Data Processing Agreement
Last Updated: 2025-11-23
If you have any questions about this document, please contact us at [email protected].
This Data Processing Agreement (“DPA”) forms part of the Master Terms of Service (“Agreement”) between Vekora (“Provider”) and the Customer.
Definitions and Roles
Section titled “Definitions and Roles”1.1 Roles. For the purposes of Data Protection Laws (including GDPR and CCPA), Customer is the Controller (or Business) and Provider is the Processor (or Service Provider). 1.2 Definitions. Terms such as “Personal Data,” “Processing,” “Data Subject,” and “Personal Data Breach” shall have the meanings ascribed to them in applicable Data Protection Laws. 1.3 Scope. This DPA applies to the Processing of Personal Data submitted to the PaaS platform by the Customer in connection with the use of the Services.
Customer Responsibilities
Section titled “Customer Responsibilities”Customer represents that it has obtained all necessary consents and provided all necessary notices to Data Subjects required to transfer Personal Data to Provider for the purpose of the Services.
Processing of Data
Section titled “Processing of Data”3.1 Instructions. Provider shall process Personal Data only on the documented instructions of Customer, which include the Agreement, this DPA, and the Customer’s configuration and use of the Services. 3.2 Purpose. The objective of processing is the performance of the Cloud Services as described in the Terms of Service and Service Level Agreement (SLA).
Sub-processors
Section titled “Sub-processors”4.1 Authorization. Customer generally authorizes Provider to engage third-party sub-processors to assist in the provision of Services. 4.2 List. A current list of sub-processors and their locations is available in our Subprocessor List. 4.3 Changes. Provider will update the Subprocessor List regarding any addition or replacement of sub-processors. Customer may object to a new sub-processor by notifying Provider in writing within ten (10) days of the update.
Security and Confidentiality
Section titled “Security and Confidentiality”5.1 Measures. Provider implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, or alteration. These measures are detailed in the Security Policy. 5.2 Confidentiality. Provider ensures that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Data Subject Rights
Section titled “Data Subject Rights”To the extent Customer cannot access the relevant Personal Data within the Services, Provider shall (at Customer’s expense) provide reasonable assistance to Customer to respond to requests from Data Subjects exercising their rights (e.g., rights of access, rectification, erasure, portability) under Data Protection Laws.
Data Breaches
Section titled “Data Breaches”Provider will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Notification procedures and specific timelines are further detailed in the Security Policy.
Audits and Compliance
Section titled “Audits and Compliance”Upon written request, Provider will make available to Customer information necessary to demonstrate compliance with this DPA. Since Provider does not currently hold external certifications (such as SOC 2 or ISO 27001), this requirement shall be satisfied by Provider completing a standard security questionnaire provided by Customer or providing written responses regarding Provider’s security practices.
International Transfers
Section titled “International Transfers”If Provider transfers Personal Data out of the European Economic Area (EEA), United Kingdom, or Switzerland to a country not deemed adequate by the European Commission, such transfers shall be governed by the Standard Contractual Clauses (SCCs) published by the European Commission. These EU-standard legal templates are legally “incorporated by reference” here, meaning both parties agree to abide by those standard EU terms for international transfers without needing to sign a separate physical document.
Return or Deletion of Data
Section titled “Return or Deletion of Data”Upon termination or expiration of the Agreement, Provider shall delete or return all Customer Data in accordance with the timelines and procedures specified in the Terms of Service and Acceptable Use Policy, unless applicable law requires storage of the Personal Data. For inquiries regarding this DPA or to report a vulnerability, please refer to our Bug Bounty Policy or contact our compliance team.