Data Processing Addendum

Vela Cloud Ltd, operating as Vela

Last updated: May 18, 2026

This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the Terms of Use between Vela Cloud Ltd ("Processor", "we", "us") and the customer entity that has agreed to those Terms ("Controller", "you"). Together, the Terms of Use and this DPA constitute the complete data processing agreement between the parties. In the event of a conflict, this DPA takes precedence with respect to the processing of Personal Data.

This DPA applies wherever Vela Cloud Ltd processes Personal Data on behalf of the Controller in connection with the Vela platform, including CRM data synchronised from Salesforce, HubSpot, or other connected integrations, and any pipeline, contact, or opportunity data uploaded or generated through the platform.

1. Definitions

"Applicable Data Protection Law" means, as applicable: (a) the EU General Data Protection Regulation (EU 2016/679) ("GDPR"); (b) the UK GDPR and Data Protection Act 2018; (c) the Israeli Protection of Privacy Law 5741-1981 and regulations thereunder; and (d) any other data protection or privacy legislation applicable to the processing described in this DPA.

"Controller" means the customer entity that determines the purposes and means of processing Personal Data.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Vela Cloud Ltd on behalf of the Controller in connection with the platform.

"Processing" means any operation or set of operations performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.

"Processor" means Vela Cloud Ltd, which processes Personal Data on behalf of the Controller.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by or on behalf of Vela Cloud Ltd.

"Subprocessor" means any third party engaged by Vela Cloud Ltd to process Personal Data on behalf of the Controller.

2. Scope and Roles

The parties acknowledge that, with respect to Personal Data processed through the platform:

  • The Controller determines the purposes and means of processing and is responsible for the lawfulness of its instructions.
  • Vela Cloud Ltd acts as Processor and processes Personal Data only on documented instructions from the Controller.
  • For account registration and billing data, Vela Cloud Ltd acts as an independent Controller; such processing is governed by the Privacy Policy rather than this DPA.

Subject matter of processing

Nature: CRM data synchronisation between Controller's CRM systems and cloud hyperscaler co-sell programmes; storage, retrieval, and display of pipeline and opportunity data.
Purpose: Providing the Vela SaaS platform as described in the Terms of Use.
Duration: For the duration of the active subscription, plus any retention period required by law.
Categories of data: Business contact information (names, email addresses, job titles, company names), pipeline opportunity data, and other CRM records as uploaded or synced by the Controller.
Categories of Data Subjects: Controller's customers, prospects, and business contacts whose data is synced through the platform.

3. Processor Obligations

Vela Cloud Ltd shall, in its capacity as Processor:

  • Process Personal Data only on documented instructions from the Controller, including for international transfers, unless required to do so by applicable law; in which case Vela Cloud Ltd will notify the Controller unless prohibited by law.
  • Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organisational security measures described in Section 6 of this DPA and on our Security page at usevela.io/security.
  • Assist the Controller in responding to Data Subject rights requests as described in Section 7.
  • Assist the Controller in meeting its obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and information available to Vela Cloud Ltd. Specific breach-notification timing is set out in Section 8.
  • At the Controller's choice, delete or return all Personal Data upon termination of the agreement, and delete existing copies unless applicable law requires retention.
  • Make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA.

4. Controller Obligations

The Controller represents and warrants that:

  • It has a valid legal basis under Applicable Data Protection Law for processing the Personal Data it submits to the platform and for instructing Vela Cloud Ltd to process it.
  • It has provided all required notices and obtained all required consents from Data Subjects to the extent required by Applicable Data Protection Law.
  • Its instructions to Vela Cloud Ltd comply with Applicable Data Protection Law, and it will notify Vela Cloud Ltd promptly if it believes any instruction infringes Applicable Data Protection Law.
  • It will not submit to the platform any special categories of Personal Data (as defined in Article 9 GDPR) unless agreed in writing with Vela Cloud Ltd in advance.

5. Subprocessors

The Controller provides general authorisation for Vela Cloud Ltd to engage subprocessors. Vela Cloud Ltd maintains a current public list of subprocessors at usevela.io/sub-processors and will notify the Controller of any intended additions or replacements with at least 14 days' prior notice via email or a notice in the platform.

If the Controller objects to a new subprocessor on reasonable data protection grounds, it must notify Vela Cloud Ltd in writing within 14 days of the notice. The parties will work in good faith to resolve the objection. If the objection cannot be resolved, the Controller may terminate the relevant services on 30 days' written notice without penalty.

Current subprocessors (as of May 18, 2026):

Cloudflare, Inc.

Infrastructure

Cloud infrastructure, compute, storage, and CDN. Processing location: globally distributed (EEA, US, and other regions). Certified: SOC 2 Type II, ISO 27001.

Clerk, Inc.

Authentication

User identity, authentication, and session management. Processing location: United States. Transfer mechanism: Standard Contractual Clauses (EC Decision 2021/914, Module 2). Certified: SOC 2 Type II. DPA: clerk.com/legal/dpa.

Paddle.com Market Ltd

Billing

Subscription management and payment processing. Acts as Merchant of Record. Processing location: United Kingdom and globally. Certified: PCI DSS Level 1.

Anthropic, PBC

AI Features

AI powered features and recommendations. Data submitted is not used to train models and is not retained beyond the immediate request. Processing location: United States. Transfer mechanism: Standard Contractual Clauses (EC Decision 2021/914, Module 2). Certified: SOC 2 Type II. DPA: anthropic.com/legal/commercial-terms.

Chatbase, Inc.

