Data Processing Agreement
Last Updated:
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller") and VELUM Labs ("Processor," "we," "us," or "our") and governs the processing of Personal Data in connection with our Services.
1. Definitions
For purposes of this DPA:
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by VELUM Labs on behalf of Customer.
"Data Subject" means the individual to whom Personal Data relates.
"Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, or deletion.
"Sub-processor" means any third party engaged by VELUM Labs to process Personal Data on behalf of Customer.
"Data Protection Laws" means all applicable laws relating to data protection and privacy, including:
- EU General Data Protection Regulation (GDPR)
- UK Data Protection Act 2018
- California Consumer Privacy Act (CCPA)
- Other applicable regional data protection laws
"Encrypted Data" means data processed using fully homomorphic encryption (FHE) through our Services, where the plaintext content remains inaccessible to VELUM Labs.
2. Scope and Roles
Processing Scope
This DPA applies to Personal Data processed by VELUM Labs when providing our FHE platform and services to Customer.
Roles and Responsibilities
- Customer acts as the Data Controller, determining the purposes and means of processing Personal Data
- VELUM Labs acts as the Data Processor, processing Personal Data on behalf of and according to Customer's instructions
- Customer is responsible for ensuring a lawful basis for processing and obtaining necessary consents from Data Subjects
Nature of Processing
Purpose: Provide computational services, encrypted machine learning training, and privacy-preserving AI infrastructure
Duration: For the term of the service agreement and applicable retention periods
Types of Personal Data: As determined by Customer; may include any data uploaded or processed through our Services
Categories of Data Subjects: As determined by Customer; may include employees, customers, or other individuals whose data is processed
Special Category Data: Customer should not process special category or sensitive Personal Data without explicit agreement and appropriate safeguards
3. Customer Instructions
Processing Instructions
VELUM Labs will process Personal Data only:
- In accordance with Customer's documented instructions
- As necessary to provide the Services
- As required by applicable law (with notice to Customer where legally permissible)
Instruction Documentation
Customer's instructions are documented in:
- These Terms of Service and this DPA
- Customer's configuration and use of the Services
- Additional written instructions provided to VELUM Labs
Instruction Limitations
If VELUM Labs believes an instruction violates Data Protection Laws, we will inform Customer and may refuse to carry out the instruction until confirmed or modified.
4. Security Measures
Technical and Organizational Measures
VELUM Labs implements appropriate security measures, including:
Encryption:
- End-to-end homomorphic encryption for computational data
- TLS 1.3 for data in transit
- AES-256 encryption for data at rest
- Encryption key management and rotation
Access Controls:
- Role-based access control (RBAC)
- Multi-factor authentication (MFA)
- Principle of least privilege
- Regular access reviews and revocation procedures
Infrastructure Security:
- Secure cloud infrastructure (AWS)
- Network segmentation and firewalls
- Intrusion detection and prevention systems
- Regular security assessments and penetration testing
Operational Security:
- Security incident response procedures
- Regular security training for personnel
- Background checks for employees with data access
- Secure development lifecycle practices
Monitoring and Logging:
- Continuous security monitoring
- Audit logging of system access and activities
- Anomaly detection and alerting
Security Updates
We regularly review and update security measures to address evolving threats and maintain compliance with Data Protection Laws.
5. Confidentiality
Staff Obligations
VELUM Labs ensures that:
- Personnel with access to Personal Data are bound by confidentiality obligations
- Personnel are trained on data protection requirements
- Access is limited to those who need it to perform their duties
- Confidentiality obligations survive termination of employment
Non-Access to Encrypted Data
Due to the nature of homomorphic encryption:
- VELUM Labs personnel cannot access the plaintext content of Encrypted Data
- Processing occurs on encrypted data without decryption
- For Encrypted Data, cryptographic protections provide confidentiality guarantees beyond contractual obligations; Personal Data that Customer provides outside the FHE workflow (for example account and billing information) is protected by the measures in Section 4 and by the contractual obligations of this DPA
6. Sub-processing
Sub-processor Engagement
VELUM Labs may engage Sub-processors to assist in providing the Services. Current Sub-processors include:
- Amazon Web Services (AWS) - Cloud infrastructure and computational resources
- Stripe - Payment processing and billing services
A current and complete list of Sub-processors is available upon request by contacting dpo@velum-labs.com.
Sub-processor Requirements
VELUM Labs ensures that Sub-processors:
- Are bound by data protection obligations equivalent to this DPA
- Implement appropriate technical and organizational security measures
- Process Personal Data only for purposes authorized by Customer
- Undergo periodic evaluation and review
New Sub-processors
We will inform Customer of any intended changes concerning addition or replacement of Sub-processors at least 30 days in advance. Customer may object on reasonable grounds relating to data protection within 15 days of notice.
If Customer objects and parties cannot resolve concerns, Customer may terminate the affected Services without penalty.
Sub-processor Liability
VELUM Labs remains liable to Customer for Sub-processor performance of data protection obligations.
