Data Processing Agreement
The terms under which VELMORA LLC processes Personal Data on behalf of its clients (Article 28 GDPR, UK GDPR Art. 28, and CCPA/CPRA service-provider provisions). Incorporated by reference into every Statement of Work that involves processing of personal data.
- When you (the Client) hire Velmora to build, host, or run SEO on a site that collects Personal Data, you are the Controller and we are the Processor under GDPR (or Business and Service Provider under CCPA/CPRA).
- This DPA is automatically part of every engagement that involves Personal Data — no separate signature required unless your procurement requires one.
- We process Personal Data only on your documented instructions, with appropriate security measures, sub-processor controls, and EU Standard Contractual Clauses for international transfers.
- We will return or delete all Personal Data within 30 days of contract end, and notify you of any Personal Data breach within 48 hours.
Purpose & scope
This Data Processing Agreement (“DPA”) supplements the master agreement between VELMORA LLC (“Velmora,” “Processor”) and the customer identified in the applicable Statement of Work (“Client,” “Controller”) (together the “Agreement”) and governs the processing of Personal Data carried out by Velmora on behalf of Client in connection with the Services.
This DPA reflects the parties' obligations under: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (b) the UK GDPR and the Data Protection Act 2018 (“UK GDPR”); (c) the revised Swiss Federal Act on Data Protection (“revFADP”); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”); and (e) other applicable US state privacy laws.
In case of conflict between this DPA and the Agreement on a matter of data protection, this DPA prevails.
Definitions
Capitalized terms not defined here have the meanings given in the GDPR or the CCPA/CPRA. The following terms have the meanings indicated:
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- Sub-processor: A third party engaged by the Processor to process Personal Data on the Controller's behalf.
- Standard Contractual Clauses / SCCs: The clauses approved by European Commission Implementing Decision (EU) 2021/914.
- UK IDTA: The UK International Data Transfer Addendum to the EU SCCs (in force March 2022).
- Data Subject: An identified or identifiable natural person to whom Personal Data relates.
Roles & documented instructions
In respect of Personal Data processed under this DPA, Client is the Controller and Velmora is the Processor. The Agreement (including the SOW, this DPA, and any written communications between the parties) constitutes Client's documented instructions to Velmora.
Velmora will only process Personal Data on these documented instructions, except where required by EU, UK, or US law to which Velmora is subject — in which case Velmora will (unless prohibited) notify Client of the legal requirement before processing.
Velmora will inform Client without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.
Processing details (Annex I to the SCCs)
- Subject matter: Provision of web development, hosting, content, and SEO services as described in the SOW.
- Duration: The term of the Agreement plus the retention periods set out in § 12.
- Nature & purpose: Building, deploying, hosting, monitoring, and optimizing websites and related digital properties on Client's behalf.
- Categories of Data Subjects: Client's website visitors and customers; Client's employees and contractors interacting with us in the course of the engagement.
- Categories of Personal Data: Identifiers (name, email, IP), commercial information, internet activity, contact details, account credentials shared by Client, and any other category Client elects to collect through systems we build.
- Special categories: Not processed unless explicitly agreed in writing.
- Frequency: Continuous, on a one-off and recurring basis as needed to provide the Services.
Confidentiality of personnel
Velmora ensures that personnel authorized to process Personal Data (a) have committed themselves to confidentiality (or are under appropriate statutory obligations of confidentiality), and (b) receive appropriate data-protection training on hire and annually thereafter.
Security measures (Annex II to the SCCs)
Velmora has implemented and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Measures include:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256, vendor-managed).
- Access controls based on least privilege; MFA mandatory; quarterly access reviews.
- Secure software-development lifecycle, including code review, static analysis, dependency scanning.
- Vulnerability management and patching within 14 days (24 hours for critical CVEs).
- Annual third-party security review; tabletop incident-response exercises every six months.
- Encrypted backups with rolling 35-day retention; documented restoration drills.
- Documented incident-response process aligned with NIST SP 800-61r3.
The full controls inventory is published on our Trust & Security page and is incorporated by reference as Annex II.
Sub-processors (Annex III to the SCCs)
Client provides general authorization for Velmora to engage Sub-processors. The current list is maintained on our Trust & Security page.
Velmora will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable to Client for the acts and omissions of each Sub-processor.
Velmora will give Client at least 30 days' advance notice of any new Sub-processor (by email and Trust-page update). Client may object on reasonable, documented data-protection grounds; if the parties cannot resolve the objection in good faith, Client may terminate the affected SOW without penalty.
Data-subject rights assistance
Taking into account the nature of the processing, Velmora will assist Client by appropriate technical and organizational measures, insofar as possible, in fulfilling Client's obligation to respond to requests from Data Subjects under Chapter III GDPR or the CCPA/CPRA (access, rectification, erasure, restriction, portability, objection, opt-out of sale/share).
