1. Scope
This DPA applies to the processing of Customer Personal Data by VelocIT when providing the NSite Service. “Applicable Data Protection Law” means any law applicable to Customer or VelocIT relating to the protection or privacy of personal data, including (where applicable) the GDPR, the UK GDPR, the Swiss FADP, and applicable US state privacy laws.
2. Roles
Customer is the Controller (or Business) of Customer Personal Data. VelocIT is the Processor (or Service Provider) that processes Customer Personal Data on Customer's behalf and under Customer's instructions. Each party shall comply with its respective obligations under Applicable Data Protection Law.
3. Processing instructions
VelocIT processes Customer Personal Data only on Customer's documented instructions, which are set out in the Principal Agreement and this DPA. VelocIT will promptly inform Customer if, in VelocIT's opinion, an instruction infringes Applicable Data Protection Law. VelocIT may process Customer Personal Data as required by applicable law, in which case VelocIT will (to the extent permitted) notify Customer of that requirement before processing.
4. Sub-processors
Customer grants VelocIT general written authorisation to engage the sub-processors listed in Annex III. VelocIT will give Customer at least 30 days' written notice before engaging any new sub-processor. Customer may object within that period by emailing privacy@velocitsystems.com; VelocIT will work with Customer in good faith to resolve the objection.
VelocIT binds each sub-processor to data-protection obligations substantially equivalent to those in this DPA and remains liable to Customer for the acts and omissions of its sub-processors.
5. Security
VelocIT implements and maintains the technical and organisational measures described in Annex II, which VelocIT considers appropriate to the risk. VelocIT will ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.
6. Controller assistance
VelocIT will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures to fulfil Customer's obligations to respond to data subject requests, and to comply with Customer's obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities. VelocIT may charge reasonable fees for assistance that is outside the ordinary scope of the Service.
7. Data subject rights
VelocIT will promptly notify Customer if it receives a data subject request relating to Customer Personal Data. VelocIT will not respond to such requests directly (unless required by law) and will instead direct the data subject to Customer. VelocIT will cooperate with Customer as reasonably necessary to enable Customer to respond to the request.
8. Personal data breach
VelocIT will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent known:
- Nature of the breach, categories and approximate number of Data Subjects and records concerned.
- Likely consequences of the breach.
- Measures taken or proposed to address it and mitigate adverse effects.
- Contact details of VelocIT's privacy contact for further information.
VelocIT will reasonably cooperate with Customer's investigation, remediation, and notification efforts.
9. Audit rights
VelocIT will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including the results of its most recent independent audit (annual penetration test report and any then-current attestations) under reasonable confidentiality terms.
Where the foregoing is insufficient under Applicable Data Protection Law, Customer (or a mutually agreed independent third party not in competition with VelocIT) may, at Customer's expense and on at least 30 days' written notice, conduct an audit no more than once per 12-month period during business hours in a manner that does not unreasonably interfere with VelocIT's operations.
10. International transfers
VelocIT primarily processes Customer Personal Data in the United States. Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country not deemed adequate:
- EEA transfers: governed by the EU SCCs, Module Two (Controller to Processor) or Module Three (Processor to Processor), as applicable, incorporated by reference. Annex I and II of this DPA populate the required fields. Option 2 of Clause 9(a) applies (general written authorisation with 30 days' notice). The supervisory authority is determined by Customer's lead establishment, defaulting to the Irish DPC.
- UK transfers: governed by the UK Addendum to the EU SCCs issued by the ICO.
- Swiss transfers: governed by the EU SCCs amended for the Swiss FADP, with references to “GDPR” treated as references to the FADP, the Swiss FDPIC as supervisory authority, and Swiss law as governing law.
A Transfer Impact Assessment is available on request to privacy@velocitsystems.com.
11. Return & deletion
On termination or expiration of the Principal Agreement, and on Customer's written request, VelocIT will return or delete Customer Personal Data within 60 days, subject to the export window described in the Terms of Service. VelocIT may retain Customer Personal Data to the extent required by applicable law; such retained data remains subject to the security and confidentiality obligations of this DPA.
