Velvr Data Processing Agreement (DPA)

Version: v1.0 (Beta) — effective 2026-05-27. Subject to update; see Section 13.3 (Amendments).

DATA PROCESSING AGREEMENT (DPA)

Effective Date: 2026-05-27 (or as indicated in the Velvr account dashboard upon Customer's acceptance, whichever is later)

BETWEEN:

(1) MAKOA LLC, a Florida limited liability company (Document No. L20000170991, EIN 85-2771522), having its principal place of business at 3833 Powerline Rd, Suite 201, Fort Lauderdale, FL 33309, United States, operating the software-as-a-service platform known as "Velvr" (the "Processor", "Velvr", "we", or "us"); and

(2) THE ENTITY OR INDIVIDUAL that has accepted the Velvr Terms of Service ("Terms") and is identified in the Velvr account dashboard (the "Controller", "Customer", or "you").

Processor and Controller are each referred to herein as a "Party" and collectively as the "Parties".

BACKGROUND:

(A) The Controller wishes to subscribe to and use the software-as-a-service platform known as "Velvr" (the "Service"), operated by the Processor, for the management of vault content, AI-assisted fan messaging, PPV package building, and revenue analytics on the Fanvue platform.

(B) In providing the Service, the Processor will process certain personal data on behalf of the Controller, including data of the Controller's fans on Fanvue. The Parties wish to set out their obligations in respect of such processing in this Data Processing Agreement (the "DPA").

(C) This DPA is incorporated into and forms an integral part of the Velvr Terms of Service. Capitalized terms not defined herein have the meaning given in the Terms or in Applicable Data Protection Law.

IT IS AGREED:


1. Definitions

1.1. "Applicable Data Protection Law" means: (i) Regulation (EU) 2016/679 (the "GDPR"); (ii) the UK GDPR and the UK Data Protection Act 2018; (iii) the California Consumer Privacy Act 2018 as amended by the California Privacy Rights Act 2020 (the "CCPA"); (iv) any other data protection or privacy laws applicable to the processing under this DPA.

1.2. "Authorised Sub-processor" means a third party listed in Annex III, authorized by the Controller to process Controller Personal Data on the Processor's behalf.

1.3. "Controller Personal Data" means any Personal Data processed by the Processor on behalf of the Controller under this DPA, as described in Annex I.

1.4. "Data Subject" means an identified or identifiable natural person whose data is included in the Controller Personal Data, including but not limited to fans on the Fanvue platform, the Controller's personas, and the Controller's organisation personnel.

1.5. "Fanvue" means the Fanvue social media and creator platform operated by Shift Holdings LTD (UK), to which the Controller has authorized the Processor's API access via OAuth 2.0 authorization.

1.6. "Instructions" means the documented directions of the Controller regarding the processing of Controller Personal Data, as set out in this DPA, the Terms, the Velvr Operational Defaults document (incorporated by reference, see Clause 2.3), or subsequent written communications.

1.7. "Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Personal Data.

1.8. "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries, as set out in EU Commission Implementing Decision (EU) 2021/914, Module Two (Controller-to-Processor), or any subsequent version officially adopted.

1.9. "Velvr Operational Defaults" means the technical and algorithmic defaults applied by the Processor when providing the Service, as published at [app.velvr.app/legal/operational-defaults] and incorporated by reference into this DPA. The Velvr Operational Defaults describe the Validator Pipeline, Engine Logic, AI models used, data flow architecture, and Sub-Processor list.

1.10. "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Profiling" shall have the meanings ascribed to them in Applicable Data Protection Law.


2. Processing of Controller Personal Data

2.1. Roles of the Parties. The Parties acknowledge and agree that with regard to the processing of Controller Personal Data:

(i) the Controller is the Data Controller; and

(ii) the Processor is the Data Processor acting on the Controller's behalf.

The Processor shall process Controller Personal Data only on documented Instructions from the Controller, unless required to do so by EU or Member State law, US federal or state law, or UK law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

2.2. Controller's Instructions. The Controller's documented Instructions are defined by the combination of:

(a) the agreed-upon use of the Service as described in the Terms and Annex I;

(b) the Velvr Operational Defaults document, which the Controller affirmatively adopts as the Controller's documented technical and organizational instructions for the processing under this DPA;

(c) the Controller's activation of AI-Auto-Reply via the persona master switch and per-conversation controls (see Clause 3); and

(d) any subsequent written communications between the Parties.

