Data Processing Agreement

Data Processing Agreement

Last Updated: 9 April 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between VeloxMedia (“Processor,” “we,” “us”) and you, the client (“Controller,” “you”), for the provision of hosting services as described in our Terms of Service.

This DPA is entered into to ensure compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable (collectively, “Data Protection Laws”).

---

1. Definitions

• “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the services.
• “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
• “Data Subject” means the individual to whom Personal Data relates.
• “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

2. Scope and Purpose of Processing

2.1 Nature of Processing

VeloxMedia provides hosting infrastructure (VPS, dedicated servers, and related services) on which you may store and process Personal Data. Our processing of your data is limited to:

• Storage of data on our infrastructure as directed by you.
• Transmission of data across our network as part of normal service operation.
• Maintaining backups where included in your service plan.
• Providing technical support when you grant us access to your environment.

2.2 Categories of Data Subjects

Data Subjects may include your customers, employees, suppliers, and any other individuals whose Personal Data you choose to store on our infrastructure.

2.3 Types of Personal Data

The types of Personal Data processed are determined by you as Controller and may include names, email addresses, postal addresses, phone numbers, IP addresses, financial data, and any other data you choose to store.

3. Obligations of the Processor

VeloxMedia shall:

1. Process Personal Data only on your documented instructions, unless required to do so by applicable law. If legally compelled to process data beyond your instructions, we will inform you before such processing unless prohibited by law.
2. Ensure that persons authorised to process Personal Data have committed to confidentiality or are under statutory obligation of confidentiality.
3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 5.
4. Not engage another processor (sub-processor) without your prior general or specific written authorisation, subject to Section 6.
5. Assist you, taking into account the nature of processing, in responding to requests from Data Subjects to exercise their rights under Data Protection Laws.
6. Assist you in ensuring compliance with your obligations regarding data security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
7. At your choice, delete or return all Personal Data to you after the end of the provision of services, and delete existing copies unless retention is required by applicable law.
8. Make available to you all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.

4. Obligations of the Controller

You shall:

1. Ensure that your processing of Personal Data is lawful and complies with Data Protection Laws.
2. Provide documented instructions for the processing of Personal Data.
3. Ensure that you have obtained all necessary consents and provided all necessary notices to Data Subjects.
4. Be responsible for the security of your own applications, configurations, and access credentials.

5. Security Measures

VeloxMedia implements the following technical and organisational security measures:

5.1 Physical Security

• Data centres with 24/7 security, biometric access controls, and CCTV surveillance.
• Redundant power and cooling systems.

5.2 Network Security

• DDoS mitigation and traffic filtering.
• Firewall protection at the network edge.
• Encrypted management access (SSH, HTTPS).
• Network segmentation between client environments.

5.3 Access Controls

• Role-based access control for VeloxMedia staff.
• Multi-factor authentication for administrative access.
• Principle of least privilege for all access.
• Access logging and monitoring.

5.4 Data Protection

• TLS encryption for data in transit.
• Isolated virtual environments for VPS clients.
• Secure data erasure procedures upon service termination.

6. Sub-processors

6.1 Authorised Sub-processors

You provide general authorisation for VeloxMedia to engage sub-processors. Our current sub-processors include:

Sub-processor	Purpose	Location
Cloudflare, Inc.	CDN, DDoS protection, DNS	Global (US-headquartered)
Stripe, Inc.	Payment processing	United States
PayPal Holdings, Inc.	Payment processing	United States

6.2 Changes to Sub-processors

We will inform you of any intended changes to sub-processors, giving you the opportunity to object. If you reasonably object and we cannot accommodate your objection, you may terminate the affected services.

6.3 Sub-processor Obligations

We impose data protection obligations on all sub-processors that are no less protective than those in this DPA.

7. International Transfers

Where Personal Data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) as approved by the UK ICO or European Commission.
• Transfers to countries with an adequacy decision.
• Additional technical measures where required following transfer impact assessments.

8. Personal Data Breach Notification

1. VeloxMedia shall notify you of a Personal Data Breach without undue delay and in any event within 48 hours of becoming aware of the breach.
2. The notification shall include:
   • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
   • The name and contact details of our point of contact.
   • A description of the likely consequences of the breach.
   • A description of the measures taken or proposed to address the breach.
3. VeloxMedia shall cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

9. Audits

Upon reasonable written request (no more than once per year), VeloxMedia shall:

• Provide information and documentation demonstrating compliance with this DPA.
• Permit and contribute to audits, including inspections, conducted by you or a qualified third-party auditor, subject to reasonable advance notice (at least 30 days), confidentiality obligations, and scheduling during business hours.

You shall bear the costs of any audit unless the audit reveals a material breach of this DPA by VeloxMedia.

10. Duration and Termination

This DPA shall remain in effect for the duration of our service agreement. Upon termination, VeloxMedia shall, at your election:

• Return all Personal Data to you in a standard format; or
• Securely delete all Personal Data within 30 days.

We may retain copies where required by applicable law, in which case we shall continue to protect such data in accordance with this DPA.

11. Liability

The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Service.

12. Contact

For questions about this DPA or to exercise your rights:

• Email: [email protected]
• Address: 301 Grant Street, Pittsburgh, PA 15219, United States