Data Processing Addendum

Effective Date: 1 December 2022, Version: 1.1

Please find information on our Security Policy (PDF, 1.7MB).

1.    INITIAL PROVISIONS
  1. This Data Processing Addendum forms an integral part of the Agreement and is referenced in the Terms of Service.
  2. This Data Processing Addendum is subject to change. The current version is always available at https://www.velaris.io/data-processing-addendum.
  3. By entering into the Agreement with Velaris, You, the Customer, acknowledge that you have read and understood this Data Processing Addendum and agree to be bound by it.
2.    DEFINITIONS
  1. Capitalised definitions not otherwise defined below shall have the meaning given to them in the Terms of Service.
  2. In this Data Processing Addendum, the following capitalised definitions have the following meaning:
"CCPA"
means the California Consumer Privacy Act, California Civil Code §§ 1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this Data Processing Addendum;
"Data Breach"
means a breach of security of the Service leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Velaris under this Data Processing Addendum;
"Data Protection Legislation"
means, as applicable to a party and its Processing of Personal Data: (i) UK Data Protection Law, (ii) CCPA and any national data protection laws made under the CCPA, (iii) EU Data Protection Law; (iv) any other law applicable for the provision of the Services;
"Personal Data"
means any information that (i) is protected as "personal data", "personal information" or "personally identifiable information" under Data Protection Legislation; and (ii) is Processed by Velaris on behalf of the Customer in the course of providing the Service, as more particularly described in Annex A of this Data Processing Addendum;
"Restricted Transfer"
means either (i) a transfer of Personal Data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; or (ii) a transfer of Personal Data from the European Economic Area to any other country which is not subject based on adequacy regulations of the European Commission;
"Sub-processor"
means any third party engaged by Velaris to assist in fulfilling its obligations with respect to providing the Service and that Processes Personal Data as Processor;
"Standard Contractual Clauses"
means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021;
"UK Addendum"
means standard data protection clauses to be issued by the UK ICO under S119A(1) Data Protection Act 2018, version B1.0 and attached as Annex D of this Data Processing Addendum;
"UK Data Protection Law"
means: (i) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i) or (ii); in each case, as may be amended or superseded from time to time; and
the terms "Controller", "Processor", "Process", "Processing" and "Data Subject" shall have the same meanings given to them under the UK GDPR, and the terms "business", "service provider" and "sale" have the same meaning given to them under the CCPA.
3.    VELARIS' OBLIGATION
  1. Roles. For the purposes of the GDPR, UK GDPR, and similar Data Protection Legislation, the Customer (or third party on whose behalf the Customer is authorised to instruct Velaris) is the Controller of Personal Data, and Velaris shall Process Personal Data as a Processor (or sub-Processor, as applicable to the Customer's use of the Service); and for the purposes of the CCPA (to the extent the CCPA is applicable), the Customer is the "business" and Velaris is the "service provider".
  2. Permitted Purposes. Velaris shall Process Personal Data for the purposes described in Annex A and in accordance with the Customer's documented lawful instructions ("Permitted Purposes"), except where otherwise required by law(s) that are not incompatible with applicable Data Protection Legislation. In particular and to the extent the CCPA is applicable, the Customer's transfer of Personal Data to Velaris is not a sale, and Velaris provides no monetary or other valuable consideration to the Customer in exchange for Personal Data. To the extent required by Data Protection Legislation, this Clause 3.b constitutes the certification from Velaris to the Processing instructions herein. Velaris is obliged at all times to Process Personal Data in compliance with Data Protection Legislation and fulfil all its obligations arising out of Data Protection Legislation.
  3. Processing Instructions. Velaris shall immediately inform the Customer if it becomes aware that the Customer's Processing instructions infringe Data Protection Legislation. If Velaris is unable to Process Personal Data in accordance with the Customer's documented lawful instructions, Velaris is obliged to promptly notify the Customer of its inability to comply.
  4. Security Measures. Velaris shall implement and maintain reasonable and appropriate technical and organisational measures designed to protect all data, including Personal Data, from Data Breaches and preserve their security, integrity, and confidentiality. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, these measures must include the measures identified in Annex C of this Data Processing Addendum.
  5. Access and Confidentiality. Velaris shall ensure that any person it authorises to Process the Personal Data (including Velaris' staff, agents and Sub-processors) ("Personnel") are under appropriate obligations of confidentiality (whether a contractual or statutory duty), have received proper training, and are informed about the confidential nature of the Personal Data and their obligations related to it and have access to Personal Data only in accordance with the need-to-know principle. Velaris shall ensure that all Personnel Process the Personal Data only as necessary for the Permitted Purposes.
  6. Data Returns and Deletion. Upon termination or expiration of the Agreement, Velaris must delete or return to the Customer all Personal Data (including copies) in its possession or control in accordance with the Agreement.
  7. Audit Rights.
    • Records of Processing. Velaris shall maintain records of its Personal Data Processing activities in accordance with Data Protection Legislation. Upon the first request, Velaris shall provide the records to the Customer, any auditor appointed by it or any supervisory authority. Velaris shall also respond to any written audit questions submitted to it by the Customer and that are necessary to confirm Velaris' compliance with this Data Processing Addendum.
    • Certifications. If Velaris maintains records in accordance with Information Security Management System ("ISMS") standards, Velaris shall, on the Customer's request, provide to the Customer copies of relevant external ISMS certifications, audit report summaries or other documentation necessary to demonstrate compliance with this Data Processing Agreement and Data Protection Legislation.
    • Audit. Velaris shall allow the Customer (or a third party licensed auditor engaged by the Customer) to carry out the remote audit of the electronic data files, systems, and documentation relating to the Processing of Personal Data, provided that the Customer bears all costs of the audit.
    • Scope of Audit. The audit under the preceding Clause shall:
      • occur no more than once in any 12-month period;
      • be agreed by the Parties no fewer than thirty (30) days in advance; and
      • take no more time than reasonably necessary, in any case, fewer than 16 business hours.
4.    CUSTOMER'S OBLIGATIONS
  1. Customer's Processing of Personal Data. The Customer shall, in its use of the Service, Process Personal Data in accordance with Data Protection Legislation. The Customer shall have the sole responsibility for the accuracy, quality, and legality of Personal Data and how the Customer acquired Personal Data.
  2. Customer's Compliance. Customer agrees that:
    • it shall comply with its obligations as a Controller under Data Protection Legislation in respect of its Processing of Personal Data and any Processing instructions it issues to Velaris;
    • it has provided notice and obtained (or shall obtain) all consents or any other necessary authorisations (as applicable) under Data Protection Legislation for Velaris to Process Personal Data for the Permitted Purposes;
    • it has fulfilled (or shall fulfil) all registration or notification obligations to which the Customer is subject under the Data Protection Legislation; and
    • it is responsible for its own Processing of Personal Data, including integrity, security, maintenance and appropriate protection of Personal Data under the Customer's control.
  3. Technical and Organisational Measures. The Customer is responsible for its secure use of the Service, including securing the Account, protecting the security of Personal Data when in transit to and from the Service and taking any appropriate technical, organisational and security measures to securely encrypt or backup any Personal Data uploaded to the Service. The Customer is also responsible for the use of the Service by any person the Customer authorised to access or use the Service, and any person who gains access to its Personal Data or the Service as a result of its failure to use reasonable security precautions, even if the Customer did not authorise such use. The Customer agrees to, immediately upon awareness, notify Velaris of any unauthorised use of Service or the Account or of any other breach of security involving the Service.
  4. Use of Cookies. Where the Service employs the use of cookies or similar tracking technologies ("Cookies"), the Customer shall maintain appropriate notice and consent mechanisms as required by Data Protection Legislation and industry best practice (or as otherwise reasonably requested by Velaris) to enable Velaris to deploy Cookies lawfully on, and collect data from, the devices of Data Subjects to provide the Service. Velaris, upon request, shall provide the Customer with all information reasonably required by the Customer (including details about the Cookies) to enable the Customer to provide such notice. The Customer shall promptly notify Velaris if it is unable to comply with these obligations.
5.    COOPERATION
  1. Data Subject Rights. To the extent that the Customer is unable to access the relevant Personal Data within the Service independently, Velaris shall, taking into account the nature of the Processing, provide assistance (including by appropriate technical and organisational measures) to enable the Customer to:
    • respond to any requests from a data subject seeking to exercise any of its rights under Data Protection Legislation (including its right of access, correction, objection, erasure and data portability, as applicable); and
    • any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Personal Data (collectively "Correspondence").
    In the event that any such Correspondence is made directly to Velaris, it shall promptly notify the Customer and shall not respond directly unless legally compelled to do so. If Velaris is required to respond to such Correspondence, Velaris shall promptly notify the Customer and provide it with a copy of the request, unless legally prohibited from doing so.
  2. Data Protection Impact Assessment. To the extent required by Data Protection Legislation, Velaris shall provide all requested information regarding the Service to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Legislation.
  3. Request for Disclosure. Velaris is obliged to promptly notify the Customer about any legally binding request for disclosure of the personal data by a judicial or regulatory authority unless otherwise prohibited, such as the obligation under criminal law to preserve the confidentiality of a judicial enquiry and to assist the Customer therewith (at the Customer's expense).
6.    SECURITY INCIDENTS
  1. Data Breach. Upon becoming aware of a Data Breach, Velaris shall notify the Customer without undue delay and shall provide such timely information and cooperation as the Customer may reasonably require in order to fulfil its data breach reporting obligations under Data Protection Legislation, including the type of data affected and the identity of the affected person(s) as soon as such information becomes known or available to Velaris.
  2. No Acknowledgement. The Customer agrees that any notification that Velaris provides to the Customer in relation to a Data Breach shall not be construed or understood as an acknowledgement of any fault or liability.
  3. Further Conduct. Velaris shall further take all such measures and actions as are reasonable to remedy or mitigate the effects of the Data Breach and shall keep the Customer informed of all developments in connection with the Data Breach.
  4. Cooperation. If a Data Breach is caused or materially contributed to by the Customer, Velaris will cooperate in the investigation of the Data Breach subject to the Customer's obligation to compensate Velaris for its expenses and costs.
7.    SUB-PROCESSING
  1. Authorised Sub-processors. The Customer provides a general authorisation for Velaris to engage Sub-processors to Process Personal Data on the Customer's behalf. The Sub-processors currently engaged by Velaris are listed in Annex B.
  2. New Sub-processors. Velaris shall not subcontract any Processing of the Personal Data to a Sub-processor, other than listed in Annex B, without the Customer's prior written consent. Notwithstanding this, the Customer consents to Velaris engaging Sub-processors to process the Personal Data provided that:
    • Velaris provides at least 30 days prior written notice to the Customer of the engagement of any new Sub-processor (including details of the Processing and location), and Velaris shall update the list of all Sub-processors engaged in processing of Personal Data under this Agreement at Annex B and send such updated version to the Customer prior to the engagement of the Sub-processor;
    • Velaris imposes the same data protection terms on any Sub-processor it engages as contained in this Data Processing Addendum (including the Standard Contractual Clauses, where applicable); and
    • Velaris remains fully liable for any breach of this Data Processing Addendum or the Agreement caused by an act, error or omission of such Sub-processor.
  3. Objections. If the Customer objects to the engagement of any Sub-processor on reasonable data protection grounds, then either Velaris will provide sufficient further safeguards, not engage the Sub-processor to process the Personal Data, or the Customer may elect to suspend or terminate the Processing of Personal Data under the Agreement without penalty. If it is not commercially reasonable for the Customer to use the Service without such Data Processing, the Customer is entitled to terminate the Agreement without penalty, whereas the Customer shall be entitled to receive a pro-rata refund of Fees already paid to Velaris but not utilised.
8.    DATA TRANSFERS
  1. International Data Transfers. Velaris shall take all such measures necessary to ensure that the Processing and transfer of Personal Data in or to a territory other than the territory in which the Personal Data was first collected complies with Data Protection Legislation.
  2. Restricted Transfers. The Parties agree that when and to the extent the transfer of Personal Data (i) from the Customer to Velaris; or (ii) from Velaris to a Sub-processor, is a Restricted Transfer, it shall be subject to the Standard Contractual Clauses as follows:
    • subject to Clauses 7.b.ii and 7.b.iii below, the Standard Contractual Clauses shall be incorporated by reference into and form an integral part of this Data Processing Addendum;
    • for the purposes of the UK SCCs, Annex A and Annex C of this Data Processing Addendum shall replace Appendix 1 and 2 accordingly; and
    • in the event that any provision of this Data Processing Addendum contradicts, directly or indirectly, the Standard Contractual Clauses, the appropriate Standard Contractual Clauses shall prevail to the extent of such conflict.
  3. UK Addendum. The Parties agree that when and to the extent the transfer of Personal Data from Customer to Velaris is a Restricted Transfer and UK Data Protection Law requires that appropriate safeguards are put in place, such transfer shall be governed by the UK Addendum.
  4. Modifications of Standard Contractual Clauses. In relation to transfers of Personal Data protected by GDPR the Standard Contractual Clauses will apply with the following modifications:
    • Where the Customer is a Controller of Personal Data, Module Two (Controller to Processor Clauses) will apply, and where the Customer is a Processor acting on behalf of third party Controllers, Module 3 (Processor to Processor Clauses) will apply;
    • in Clause 7 (Docking Clause), the optional docking clause will apply;
    • in Clause 9 (a) (Use of Sub-processors), Option 2 will apply, and the time period for notifying a new sub-processor change shall be as set out in Clause 7.b.i of this Data Processing Addendum;
    • in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;
    • in Clause 17 (Governing Law), Option 1 will apply, and the Standard Contractual Clauses will be governed by Irish law; and
    • in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Dublin, Ireland.
9.    LIMITATION OF LIABILITY
  1. The Customer's remedies, including its Affiliates, and Velaris' liability arising out of or in relation to this Data Processing Addendum, are subject to those limitations of liability and disclaimers set forth in the Agreement (incl. Terms of Service).
10.    FINAL PROVISIONS
  1. Third-Party Beneficiaries. Data Subjects are the sole third party beneficiaries to the Standard Contractual Clauses, and there are no other third-party beneficiaries to the Agreement and this Data Processing Addendum.
  2. Governing Law and Jurisdiction. This Data Processing Addendum shall be governed by and construed with governing law and jurisdiction provisions in the Agreement, unless and to the extent required otherwise by the Data Protection Legislation or the Standard Contractual Clauses.
  3. Scope of this Data Processing Addendum. For the avoidance of doubt, the processing of information other than Personal Data for the Permitted Purposes does not fall under the scope of this Data Processing Addendum.
  4. Term. This Data Processing Addendum shall continue to be in effect for the term of the Agreement plus the period from expiry of the Agreement until Velaris ceases to process Personal Data on behalf of the Customer.
ANNEX A: Description of the Processing Activities / Transfer
ANNEX A(1) List of Parties:
Data Exporter
  • Name: The Customer
  • Address: As identified in the Agreement
  • Contact Person's Name, position and contact details: As identified in the applicable Sales Order.
  • Activities relevant to the transfer: See Annex A(2) below
  • Role: Controller
Data Importer
  • Name: MANANTIAL LTD
  • Address: As identified in the Agreement
  • Contact Person's Name, position and contact details: As identified in the applicable Sales Order.
  • Activities relevant to the transfer: See Annex A(2) below
  • Role: Processor
ANNEX A(2) Description of Transfer:
Description
Categories of data subjects:
  • Users: any of the Customer's employees or other personnel, suppliers and other third parties authorised under the Agreement to use the Service.
  • Employees and Contractors of Customer's Clients: any existing or future employee or contractor of the Customer's client that is in contact with the Customer through a connection (e.g., email, analytical software) connected by the Service or whose personal data is otherwise uploaded by the Customer or its Users to the Service.
Categories of personal data:
Depending on the Service purchased by the Customer, the Personal Data may include:
  • Users: identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility); IT related data (computer ID, user ID, password, IP address, log files).
  • Employees and Contractors of Customer's Clients: identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility); IT related data (computer ID, user ID, password, IP address, log files), other personal data shared by a user herself.
Sensitive data:
Velaris does not require any special categories of data to provide the Service and does not intentionally collect or process such data in connection with the provision of the Service.
Frequency of the transfer:
Continuous
Nature and subject matter of processing:
The Personal Data may be subject to the following processing activities:
  • storage (hosting) and other processing necessary to provide, maintain and improve the Service provided to Customer under the Agreement;
  • technical support provided to the Customer on a case by case basis;
  • disclosures in accordance with the Agreement and the Data Processing Agreement, as compelled by law; and
  • collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Duration of the processing:
Processing Term
Purpose(s) of the data transfer and further processing:
  1. Processing to provide, maintain, support, and improve the Service provided to the Customer in accordance with the Agreement;
  2. Processing initiated by the Users in their use of the Service; and
  3. Processing to comply with other documented reasonable instructions provided by the Customer (e.g. via email) where such instructions are consistent with the terms of the Agreement (including this Data Processing Agreement).
Retention period (or, if not possible to determine, the criteria used to determine that period):
Processing Term
ANNEX A(3) Competent supervisory authority
In accordance with Clause 13 of the UK SCCs, the competent supervisory authority is the Office of the Information Commissioner.
ANNEX B : Approved Sub-processors
  • Amazon Web Services (EMEA) SARL, 38 Avenue John F. Kennedy, Luxembourg 1855, Luxembourg: Hosting provider
  • TINYBIRD LABS, Calle Moreno Nieto, 2, 28005 Madrid, SPAIN: Analytics
  • Manantial (Pvt) Ltd, 156/1B, Laxhapathiya Road, Laxhapathiya, Moratuwa, Sri Lanka: Servicing company, a wholly-owned subsidiary of MANANTIAL LTD (Velaris)
ANNEX C : Technical and Organisational Measures
The technical and organisational measures implemented by Velaris (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context, and purposes of the processing, and the risks for the rights and freedoms of natural persons, are described at https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf and https://docs.aws.amazon.com/whitepapers/latest/aws-risk-and-compliance/welcome.html

The Customer Data is fully hosted on Amazon Web Services and Velaris adheres to all Amazon Web Services security best practices.
ANNEX D: Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
  • Start date: Effective date of the DPA (clause 8.7 of the DPA)
  • The Parties: Exporter; Importer
  • Parties’ details: Exporter: See Annex A (1); Importer: See Annex A (1)
  • Key Contact: Exporter: See Annex A (1); Importer: See Annex A (1)
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs
The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: See effective date of the DPA
Reference (if any):
Other identifier (if any):
Or
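the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
  • Module 1: N/A
  • Module 2:
    • Module in operation: X
    • Clause 7 (Docking Clause): Applies
    • Clause 11 (Option): Does not apply
    • Clause 9a (Prior Authorisation or General Authorisation): General authorisation
    • Clause 9a (Time period): 30 days
    • Is personal data received from the Importer combined with personal data collected by the Exporter?: N/A
  • Module 3:
    • Module in operation: X
    • Clause 7 (Docking Clause): Applies
    • Clause 11 (Option): Does not apply
    • Clause 9a (Prior Authorisation or General Authorisation): General authorisation
    • Clause 9a (Time period): 30 days
    • Is personal data received from the Importer combined with personal data collected by the Exporter?: N/A
  • Module 4: N/A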
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex I.A: List of Parties:
See Annex A(1) of the DPA
Annex I.B: Description of Transfer:
See Annex A(2) of the DPA
Annex II.: Technical and organisational measures including technical and organisational measures to ensure the security of the data:
See Annex B of the DPA
Annex III: List of Sub processors (Modules 2 and 3 only):
See Annex C of the DPA
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section 19:
Importer
Exporter
neither Party
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. By entering into the Data Processing Addendum, the parties are deemed to have signed the mandatory clauses, incorporated herein by reference.