Any additional or conflicting Instructions require prior written agreement between the Parties, including any adjustment to fees. The Processor shall inform the Controller without undue delay if, in its opinion, an Instruction infringes Applicable Data Protection Law. The Processor is under no obligation to conduct legal assessments of the Controller's Instructions beyond such notification.

2.3. Incorporation of Velvr Operational Defaults. By accepting this DPA, the Controller adopts the Velvr Operational Defaults as the Controller's documented technical and organizational instructions for the processing under this DPA, within the meaning of Article 28(3)(a) GDPR. The Processor shall:

(a) maintain the Velvr Operational Defaults at the publicly accessible URL stated in Clause 1.9;

(b) notify the Controller of substantial changes to the Velvr Operational Defaults in accordance with the update policy described therein (Re-Acceptance required for substantial changes); and

(c) implement only cosmetic changes (as defined in the Velvr Operational Defaults Section 8) without prior Controller acceptance, with notification via email.

2.4. Details of Processing. The subject-matter, nature, purpose, and duration of the processing, as well as the types of Personal Data and categories of Data Subjects, are specified in Annex I.


3. Affirmative Activation of AI-Auto-Reply [Velvr-specific]

This Clause sets out a Velvr-specific construction that differentiates this DPA from generic Controller-Processor agreements. It is material to the Parties' allocation of responsibilities.

3.1. Two-Layer Activation. The Controller controls AI-Auto-Reply through two layers: (a) a persona-level master switch, disabled by default, which the Controller must affirmatively enable per persona; and (b) a per-conversation toggle, enabled by default once the master switch is on, which lets the Controller mute AI-Auto-Reply for any individual conversation (and the corresponding Data Subject) at any time.

3.2. Documented Instruction Status. The Controller's affirmative enabling of the persona master switch — confirmed through the acknowledgement in Clause 3.5 — constitutes the Controller's documented Instruction, within the meaning of Article 28(3)(a) GDPR, to apply AI-based processing to conversations under that persona. The per-conversation toggle provides a per-Data-Subject withdrawal mechanism.

3.3. Continuous Supervision. The Controller retains the ability to review AI-generated replies through the Service's audit log, mute any conversation, disable the persona master switch, trigger a persona-wide kill-switch, and modify per-persona hard limits, all without engineering intervention by the Processor.

3.4. No Solely Automated Decision-Making Under Article 22 GDPR. The Processor does not make automated decisions producing legal or similarly significant effects within the meaning of Article 22 GDPR. Specifically:

(a) AI-Auto-Reply is enabled by the Controller's affirmative master-switch activation per persona (Clause 3.1), with per-conversation mute control;

(b) Pricing decisions for PPV (pay-per-view) content are configured exclusively by the Controller and are not automatically modified by the Service;

(c) Profiling functionality, such as fan spending propensity scoring, is provided as informational analytics only, and any consequential decisions based on such analytics are made by the Controller;

(d) Hard limits enforced through the Service's Limits-Guard validator (see Velvr Operational Defaults §2.5) operate as compliance safeguards configured by the Controller, not as autonomous decisions by the Processor.

3.5. Activation Acknowledgement. The Controller acknowledges that, upon first activation of the persona master switch for any given persona, the Service displays an acknowledgement modal informing the Controller of the consequences of AI-assisted replies and the Controller's continued responsibility for the content sent under their persona identity. Acceptance of this modal is recorded in the audit log.


4. Velvr's Mechanical Fan-Disclosure Obligation [Velvr-specific]

This Clause sets out a Velvr-specific obligation that exceeds the industry-standard practice of delegating fan-disclosure to the Controller.

4.1. Mechanical Fan-Disclosure Layer. Notwithstanding that the Controller is the Data Controller for fan data, the Processor undertakes to mechanically ensure compliance with the disclosure requirement under Article 50 of Regulation (EU) 2024/1689 (the "EU AI Act") on behalf of the Controller, by way of a validator-guaranteed AI-disclosure mechanism applied to the first AI-generated reply in each new conversation. Details of the mechanism are described in the Velvr Operational Defaults §2.6.

