Data Processing Addendum (DPA)
Velluto. Last updated: 4 June 2026
This Data Processing Addendum (the "DPA") is entered into between:
- Ilia Kazakov, with its registered address at Phuoc Long 159, Nha Trang, 650000, Viet Nam ("Processor"); and
- the entity identified as "Customer" in the executed Order Form or in the Velluto account ("Controller"),
(each a "Party"; together the "Parties").
The DPA forms part of the Terms of Service ("Agreement") between the Parties and applies whenever the Processor processes Personal Data on behalf of the Controller in connection with the Services.
For Controllers based in the European Economic Area, the United Kingdom, or Switzerland, this DPA includes the European Commission's Standard Contractual Clauses 2021/914 ("SCCs"), Module 2 (controller-to-processor), by reference and as further specified in Annex C.
1. Definitions
Terms not defined here have the meaning given in the Agreement, the GDPR, or the UK GDPR as applicable.
- "Applicable Data Protection Law" — Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("nFADP"), the Kazakhstan Law on Personal Data and their Protection (No. 94-V dated 21 May 2013) ("KZ Law"), and any other data-protection law applicable to the processing.
- "Personal Data" — personal data (as defined in the GDPR) processed by the Processor on behalf of the Controller under the Agreement.
- "Subprocessor" — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Restricted Transfer" — a transfer of Personal Data from the EEA, the UK, or Switzerland to a country not deemed adequate by the relevant authority.
2. Subject matter and duration
2.1. Subject matter. The processing of Personal Data by the Processor on behalf of the Controller in connection with the Services described in the Agreement.
2.2. Duration. From the effective date of the Agreement until the deletion of all Personal Data by the Processor under Section 10.
2.3. Nature and purpose. As described in Annex A.
2.4. Categories of data subjects and Personal Data. As described in Annex A.
3. Roles and instructions
3.1. With respect to Personal Data processed under the Agreement, the Controller is the controller and the Processor is the processor.
3.2. The Processor will process Personal Data only on the documented instructions of the Controller, including with regard to transfers to a third country, unless required to do so by applicable law. Where required to do so by applicable law, the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits doing so on important grounds of public interest.
3.3. The Controller's instructions are: (a) the Agreement (including the Order Form and the Services-specific terms); (b) the Controller's use of the Services; and (c) any further written instructions agreed by the Parties.
3.4. The Processor will inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
4. Confidentiality
The Processor will ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security
5.1. The Processor will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, having regard to the state of the art and the nature, scope, context, and purposes of processing. The measures in force as of the effective date are set out in Annex B (TOMs).
5.2. The Processor may update the measures from time to time, provided that the updated measures do not result in a material reduction in the level of protection.
6. Subprocessors
6.1. The Controller authorises the Processor to engage Subprocessors. The current list of Subprocessors is published at https://velluto.io/subprocessors and in subprocessors.md.
6.2. The Processor will give the Controller at least thirty (30) days' prior notice of any addition or replacement of a Subprocessor (by updating the published list, by email to the Controller's notified address, or by in-product notification). The Controller may object on reasonable data-protection grounds within fifteen (15) days; if no resolution is reached, the Controller may terminate the affected portion of the Services and receive a pro-rata refund of unused prepaid fees.
6.3. The Processor will impose on each Subprocessor data-protection obligations no less protective than those in this DPA and will remain fully liable to the Controller for the performance of each Subprocessor.
7. Data subject rights
The Processor will assist the Controller, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under Applicable Data Protection Law. Where a request is made directly to the Processor, the Processor will inform the Controller without undue delay and will not respond except on the Controller's instructions or as required by law.
8. Assistance to the Controller
The Processor will assist the Controller in ensuring compliance with the obligations under Articles 32-36 GDPR (security, breach notification, data-protection impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.
9. Personal data breach notification
The Processor will notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification will include, to the extent known, the information required by Article 33(3) GDPR, and will be updated as further information becomes available.
10. Return or deletion
On termination of the Agreement, the Processor will, at the Controller's choice, return or delete all Personal Data, and delete existing copies, within ninety (90) days. The Processor may retain Personal Data to the extent required by applicable law, in which case the Processor will ensure the confidentiality of the retained data and will not actively process it.
11. Audits
11.1. The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, no more than once per year, on at least thirty (30) days' prior written notice, during normal business hours, and subject to reasonable confidentiality and security measures.
11.2. The Processor may satisfy this obligation by providing audit reports (e.g., SOC 2 Type II, ISO 27001 surveillance reports) where available.
11.3. The Controller will bear the costs of any audit unless the audit reveals material non-compliance, in which case the Processor will bear the Controller's reasonable costs.
