Data Processing Addendum

Last updated: January 2026

Scope

This DPA applies when Veluxa processes Personal Data on behalf of a Customer in connection with the Service. Terms not defined here have the meaning set in the main Terms of Service.

Sub-processors

Current list: AWS (infrastructure), Clerk (auth), Stripe (billing), OpenAI (AI), Anthropic (AI fallback), Google (AI video), Cloudflare R2 (storage), Pusher (realtime), PostHog (analytics). Scale + Enterprise customers receive 30 days' notice before new sub-processors are added.

Security measures

SOC 2 Type II in progress. Encryption at rest (libsodium) and in transit (TLS 1.3). Role-based access control. Annual penetration test. Audit log retention.

Data subject requests

We assist Customers in responding to access / correction / deletion requests within 30 days. Contact [email protected].

Breach notification

Within 72 hours of a confirmed breach, per GDPR Art. 33.

Execute a DPA

Scale + Enterprise customers receive a countersigned DPA on request. Email [email protected] with your entity name and billing email.