4.2. Allocation Between the Parties. The Controller acknowledges that:

(a) the Processor's mechanical disclosure obligation does not relieve the Controller from any of its responsibilities as Data Controller;

(b) the Controller remains responsible for additional disclosures that may be required under Applicable Data Protection Law beyond Article 50 of the EU AI Act (for example, comprehensive Privacy Notices to Data Subjects);

(c) the mechanical disclosure mechanism is provided as a best-effort technical safeguard; the Processor does not warrant absolute prevention of edge-case failures, but undertakes to monitor disclosure success rates and remedy systemic failures within reasonable timeframes.

4.3. Wording and Localization. Disclosure wording is provided in eight languages (English, German, Italian, Spanish, French, Portuguese, Japanese, Korean) by default, plus six additional languages activatable per persona. The Controller may preview wording per persona before activation but may not modify the disclosure wording.


5. OAuth-Mediated Action Attribution [Velvr-specific]

5.1. Action Attribution. The Processor executes API calls to the Fanvue platform on behalf of the Controller using OAuth 2.0 credentials that the Controller has affirmatively granted to the Processor through Fanvue's authorization flow. All API actions performed via the Service occur within the scope of the Controller's authenticated session and are legally attributable to the Controller's authenticated identity, not to the Processor as an independent actor.

5.2. Processor's Role in Action Execution. The Processor provides the orchestration and processing layer that triggers and shapes API actions; the executed actions themselves are the Controller's actions. The Processor's responsibilities are limited to:

(a) executing actions in accordance with the Controller's Instructions (per Clause 2);

(b) implementing the Velvr Operational Defaults consistently across all customers;

(c) maintaining the technical security of the OAuth credentials in accordance with Annex II.

5.3. Limits of Action Attribution. The action attribution under Clause 5.1 does not extend to (i) Processor-side bugs that cause unintended API actions, or (ii) actions that exceed the scope explicitly authorized by the Controller through the Velvr dashboard.


6. Controller's Obligations and Warranties

The Controller represents, warrants, and undertakes that:

6.1. It has provided all necessary notices and obtained all required consents, authorizations, and legal bases under Applicable Data Protection Law for the processing of Controller Personal Data, including for analytics, profiling, scoring, and international transfers to the Processor.

6.2. It has a valid and enforceable contractual or legal basis for managing the Fanvue account(s) connected to the Service, and has the authority to authorize the Processor to access such account(s) via OAuth.

6.3. It shall comply with all of its obligations as a Data Controller under Applicable Data Protection Law, including conducting any required Data Protection Impact Assessments (DPIAs) for the use of the Service.

6.4. It has full authority and legal right to provide the Controller Personal Data to the Processor for the purposes set out in this DPA and the Terms.

6.5. The Controller Personal Data provided is accurate, complete, and necessary for the purposes of the processing.

6.6. Where the Controller Personal Data may include special categories of personal data within the meaning of Article 9 GDPR (in particular, data concerning the Data Subjects' sex life), the Controller represents that it has established a valid lawful basis under Article 9(2) GDPR, typically explicit consent from the Data Subjects obtained through the Fanvue platform's subscriber agreement and/or the AI disclosure stated in the Controller's own profile bio (Velvr additionally enforces a mechanical AI-disclosure footer on the first AI-generated reply as a defense-in-depth backstop; see Clause 4 and Annex IV).

6.7. The Controller will inform the Processor without undue delay of any complaints, requests, or proceedings by Data Subjects, supervisory authorities, or third parties relating to the processing of Controller Personal Data through the Service.


7. Processor's Obligations

7.1. Confidentiality. The Processor shall ensure that persons authorized to process Controller Personal Data are subject to a strict duty of confidentiality, either through written undertakings or appropriate statutory obligations of confidentiality.

7.2. Security of Processing. The Processor shall implement and maintain the technical and organizational measures ("TOMs") specified in Annex II to ensure a level of security appropriate to the risk, including protection against Security Breaches. The Processor will review and update the TOMs as appropriate to reflect evolving security standards.

7.3. Sub-processors.

(a) The Controller grants the Processor general authorization to engage the Authorised Sub-processors listed in Annex III.

(b) The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors via the Service dashboard and email at least 14 days before the change takes effect. The Controller may object on reasonable grounds within that period.

(c) The Processor shall impose data protection obligations on each Sub-processor that are substantially equivalent to those in this DPA.