12. Liability
Each party's aggregate liability under this DPA is subject to the limitations of liability set out in the Principal Agreement. Nothing in this DPA limits either party's liability where such limitation is prohibited by Applicable Data Protection Law.
Annex I — Description of processing
A. List of parties
Data exporter / Controller: Customer, as identified in the account record on the Service.
Data importer / Processor: VelocIT Systems LLC, Georgia, USA. Contact: privacy@velocitsystems.com.
B. Description of processing
| Item | Description |
|---|---|
| Categories of Data Subjects | (i) Customer's Authorized Users; (ii) individuals identifiable in endpoint inventory of End Client environments (e.g., logged-in usernames on a workstation). |
| Categories of Personal Data | Name, work email, role; endpoint hostname, IP address, OS user account names; configuration metadata; scan-event logs; IP address and user-agent of authenticated sessions. |
| Special categories | None. The Service is not designed to process special categories of Personal Data and Customer agrees not to upload such data. |
| Frequency of processing | Continuous, for the duration of the subscription. |
| Nature of processing | Hosting, collection, recording, organization, storage, retrieval, consultation, use, transmission, generation of reports, and deletion, all as necessary to provide the Service. |
| Purpose | Operating the NSite Service for the benefit of Customer and, where applicable, Customer's End Clients. |
| Duration | For the term of the Principal Agreement and any post-termination return/deletion window. |
C. Competent supervisory authority
For EEA data exporters: the supervisory authority of the Member State of the data exporter's lead establishment, or the Irish DPC where unclear. For UK data exporters: the UK Information Commissioner's Office. For Swiss data exporters: the Swiss FDPIC.
Annex II — Technical & organizational measures
Access control
- Role-based access control with least-privilege defaults across the Service.
- Mandatory TOTP multi-factor authentication on every user login.
- Production access by VelocIT personnel is restricted to a documented short list, logged, and time-boxed.
- Scan credentials stored encrypted using envelope encryption with KMS-managed keys; never exposed in clear text in the UI, API, or logs.
Encryption
- TLS 1.2+ for all data in transit.
- AES-256 for all data at rest in primary storage and backups.
- Backups encrypted with separate key material and stored in a different region.
Tenant isolation
- PostgreSQL Row-Level Security (RLS) enforced on every table containing Customer Personal Data.
- Application-level tenant checks in addition to RLS, as defense in depth.
Operations & monitoring
- Centralized log aggregation, retained for up to 90 days.
- Real-time alerting on authentication anomalies, error rate spikes, and infrastructure availability.
- Vulnerability scanning of container images on every build.
- Annual third-party penetration testing of the Service.
Resilience
- Daily automated backups with a 30-day retention window.
- Multi-AZ deployment for the primary database tier.
- Documented disaster recovery procedure with quarterly drills.
Personnel
- Background checks for personnel with production access, where permitted by law.
- Mandatory annual security and privacy training for all personnel.
- Confidentiality obligations in every employment and contractor agreement.
Incident response
- Documented incident response procedure with named on-call roles.
- Personal Data Breach notification to controllers within 72 hours.
- Annual incident response exercise.
Annex III — Authorized subprocessors
As of the effective date of this DPA:
| Subprocessor | Service | Region |
|---|---|---|
| Amazon Web Services / Supabase | Database (PostgreSQL), authentication, file storage | US (us-east-1, multi-AZ) |
| Vercel, Inc. | Application hosting and edge delivery | US, with global edge cache |
| Stripe, Inc. | Payment processing and subscription management | US, Ireland |
| Resend, Inc. | Transactional email delivery | US |
| Functional Software (Sentry) | Application error and performance monitoring | US |
| Plausible Insights OÜ | Cookie-free site analytics | EU (Estonia) |
To subscribe to subprocessor change notifications, ensure the primary admin email on your account is current and monitored. Notifications are sent at least 30 days before any new subprocessor begins processing Customer Personal Data.