Velicoo

Legal

Data Processing Agreement

Last updated: 2026-05-07

Velicoo offers a standard Data Processing Agreement (DPA) under GDPR Article 28 to every merchant on the platform. The DPA covers Velicoo as data processor, with the merchant as data controller.

What it covers

  • Subject matter, duration, nature and purpose of processing.
  • Categories of personal data and data subjects.
  • Subprocessor list (Vercel, Fly.io, Resend, Stripe) and the approval flow for adding new ones.
  • EU Standard Contractual Clauses (SCCs) for any transfer outside the EU/EEA.
  • Security measures (TLS 1.3, AES-256, scoped access, audit logs).
  • Breach notification within 72 hours.
  • Audit rights and reasonable cooperation with data-subject requests.

How to get a copy

DPA is signed automatically on the Custom tier and available on request for all other plans. Email hello@velicoo.com with the subject "DPA" — we send the current version the same working day, ready for counter-signature.

Need redlines?

On Custom we accept redlines and negotiate the DPA against your own template. Smaller plans use the standard DPA — one document, no per-customer variations, so it stays auditable.