(d) The Processor remains liable to the Controller for the performance of each Sub-processor's obligations.

7.4. Assistance to Controller. Taking into account the nature of processing, the Processor shall assist the Controller by:

(a) providing necessary information to demonstrate compliance with this DPA and allowing for audits as per Clause 9;

(b) providing reasonable assistance to the Controller in fulfilling its obligations to respond to Data Subject requests under Chapter III of the GDPR. The Processor may route Data Subject requests received directly to the Controller for the Controller's primary response. Costs incurred by the Processor in providing assistance shall be borne by the Controller, except where prohibited by Applicable Data Protection Law;

(c) providing reasonable assistance to the Controller in ensuring compliance with its security, breach notification, and DPIA obligations.

7.5. Security Breach Notification. The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Security Breach. The notification shall include all information reasonably available at the time of notification, including:

(a) the nature of the Security Breach, the categories of Data Subjects and Personal Data affected, and the approximate number thereof;

(b) the likely consequences of the Security Breach;

(c) measures taken or proposed to address the Security Breach and mitigate its possible adverse effects.

The Controller is solely responsible for notifying supervisory authorities and affected Data Subjects within the timeframes required by Applicable Data Protection Law.


8. International Data Transfers

8.1. The Processor may transfer and process Controller Personal Data in any country where the Processor, its Affiliates, or its Sub-processors maintain processing facilities, as specified in Annex III.

8.2. Where such transfers are made from the European Economic Area, the United Kingdom, or Switzerland to a country not recognized by the European Commission as providing an adequate level of protection, they shall be governed by the Standard Contractual Clauses (Module Two: Controller-to-Processor), which are incorporated by reference and form an integral part of this DPA. For transfers from the United Kingdom, the UK International Data Transfer Addendum to the SCCs shall apply.

8.3. The Parties agree that for the purpose of the SCCs:

(i) the Controller is the "data exporter";

(ii) the Processor is the "data importer";

(iii) Annex I (Parts A, B, and C), Annex II, and Annex III of this DPA shall serve as Annex I (Sections A, B, and C), Annex II, and Annex III of the SCCs respectively;

(iv) the optional docking clause (Clause 7 of the SCCs) is not used;

(v) the general written authorization for Sub-processors is elected (Clause 9, Option 2);

(vi) the optional redress language in Clause 11 is not used;

(vii) the competent supervisory authority is the Irish Data Protection Commission (DPC), as is typical for non-EU controllers using the EU Standard Contractual Clauses; [lawyer review post-MVP per VEL-145]

(viii) the governing law and choice of forum for the SCCs is the law of the Republic of Ireland and the courts of Ireland respectively. [lawyer review post-MVP per VEL-145.]

8.4. Where transfers are made under the EU-US Data Privacy Framework, the Processor relies on the certification of relevant Sub-processors that are certified under the framework.


9. Audit Rights

9.1. The Controller has the right to audit the Processor's compliance with this DPA. Such audits shall be:

(a) conducted no more than once per calendar year, except where a regulatory investigation or material Security Breach justifies an additional audit;

(b) requested with at least 60 days' prior written notice;

(c) limited to business hours and conducted in a manner that minimizes disruption to the Processor's business operations;

(d) scoped to the Processor's policies, procedures, and controls relevant to the processing of Controller Personal Data under this DPA.

9.2. The Controller may, at its own expense, appoint an independent, reputable third-party auditor, subject to the Processor's reasonable confidentiality requirements. The Controller shall bear all costs of the audit.

9.3. Audit Alternatives. In lieu of a physical audit, the Processor may, at its discretion, provide the Controller with:

(a) an annual audit report from a recognized independent security firm (e.g., SOC 2 Type II, ISO 27001) once such certification has been obtained by the Processor; or

(b) written responses to a Controller-provided security questionnaire.

9.4. Regulatory Audits. Where legally required, the Processor shall permit supervisory authorities to conduct a data protection audit with regard to the processing carried out by the Processor.

9.5. DPIA Assistance. Where the Controller is required by Applicable Data Protection Law to perform a Data Protection Impact Assessment or prior consultation with authorities, the Processor shall provide such documents as are generally available regarding the Service. Any additional assistance shall be subject to mutual agreement between the Parties.


