicated support address with at least 30 days notice. The current list available to active Enterprise customers is the authoritative one and overrides the snapshot above if the two diverge.

Security

Veltima implements appropriate technical and organisational measures to protect personal data, including: HTTPS in transit, encrypted backups at rest, principle-of-least-privilege access to production data, dependency hygiene, and secret-rotation procedures. Specific controls are described in the Trust Center.

Data subject rights

Veltima assists the Customer in fulfilling data-subject requests (access, correction, erasure, restriction, portability, objection) using reasonable means available to a processor. Requests routed through Veltima are forwarded to the Customer's dedicated support address within 5 business days.

Personal data breach notification

Veltima notifies the Customer of a personal data breach affecting Customer data without undue delay after becoming aware of it, and in any case within 72 hours. Notification is sent to the Customer's dedicated support address and includes the nature of the breach, the categories and approximate number of data subjects affected if known, the likely consequences, and the measures taken or proposed.

International transfers

Personal data is stored in the EU. Where transfers outside the EU are required (e.g. a sub-processor with non-EU operations), Veltima relies on Standard Contractual Clauses or other valid transfer mechanisms.

Audit

Veltima provides reasonable cooperation with audits required by Article 28(3)(h) GDPR. Audit requests are handled remotely through documentation and written responses; on-site audits are limited to one per year and require 30 days written notice.

Return and deletion

On termination of the Enterprise contract, Veltima returns or deletes Customer personal data within the retention window described in the Privacy Policy, except where retention is required by law (tax, accounting).

Requesting a signed copy

To request a signed Data Processing Agreement, email sales@veltima.app with your company's legal name, country of incorporation, and the contact who will sign on behalf of the Customer. The signature workflow is manual — there is no click-to-sign option in the application.