Support Chat

AI support chat widget. Stores support conversation history. Processing location: United States. Transfer mechanism: Standard Contractual Clauses (EC Decision 2021/914, Module 2). Privacy policy: chatbase.co/legal/privacy.

Note: DPA incorporated by reference in Chatbase Terms of Service. Available at chatbase.co/legal/dpa.

Resend

Email Delivery

Email delivery service. Processes recipient email addresses and email content for transactional messages (billing receipts, trial expiry notices, account alerts). Processing location: United States. Privacy policy: resend.com/legal/privacy-policy.

Vela Cloud Ltd imposes data protection obligations on all subprocessors by way of written agreement that provides at least the same level of protection as this DPA.

6. Security Measures

Vela Cloud Ltd implements and maintains appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include, at minimum:

  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Encryption of Personal Data at rest using AES-256
  • Encryption of OAuth tokens and credentials before storage; no plaintext credential storage
  • Multi factor authentication available for all user accounts
  • Role based access controls and audit logging for internal system access
  • Strict tenant isolation; each customer's data is architecturally segregated
  • Weekly automated security scans and penetration testing against source code and live API endpoints
  • Remediation of Critical and High vulnerabilities within 14 days of identification

Full details of our security controls are available at usevela.io/security. Vela Cloud Ltd reserves the right to update these measures over time, provided the overall level of protection is not materially reduced.

7. Data Subject Rights

Vela Cloud Ltd will notify the Controller promptly (and in any event within 5 business days) upon receiving any request from a Data Subject exercising rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

Vela Cloud Ltd will not respond directly to Data Subject rights requests unless instructed by the Controller or required by applicable law. Vela Cloud Ltd will provide reasonable technical assistance to enable the Controller to fulfil its obligations in responding to such requests, including by making available relevant tools and data exports within the platform.

Where a Data Subject submits a deletion or erasure request directly to Vela Cloud Ltd, Vela Cloud Ltd will forward the request to the Controller and, if the Controller does not respond within a reasonable period, may delete the relevant data at its discretion in compliance with applicable law.

8. Security Incidents

In the event of a Security Incident involving Personal Data, Vela Cloud Ltd will:

  • Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the incident, to the email address associated with the Controller's account. This window is set to enable the Controller to meet its own 72-hour notification obligation under Article 33 GDPR.
  • Provide, to the extent then known: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of Data Subjects and Personal Data records concerned; (c) the likely consequences of the incident; and (d) the measures taken or proposed to address the incident.
  • Cooperate with the Controller and provide any further information reasonably required to allow the Controller to meet its own notification obligations to supervisory authorities and Data Subjects.

Notification of a Security Incident by Vela Cloud Ltd is not an acknowledgement of fault or liability.

9. International Data Transfers

Personal Data processed under this DPA may be transferred to and processed in countries outside the European Economic Area (EEA) or the United Kingdom. Where such transfers occur, Vela Cloud Ltd ensures that one of the following safeguards is in place:

  • The recipient country benefits from an adequacy decision by the European Commission or the UK Secretary of State.
  • The transfer is covered by Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 3: Processor to Processor, where applicable), or by the UK International Data Transfer Addendum.
  • The recipient Sub Processor has implemented binding corporate rules or another approved transfer mechanism.

By entering into these Terms, the Controller authorises Vela Cloud Ltd to execute Standard Contractual Clauses with subprocessors on the Controller's behalf where required. Copies of applicable transfer mechanisms are available upon written request to privacy@usevela.io.

10. Audit Rights

The Controller may, upon reasonable written notice of at least 30 days and no more than once per calendar year, request an audit of Vela Cloud Ltd's processing activities and compliance with this DPA. The Controller shall bear its own costs in connection with any audit.

Vela Cloud Ltd may satisfy an audit request by providing: (a) a current SOC 2 Type II report or equivalent third party audit report; (b) written responses to a reasonable questionnaire; or (c) facilitating an inspection by a mutually agreed independent third party auditor, subject to reasonable confidentiality obligations.

Any audit must be conducted in a manner that does not unreasonably disrupt Vela Cloud Ltd's operations or compromise the security of other customers' data.

11. Data Retention and Deletion

Upon expiry or termination of the subscription, Vela Cloud Ltd will, at the Controller's written election:

  • Return: Provide a machine readable export of the Controller's Personal Data within 30 days of the termination date; or
  • Delete: Securely delete all Personal Data from Vela Cloud Ltd's systems within 30 days of the termination date, and certify such deletion in writing upon request.

If the Controller does not provide written instructions within 30 days of termination, Vela Cloud Ltd will delete the Personal Data. Notwithstanding the above, Vela Cloud Ltd may retain Personal Data for a longer period where required by applicable law (for example, financial records required for tax compliance), and will notify the Controller of any such retention.

12. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Use. To the extent permitted by Applicable Data Protection Law, the total aggregate liability of each party under or in connection with this DPA shall not exceed the cap set out in the Limitation of Liability section of the Terms of Use.

Nothing in this DPA limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited by applicable law.

13. Governing Law

This DPA is governed by the laws of the State of Israel, without regard to its conflict of law provisions, and the parties submit to the exclusive jurisdiction of the competent courts of Tel Aviv, Israel, in accordance with the governing law clause in the Terms of Use. Where mandatory local law in the Controller's jurisdiction imposes different requirements, those requirements apply to the extent they cannot be contractually varied.

14. Contact and Data Protection Enquiries

For questions about this DPA, to exercise audit rights, or to request copies of transfer mechanisms:

Vela Cloud Ltd

28 HaArba'a St, Tel Aviv 6473925, Israel

Privacy enquiries: privacy@usevela.io

Legal enquiries: legal@usevela.io

Website: usevela.io