Last updated · May 23, 2026
1. Parties and scope
This Data Processing Addendum (“DPA”) is between you (“Customer” and “Controller”) and Veliqo (“Veliqo,” “Processor”) and supplements the Terms of Service in respect of personal data Veliqo processes on the Customer’s behalf while delivering the service.
2. Subject-matter, duration, nature and purpose
- Subject-matter: processing of personal data necessary to provide the Veliqo service to the Customer.
- Duration: the term of the Customer’s subscription, plus any limited retention period set out in our Privacy Policy.
- Nature and purpose: storage, retrieval, indexing and AI processing of Customer Content so the Customer can summarize, query, quiz and study their documents.
- Categories of data subjects: the Customer’s end users (i.e. authorized account holders).
- Types of personal data: account identifiers (email, name, avatar URL), authentication metadata, and any personal data the Customer chooses to upload within documents.
3. Processor obligations
Veliqo will:
- Process personal data only on documented instructions from the Customer.
- Ensure persons authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Annex II).
- Assist the Customer in responding to data-subject requests where reasonably required.
- Notify the Customer without undue delay of any personal-data breach.
- Delete or return personal data at the Customer’s choice on termination.
- Make available information necessary to demonstrate compliance.
4. Subprocessors
The Customer authorizes Veliqo to engage the subprocessors listed in our Privacy Policy. We’ll notify customers of any new subprocessor with at least 30 days’ notice (via email to the account’s billing address). The Customer may object on reasonable grounds, in which case the parties will work together to find a solution or terminate the affected service.
5. International transfers
Where Veliqo or a subprocessor processes personal data outside the EEA, UK or Switzerland, the transfer will be governed by the European Commission’s Standard Contractual Clauses (or the equivalent UK / Swiss addenda) which are incorporated by reference into this DPA.
6. Personal-data breach
We will notify the Customer without undue delay (and in any case within 72 hours) of becoming aware of a personal-data breach affecting Customer personal data, along with information reasonably available to assist the Customer in meeting its own notification obligations.
7. Audits
On reasonable written request and no more than once per twelve months, the Customer may review our most recent third-party audit reports (when available). On-site audits are reserved for cases where the reports are insufficient and are subject to mutually agreed scope, timing and confidentiality terms.
8. Liability
The liability of each party under this DPA is subject to the limitations of liability in the Terms of Service.
9. Termination
On termination or expiry of the subscription, Veliqo will, at the Customer’s choice, return or delete all Customer personal data, unless retention is required by applicable law.
Annex I — Description of processing
See section 2 above for a description of the categories of data, data subjects and purpose of processing.
Annex II — Technical and organizational measures
- TLS 1.2+ for all data in transit; encrypted database connections.
- Stateless JWT sessions; OAuth and email magic-link sign-in only.
- Server-side authorization on every API route and server action.
- Per-user tenant isolation enforced at the database query layer.
- Plan-aware, race-safe daily quota enforcement to prevent abuse.
- Secrets stored in Vercel’s encrypted environment, never in source.
- CI gates (typecheck, lint, build) on every change before production deploy.
- Structured logging and alerting on anomalous error or quota events.
Contact
Questions or signed copies: legal@veliqo.net.