1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Vellora Ops Ltd ("Processor", "we", "us", or "our") and any client or organisation using the Vellora Ops platform ("Controller", "you", or "your").
This DPA governs the processing of personal data by Vellora Ops Ltd on behalf of the Controller, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By using our Service, you agree to the terms of this DPA.
2. Parties
| Role | Details |
|---|---|
| Data Processor | Vellora Ops Ltd, registered in Scotland (Company No. SC864617); Office 110, 18 Young St, UNIT LGE, Edinburgh, EH2 4JB; privacy@vellora-ops.com |
| Data Controller | The organisation or customer using the Vellora Ops platform to manage its data and users |
3. Definitions
Other terms have the meanings given in the UK GDPR.
4. Subject Matter and Duration
This DPA applies to all personal data processed by Vellora Ops Ltd on behalf of the Controller while the Controller subscribes to or uses the Service.
Upon termination of the Service, the DPA remains in effect until all personal data has been deleted or returned in accordance with Section 11.
5. Nature and Purpose of Processing
Vellora Ops Ltd processes personal data solely for the following purposes:
- Hosting, storing, and managing data within the Vellora Ops platform
- Providing customer support and technical assistance
- Managing subscriptions, authentication, and billing
- Monitoring and securing the platform infrastructure
- Complying with legal obligations
Vellora Ops Ltd will not process personal data for any purpose other than those stated above.
6. Categories of Data and Data Subjects
| Category | Examples |
|---|---|
| Data Subjects | Client staff, end users, and customers of the Controller |
| Personal Data | Name, email address, job title, organisation, ticket or signal content, logs, and metadata |
| Special Category Data | Not intentionally collected or required. Controllers must not store sensitive data without prior agreement. |
7. Processor Obligations
Vellora Ops Ltd shall:
- Process personal data only on documented instructions from the Controller
- Ensure all personnel authorised to process data are subject to confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 10)
- Assist the Controller in responding to data subject requests
- Notify the Controller of any personal data breach without undue delay
- Maintain records of processing activities under its responsibility
- Make available all information necessary to demonstrate compliance with this DPA
8. Controller Obligations
The Controller shall:
- Ensure all personal data provided to Vellora Ops Ltd has been collected lawfully and in compliance with UK GDPR
- Obtain all necessary consents and authorisations from data subjects
- Provide clear written instructions to the Processor where required
- Remain responsible for the accuracy, quality, and legality of the personal data provided
9. Subprocessors
Vellora Ops Ltd uses subprocessors to support service delivery. All subprocessors are bound by written agreements ensuring data protection and security standards equivalent to this DPA.
| Subprocessor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure and data hosting | United Kingdom |
| Stripe Payments UK Ltd | Payment processing | United Kingdom / EEA |
The Processor may update this list with reasonable notice. Controllers may object to new subprocessors if they have legitimate grounds related to data protection.
10. Security Measures
Vellora Ops Ltd implements the following security measures to protect personal data:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Azure-managed network and database security controls
- Role-Based Access Control (RBAC) and Principle of Least Privilege
- Tenant-level data isolation via PostgreSQL Row-Level Security (RLS)
- Continuous logging and monitoring for security events
- Regular vulnerability assessments and patch management
- Controlled access to production systems (managed identities only)
11. Data Retention, Return, and Deletion
Upon termination or expiry of the Controller's subscription:
- Vellora Ops Ltd will retain data for up to 12 months (grace/deactivation period)
- After this period, all personal data will be securely deleted from live systems and backups unless required by law
- Upon written request, we will provide a data export (JSON or CSV) before deletion
Deletion will be verified through internal audit logs.
12. Data Subject Rights
Where possible, Vellora Ops Ltd will assist the Controller in fulfilling data subject requests under UK GDPR, including access, rectification, restriction, erasure, and portability.
The Controller is responsible for initiating such requests.
13. International Data Transfers
All data is hosted and processed within the United Kingdom. If transfers outside the UK occur in the future, they will be subject to the UK's approved International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs).
14. Data Breach Notification
In the event of a personal data breach, Vellora Ops Ltd will:
- Notify the Controller without undue delay after becoming aware of the breach
- Provide relevant details including the nature, scope, and mitigation steps
- Assist the Controller with any required notifications to the ICO or affected individuals
15. Audits and Inspections
Upon reasonable notice, the Controller may request an audit summary or certification demonstrating compliance with this DPA. Where necessary, Vellora Ops Ltd will cooperate with the Controller or relevant supervisory authorities.
Physical inspections may be allowed where required by law or regulator order, subject to confidentiality and security restrictions.
16. Liability and Indemnity
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Neither party shall be liable for indirect or consequential loss arising from data processing activities, except where prohibited by law.
17. Duration and Termination
This DPA remains in effect for as long as Vellora Ops Ltd processes personal data on behalf of the Controller. Upon termination, data will be deleted or returned as described in Section 11.
18. Governing Law and Jurisdiction
This DPA is governed by the laws of Scotland, and both parties agree to the exclusive jurisdiction of the Scottish courts.
19. Contact Information
For data protection or DPA-related queries, please contact:
privacy@vellora-ops.com
© 2025 Vellora Ops Ltd. All rights reserved.