Where Velmora receives a request directly from a Data Subject in relation to Personal Data processed for Client, Velmora will (a) not respond except to confirm receipt and direct the Data Subject to Client, and (b) promptly notify Client of the request.
Personal data breach
Velmora will notify Client without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach affecting Client's data. The notification will include, to the extent then known:
- The nature of the breach, including categories and approximate numbers of Data Subjects and records.
- The name and contact details of Velmora's incident commander.
- The likely consequences.
- The measures taken or proposed to address the breach and mitigate effects.
Velmora will reasonably assist Client in notifying supervisory authorities and Data Subjects where required, and in conducting an investigation. Velmora will document each breach internally for at least 5 years.
DPIA & prior consultation
Velmora will, upon reasonable request and at Client's cost (excluding Velmora's standard reporting), provide reasonable assistance to Client in carrying out data-protection impact assessments and prior consultations with supervisory authorities, in respect of the processing carried out under the Agreement.
International data transfers
Where Velmora transfers Personal Data subject to the GDPR/UK GDPR/revFADP outside the EEA/UK/Switzerland to a country that has not received an adequacy decision, the transfer will be carried out under one of the following mechanisms:
- The EU–US Data Privacy Framework (where the recipient is certified).
- The EU Standard Contractual Clauses (Module 2 or Module 3 as applicable).
- The UK International Data Transfer Addendum.
- The Swiss FDPIC's SCC addendum.
By executing the Agreement, the parties are deemed to enter into the applicable SCCs, with Velmora acting as Data Importer and Client as Data Exporter. The information required for the Annexes is set out in § 4 (Annex I), § 6 (Annex II), and § 7 (Annex III). The Supervisory Authority identified in Annex I.C is the lead authority of the Client's place of establishment in the EU; in the UK, the Information Commissioner's Office.
Velmora maintains and updates a Transfer Impact Assessment for each onward transfer; a copy is available on written request.
Return & deletion at end of services
At Client's choice, expressed in writing within 30 days of the end of the engagement, Velmora will either return all Personal Data to Client in a structured, commonly used, machine-readable format, or delete it. Backups will be cryptographically erased within 35 days of production deletion.
Velmora may retain Personal Data after the engagement only where required by EU/UK/US law (e.g., for tax records), and only for the legally required minimum period. Such retained data will be protected by the security measures described in § 6 and not used for any other purpose.
Audits & inspections
Velmora will make available to Client all information necessary to demonstrate compliance with this DPA. Such information includes, at no additional charge: (a) the most recent third-party security review, (b) the Velmora security questionnaire response (CAIQ, SIG Lite), and (c) the sub-processor list.
Once per year, Client may, on at least 30 days' written notice, conduct an audit of Velmora's data-protection compliance, either by Client's own qualified personnel or by an independent third party mutually agreed (excluding direct competitors of Velmora). Audits will be conducted during business hours, must not unreasonably interfere with operations, and may not access other clients' data. Velmora may require execution of an NDA.
In the event of a confirmed Personal Data Breach affecting Client, the above frequency and notice limits do not apply.
CCPA / CPRA service-provider terms
For Personal Information subject to CCPA/CPRA, the parties further agree that:
- Velmora is a “Service Provider” and Client is a “Business” under the CCPA/CPRA.
- Velmora will not (a) sell or share Personal Information; (b) retain, use, or disclose Personal Information for any purpose other than the specific business purpose of performing the Services, including for any “commercial purpose” other than performing the Services; (c) retain, use, or disclose Personal Information outside of the direct business relationship between Velmora and Client; or (d) combine Personal Information received from Client with Personal Information received from other sources, except as permitted by 11 CCR § 7050(c).
- Velmora certifies that it understands and will comply with these restrictions.
- Velmora will notify Client promptly if it determines that it can no longer meet its obligations under the CCPA/CPRA.
Liability
Each party's liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability in the Agreement, except where applicable law (including Art. 82 GDPR) provides otherwise.
Term
This DPA takes effect on the effective date of the Agreement and continues until completion of all Services and return or deletion of all Personal Data. Obligations that by their nature should survive (confidentiality, liability, breach notification of past incidents) survive termination.
General
Order of precedence. This DPA controls over conflicting terms in the Agreement on data protection matters. The SCCs control over this DPA in the event of conflict between them.
Severability. If a provision is invalid or unenforceable, the remainder remains in effect.
No third-party beneficiaries. This DPA confers no rights on any third party, except that the third-party-beneficiary rights of Data Subjects under the SCCs are preserved.
Governing law & jurisdiction. As set out in the Agreement, except for the SCCs, which are governed by the law of the EU Member State of the Data Exporter (or such other law as the SCCs specify).
Execution
By entering into the Agreement and submitting Personal Data for processing by Velmora, Client is deemed to have signed this DPA and, where applicable, the SCCs incorporated herein. Where Client's procurement process requires a signed counterpart, email legal@velmoraseo.com and we will return a signed copy within 5 business days.