Data Processing Agreement
If you process personal data of EU/UK residents through Vela, we are your data processor and you are the controller. This DPA forms part of our Terms when those circumstances apply.
Parties
"Controller" means you, the customer. "Processor" means Vela Build. "Sub-processors" are third-party services we engage to deliver Vela Hosted.
Scope
We process personal data strictly to provide the service: storing your content, sending transactional emails, serving your site to visitors, and generating usage analytics for your dashboard.
Processing principles
We only process data on your documented instructions. We don't sell, rent, or repurpose your data. We don't train AI models on your content.
Security
Technical and organisational measures listed on /security. Summary: encryption at rest + in transit, least-privilege access, MFA for staff, logged access, nightly encrypted backups.
Sub-processors
A current list of sub-processors lives at /security/sub-processors. We'll notify you by email at least 14 days before adding a new sub-processor.
International transfers
Where we transfer personal data outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) and maintain Transfer Impact Assessments.
Your rights
As controller, you can: export your data at any time, request we correct or delete specific records, and receive breach notifications within 24 hours of confirmation.
Data retention
We retain your data while your account is active. On termination, we delete your data within 30 days — except where legal obligations require longer retention.