Data Processing Agreement
Last updated: April 1, 2026
Introduction
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Veldun (“Processor”) and the organization using the Veldun platform (“Controller”). It describes how Veldun processes personal data on behalf of the Controller and the obligations of each party.
This DPA applies to all personal data processed by Veldun in the course of providing the membership management platform. In the event of a conflict between this DPA and the Terms of Service, this DPA governs with respect to data processing matters.
Definitions
- Personal Data means any information relating to an identified or identifiable natural person, including member names, email addresses, phone numbers, mailing addresses, and payment records.
- Controller means the organization that determines the purposes and means of processing Personal Data (i.e., your organization).
- Processor means Veldun, which processes Personal Data on behalf of the Controller.
- Sub-processor means a third-party service provider engaged by Veldun to assist in processing Personal Data.
- Data Subject means an identified or identifiable natural person whose Personal Data is processed (i.e., your organization's members).
Scope of processing
Veldun processes Personal Data for the following purposes:
- Storing and displaying member records (names, emails, phone numbers, addresses, membership tier, join and renewal dates)
- Processing membership dues and event payments via the Controller's own Stripe account
- Sending transactional and campaign emails on behalf of the Controller via Resend
- Powering AI features (event creation, newsletter assembly, renewal alerts) by sending relevant content to Anthropic's Claude API for processing
- Hosting the Controller's public organization website
Veldun processes Personal Data only on the Controller's documented instructions. We do not sell Personal Data, use it for advertising, or process it for any purpose beyond providing and maintaining the platform.
Veldun's obligations
As Processor, Veldun will:
- Process Personal Data only in accordance with the Controller's instructions and the Terms of Service
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement and maintain the technical and organizational security measures described in the Security measures section below
- Assist the Controller in responding to Data Subject requests (access, correction, deletion, portability)
- Notify the Controller of any Personal Data breach without undue delay and in any event within 72 hours of becoming aware of it
- Delete or return all Personal Data to the Controller upon termination of the agreement, as described in the Data Return and Deletion section below
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
Controller's obligations
As Controller, the organization will:
- Ensure that it has a lawful basis for collecting and sharing member Personal Data with Veldun
- Provide appropriate privacy notices to its members regarding the use of Veldun as a data processor
- Promptly notify Veldun of any Data Subject requests that require Veldun's assistance
- Ensure that its instructions for processing Personal Data comply with applicable data protection laws
Sub-processors
Veldun uses the following sub-processors to provide the platform. The Controller authorizes the use of these sub-processors as of the date of this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, database, file storage, background jobs | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional and campaign email delivery | United States |
| Anthropic (Claude API) | AI features (event creation, newsletter assembly, renewal alerts) | United States |
| Sentry | Error monitoring and performance tracking | United States |
| Cloudflare | DNS and static website hosting | United States |
Veldun will notify the Controller by email at least 30 days before adding or replacing a sub-processor. If the Controller objects to a new sub-processor, either party may terminate the agreement with 30 days' notice. Veldun imposes data protection obligations on each sub-processor that are no less protective than those in this DPA.
Security measures
Veldun implements the following technical and organizational measures to protect Personal Data:
- Encryption in transit: All data transmitted between clients and servers is encrypted using TLS
- Encryption at rest: All database and file storage is encrypted using AES-256
- Data isolation: Multi-tenant data is isolated using PostgreSQL Row-Level Security (RLS) policies on organization identifiers
- Access control: Database access uses IAM authentication. File uploads use signed URLs with expiration. Administrative access is limited to authorized personnel
- Payment security: Veldun is PCI SAQ A compliant. We never store credit card numbers or bank account details. All payment data is handled by Stripe
- Audit logging: Administrative actions are logged in an append-only audit trail with before/after change records
- Automated backups: Database backups are performed automatically with point-in-time recovery capability
Data breach notification
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, Veldun will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide the Controller with sufficient information to meet any obligation to report or inform Data Subjects of the breach
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
Notification will include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
Data subject requests
Veldun will assist the Controller in fulfilling Data Subject requests including access, rectification, erasure, restriction of processing, data portability, and objection.
The Controller's administrators can fulfill most requests directly through the platform: viewing, editing, and deleting member records, and exporting data. For requests that require Veldun's involvement, we will respond within 30 days.
Individual member deletion (GDPR Article 17) removes the member's personal data from all records - member directory, email send logs, and event registrations - without affecting the rest of the organization's data.
Data return and deletion
Upon termination of the subscription, the Controller's data enters a 90-day grace period:
- During this period, administrators can log in, view data in read-only mode, and export all data (member directory, payment history, event records, email archive, and documents)
- After 90 days, all Personal Data is permanently deleted from production systems. Backups are purged within an additional 90 days
- The Controller may request immediate deletion at any time during the grace period, subject to a 7-day cooling-off period before execution
- Payment records are anonymized (amounts and dates retained, personal identifiers removed) to meet financial record-keeping requirements
If the Controller uses its own Stripe account for member dues, that account is entirely the Controller's property. On termination, Veldun deletes its stored connection to the Controller's Stripe account. The Controller's Stripe account, payment history, and member billing relationships are unaffected.
Audit rights
The Controller may audit Veldun's compliance with this DPA. Audit requests must be made with reasonable advance notice (at least 30 days) and conducted during normal business hours. Audits will be limited to once per year unless a data breach has occurred or a supervisory authority requires an additional audit.
Veldun will cooperate with the audit and provide access to relevant documentation, systems information, and personnel. The Controller bears the cost of the audit unless it reveals material non-compliance by Veldun.
International transfers
Personal Data is processed and stored in the United States. All sub-processors listed in this DPA are based in the United States. If the Controller is located outside the United States, the Controller consents to this transfer by entering into this DPA.
For Controllers in the European Economic Area, the parties agree that Standard Contractual Clauses (Module Two: Controller to Processor) as adopted by the European Commission apply to any transfer of Personal Data to the United States.
Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law that cannot be limited under applicable law.
Term
This DPA takes effect when the Controller accepts the Terms of Service and remains in effect for the duration of the subscription, plus any post-termination data retention period described above. The obligations relating to confidentiality and data deletion survive termination.
Contact
For questions about this DPA or to exercise audit rights, email privacy@veldun.com. We respond to every inquiry within 24 hours.