12. International data transfers
12.1. Where the Processor or any Subprocessor processes Personal Data subject to GDPR, UK GDPR, or nFADP in a country that is not the subject of an adequacy decision, the Parties incorporate the SCCs as set out in Annex C.
12.2. For UK Restricted Transfers, the Parties incorporate the International Data Transfer Addendum (B.1.0) issued by the UK ICO as set out in Annex C.
12.3. For Swiss Restricted Transfers, references to GDPR in the SCCs are deemed to include the nFADP, and references to the supervisory authority and courts include the Swiss Federal Data Protection and Information Commissioner and the Swiss courts.
13. Liability
The liability of each Party under this DPA is subject to the limitations and exclusions in the Agreement.
14. General
14.1. Conflict. In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to data-protection matters.
14.2. Governing law. This DPA is governed by the law specified in the Agreement, except that the SCCs are governed by the law of an EU Member State that allows third-party beneficiary rights (Ireland is selected by default).
14.3. Severability. If any provision is unenforceable, the remaining provisions remain in force.
Annex A — Description of processing
| Item | Detail |
|---|---|
| Nature and purpose | Provision of AI text-to-speech, voice cloning, audio storage, account management, and related Services under the Agreement. |
| Duration | For the term of the Agreement plus retention periods in the Privacy Policy. |
| Categories of data subjects | The Controller's end-users (where the Controller uses the Services for its own customers), the Controller's employees and contractors, and third parties whose voices the Controller uploads. |
| Categories of Personal Data | Identifiers (name, email, account ID); usage data (truncated IP address, browser, OS, request logs); content (text, audio uploads, generated audio); voice / biometric data where the Controller uploads voice samples for cloning; billing data via payment processors. |
| Special categories | Voice / biometric data under GDPR Art. 9, processed only with the Controller's express documented instruction and only on the basis of the data subject's explicit consent obtained by the Controller. |
| Frequency of processing | Continuous for the term of the Agreement. |
| Sub-processors | As listed at https://velluto.io/subprocessors. |
Annex B — Technical and organisational measures (TOMs)
- Encryption in transit — TLS 1.2 or higher for all network communications.
- Encryption at rest — AES-256 for stored Content, voice models, and credentials.
- Authentication — password hashing with Argon2 or bcrypt; optional multi-factor authentication; hardware-bound device licensing.
- Access control — least-privilege role-based access; periodic access reviews; mandatory off-boarding procedure.
- Audit logging — administrative actions logged with timestamp, actor, and target; logs retained for at least 12 months.
- Network security — perimeter firewall; private networking for backend; CDN-level DDoS protection.
- Vulnerability management — automated dependency scanning; patching of high/critical CVEs within 7 days; annual penetration test (planned).
- Backups — encrypted backups of databases; tested restore procedure; retention up to 90 days.
- Incident response — documented incident-response plan; on-call rotation; breach notification within 48 hours per Section 9.
- Vendor due diligence — security questionnaire and contractual security obligations on Subprocessors.
- Physical security — cloud-hosted; physical security inherited from underlying providers (AWS / GCP / Vast.ai / Cloudflare).
- Personnel — confidentiality obligations on all staff and contractors with access to Personal Data.
Annex C — SCCs and addenda
C.1. EU SCCs (Regulation (EU) 2021/914), Module 2
- Docking clause (Clause 7): included.
- Sub-processors (Clause 9): Option 2 (general written authorisation), with 30 days' prior notice for changes per Section 6.
- Redress (Clause 11): the optional language is not included.
- Liability (Clause 12): as written.
- Supervisory authority (Clause 13): the supervisory authority of Ireland, where the Controller has no establishment in the EU; otherwise the authority of the Controller's lead establishment.
- Governing law (Clause 17): Ireland.
- Choice of forum (Clause 18): courts of Ireland.
Annex I (Parties) and Annex II (Description of transfer): as set out in Annex A above.
Annex III (Technical and organisational measures): as set out in Annex B above.
Annex IV (List of sub-processors): as published at https://velluto.io/subprocessors.
C.2. UK IDTA (Version B.1.0, in force 21 March 2022)
Where Personal Data of UK data subjects is the subject of a Restricted Transfer, the EU SCCs above are amended by the UK International Data Transfer Addendum. The Approved Addendum is incorporated by reference; Tables 1-3 are populated with the corresponding details from this DPA and Annexes A-C.
C.3. Swiss transfers
For Swiss Restricted Transfers, references to "GDPR" in the SCCs are read as references to the nFADP; references to "EU Member State" are read as references to Switzerland; the competent supervisory authority is the FDPIC.
Execution
This DPA is incorporated by reference into the Agreement and accepted by the Controller's continued use of the Services after the Effective Date. The Parties may also execute a signed counterpart on request to the Processor at [email protected].