7. Data Subject Rights
Assistance with Rights Requests
VELUM Labs will provide reasonable assistance to Customer in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making
Request Handling
If VELUM Labs receives a Data Subject request directly:
- We will promptly forward the request to Customer
- We will not respond to the Data Subject without Customer's prior authorization
- Customer is responsible for responding to Data Subject requests
Technical Assistance
We will provide Customer with appropriate technical and organizational measures to fulfill Data Subject rights requests, taking into account the nature of processing.
8. Data Breaches and Incidents
Notification
VELUM Labs will notify Customer without undue delay (and where feasible within 72 hours) after becoming aware of a Personal Data breach.
Breach Information
Notification will include, to the extent available:
- Nature of the breach, including categories and approximate number of Data Subjects and records affected
- Contact point for further information
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
Investigation and Remediation
VELUM Labs will:
- Investigate the breach and take steps to remediate
- Preserve evidence and maintain records of breaches
- Provide reasonable assistance to Customer in breach notification to authorities or Data Subjects
- Cooperate with Customer's investigation and regulatory inquiries
Customer Responsibilities
Customer is responsible for:
- Determining whether to notify Data Subjects or authorities
- Complying with breach notification requirements under applicable laws
- Managing external communications regarding the breach
9. Audits and Compliance
Audit Rights
Customer has the right to audit VELUM Labs' compliance with this DPA, subject to:
- Providing reasonable advance notice (at least 30 days)
- Conducting audits no more than once per year (unless required by authorities or following a breach)
- Executing a confidentiality agreement
- Conducting audits during business hours with minimal disruption
- Bearing audit costs (unless the audit reveals material non-compliance)
Audit Alternatives
Customer may satisfy audit rights through:
- Reviewing our SOC 2 Type II reports, security certifications, and compliance documentation
- Submitting written questions to be answered within reasonable timeframes
- Engaging a mutually agreed independent third-party auditor
Compliance Documentation
VELUM Labs will provide information reasonably necessary to demonstrate compliance with obligations under this DPA and Data Protection Laws.
10. International Data Transfers
Transfer Mechanisms
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), United Kingdom, or your jurisdiction.
For transfers subject to GDPR or UK data protection law, VELUM Labs ensures adequate protection through:
- Standard Contractual Clauses (SCCs) - EU Commission approved SCCs or UK International Data Transfer Agreement/Addendum
- Adequacy Decisions - Transfers to countries with adequacy decisions from the EU Commission or UK
- Additional Safeguards - Supplementary measures including encryption, access controls, and data minimization
Transfer Impact Assessment
VELUM Labs has assessed the legal framework of recipient countries and implemented supplementary measures where necessary to ensure adequate protection.
Customer Obligations
Customer represents that it has complied with all requirements for transferring Personal Data to VELUM Labs, including:
- Implementing appropriate safeguards
- Providing necessary notices to Data Subjects
- Obtaining required consents or authorizations
11. Data Retention and Deletion
Retention Period
VELUM Labs implements data minimization principles and retains Personal Data only for the minimum duration necessary to provide Services and fulfill legal obligations.
Data Deletion
Upon termination or expiration of the Services, VELUM Labs will:
- Delete or return all Personal Data to Customer (at Customer's choice) within 30 days
- Delete existing copies unless storage is required by applicable law
- Certify deletion upon Customer's request
- Provide detailed deletion confirmation including scope and date of deletion
Backup Data
Personal Data in backup systems will be securely deleted or anonymized according to our standard backup retention and deletion cycles (maximum 60 days).
Customer-Initiated Deletion
Customer may request deletion of Personal Data at any time during the service term. We will process such requests within 10 business days unless technical limitations prevent immediate deletion.
Legal Retention
If law requires retention of Personal Data, VELUM Labs will:
- Inform Customer of the legal requirement
- Continue to protect the Personal Data
- Delete the data once the legal retention period expires
12. Limitation of Liability
The liability provisions in the Terms of Service apply to this DPA. Nothing in this DPA reduces VELUM Labs' liability under the Terms of Service.
Each party's liability to the other under this DPA is subject to the exclusions and limitations of liability set forth in the Terms of Service.
13. Term and Termination
This DPA takes effect when Customer accepts the Terms of Service and continues until termination of the Services or Customer's subscription.
Upon termination, data deletion provisions in Section 11 apply.
Sections that by their nature should survive termination will survive, including confidentiality, limitation of liability, and governing law provisions.
14. Governing Law and Disputes
This DPA is governed by the same law as the Terms of Service.
Any disputes arising from this DPA will be resolved according to the dispute resolution provisions in the Terms of Service.
15. Order of Precedence
In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.
16. Contact Information
For questions regarding this DPA or data protection matters:
VELUM Labs
Data Protection Officer: dpo@velum-labs.com
Legal: legal@velum-labs.com
Privacy: privacy@velum-labs.com
For inquiries from EU/EEA data subjects, please contact: dpo@velum-labs.com