Data Processing Agreement

The Art. 28 GDPR terms under which we process personal data on your behalf.

Last updated: 1 June 2026

1. Parties and incorporation

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Customer (the “Controller”) and TODO: Veyro GmbH (the “Processor”) and applies whenever we process personal data on the Customer’s behalf in connection with Veyro. Where the Customer is itself a processor for a third party, references to “Controller” apply accordingly and we act as sub-processor.

2. Subject matter, nature and purpose

  • Subject matter: processing of personal data to provide the support inbox, AI-assisted replies, chatbot automation and connected-store context.
  • Nature and purpose: collection, storage, organisation, retrieval, transmission and deletion of personal data as needed to deliver the service and as instructed by the Controller.
  • Duration: for the term of the Terms of Service and until deletion or return of the data as set out below.

3. Categories of data and data subjects

Categories of personal data

  • Contact and identity data (names, email addresses, phone numbers).
  • Communication content (emails, chatbot messages, attachments, notes).
  • Commerce data (orders, returns, shipping and product information from connected stores).
  • Any other personal data the Controller chooses to submit to the service.

Categories of data subjects

  • The Controller’s customers and end users who contact support.
  • The Controller’s staff, agents and team members who use the service.

4. Processing on documented instructions

We process personal data only on the Controller’s documented instructions, including with regard to international transfers, unless required to do otherwise by EU or member-state law; in that case we will inform the Controller before processing, unless that law prohibits it. The Terms of Service, this DPA and the configuration of the service constitute the Controller’s complete instructions. We will inform the Controller if, in our opinion, an instruction infringes the GDPR.

5. Confidentiality

We ensure that persons authorised to process the personal data are bound by confidentiality and are trained on their data-protection obligations. Access is granted on a need-to-know, least-privilege basis.

6. Security of processing (Art. 32)

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • encryption of data in transit (TLS) and at rest where supported by our infrastructure;
  • logical isolation of each customer’s data;
  • role-based access control and least-privilege access for personnel;
  • hashed credentials and secure secret management;
  • monitoring, logging and backup of production systems; and
  • processes for restoring availability and access to data after an incident.

7. Sub-processors

The Controller provides general authorisation for us to engage the sub-processors listed on our Sub-processors page. We impose data-protection obligations on each sub-processor by contract that are no less protective than those in this DPA, and we remain liable for their performance. We will give the Controller advance notice of any intended addition or replacement of a sub-processor, allowing the Controller to object on reasonable data-protection grounds. If an objection cannot be resolved, the Controller may terminate the affected part of the service.

8. Assistance with data subject rights

Taking into account the nature of the processing, we assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests to exercise data-subject rights (access, rectification, erasure, restriction, portability, objection). Where a data subject contacts us directly, we will refer them to the Controller.

9. Personal data breaches

We notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and provide information reasonably required for the Controller to meet its notification obligations under Art. 33/34 GDPR.

10. DPIA and prior consultation

We provide the Controller with reasonable assistance for data protection impact assessments and any prior consultation with a supervisory authority, taking into account the nature of the processing and the information available to us.

11. Return and deletion

On termination of the service, and at the Controller’s choice, we delete or return the personal data and delete existing copies, unless EU or member-state law requires storage. We provide an export capability for a limited period after termination before deletion.

12. Audits

We make available to the Controller information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. Audits are conducted on reasonable prior notice, during business hours, subject to confidentiality, and in a manner that does not disrupt our operations; we may satisfy audit requests by providing existing documentation or third-party reports where available.

13. International transfers

Where processing involves a transfer of personal data outside the EEA, we ensure an appropriate transfer mechanism is in place (e.g. EU Standard Contractual Clauses, an adequacy decision, or the EU–US Data Privacy Framework), as reflected on our Sub-processors page.

14. Liability and precedence

Liability under this DPA is subject to the limitations agreed in the Terms of Service, to the extent permitted by applicable data-protection law. In case of conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA prevails.

This document is provided for transparency. It is not legal advice. Please consult a qualified lawyer for your specific situation.