10. Liability, Indemnification, and Legal Hold

10.1. Liability. Each Party's liability arising from this DPA is subject to the limitations and exclusions of liability set forth in the Terms. Notwithstanding the foregoing, the Processor's total aggregate liability under this DPA shall not exceed 100% of the total fees paid by the Controller to the Processor in the twelve (12) months preceding the event giving rise to the claim, except in cases of fraud, willful misconduct, or where such limitation is not permitted by Applicable Data Protection Law.

10.2. Controller's Indemnity. The Controller shall indemnify, defend, and hold harmless the Processor from and against any and all claims, damages, liabilities, costs, and expenses (including reasonable legal fees) arising out of or in connection with:

(a) any breach of the Controller's warranties in Clause 6;

(b) any claim by a Data Subject, third-party platform (including Fanvue), regulatory authority, or other third party alleging that the Controller lacked authority, consent, or legal basis for the processing under this DPA;

(c) the Controller's violation of any third-party platform terms of service (including the Fanvue Terms and Acceptable Use Policy) in connection with its use of the Service;

(d) any content, messages, or communications created or sent through the Service that violate applicable law or the rights of third parties, except where such violation is directly caused by a failure of the Processor's mechanical safeguards described in the Velvr Operational Defaults.

10.3. Legal Hold. Notwithstanding Clause 11, the Processor shall be entitled to retain encrypted copies of Controller Personal Data for the duration of any legal dispute, regulatory investigation, or law enforcement request related to the Controller's use of the Service, or as necessary for the establishment, exercise, or defense of legal claims by either Party.


11. Data Return and Deletion

11.1. Upon termination or expiration of the Controller's subscription to the Service, at the Controller's written choice exercised within 30 days of termination, the Processor shall either:

(a) delete all Controller Personal Data and existing copies thereof; or

(b) return all Controller Personal Data to the Controller in a structured, commonly used, and machine-readable format,

unless EU, US, or UK law to which the Processor is subject requires retention of the data, in which case the Processor will implement reasonable measures to prevent the data from further processing.

11.2. Deletion Timeline. Deletion or return shall be completed within 90 days of the termination date or Controller's written election, whichever is later.

11.3. Legal Hold Exception. The Processor may retain one encrypted archival copy of the Controller Personal Data for an additional period solely for the purposes of Clause 10.3 (Legal Hold), subject to continued adherence to the security measures in Annex II.

11.4. Sub-processors. The Processor shall procure that all Sub-processors comply with deletion or return obligations consistent with this Clause.


12. Term and Termination

12.1. Term. This DPA shall commence on the Effective Date and shall continue in full force and effect until the termination of the Controller's subscription to the Service.

12.2. Survival. Clauses 7.1 (Confidentiality), 10 (Liability, Indemnification, and Legal Hold), and 11 (Data Return and Deletion) shall survive the termination of this DPA.

12.3. Termination for Cause. The Processor may terminate this DPA and suspend the Service with immediate effect by written notice to the Controller if:

(i) the Controller is in material breach of its warranties under Clause 6;

(ii) the Processor reasonably believes the Controller's Instructions violate Applicable Data Protection Law and the Controller fails to remedy such Instructions within 14 days of notification.


13. General Provisions

13.1. Governing Law and Jurisdiction. This DPA shall be governed by the laws of the State of Florida, United States, without regard to its conflict-of-laws principles. The state and federal courts located in Broward County, Florida shall have exclusive jurisdiction over any disputes arising out of or relating to this DPA, except that:

(a) for transfers governed by the SCCs, the SCCs' choice of law and jurisdiction (as set out in Clause 8.3) shall prevail;

(b) the Processor may bring proceedings for injunctive relief in any court of competent jurisdiction to protect its intellectual property, confidential information, or to enforce the security and integrity of the Service.

[Florida choice-of-law applies per Section 13.1; Delaware-forum-selection-clause for IP-litigation is reserved for future amendment based on lawyer review post-MVP per VEL-145.]

13.2. Order of Precedence. In the event of any conflict or inconsistency, the following order of precedence shall apply: (1) the SCCs (where applicable); (2) this DPA; (3) the Velvr Operational Defaults; (4) the Terms; (5) any other referenced document.

13.3. Amendments. This DPA may only be amended by a written instrument signed or otherwise affirmatively accepted by both Parties (such as through the Re-Acceptance mechanism described in the Velvr Operational Defaults).

13.4. Notices. Notices to the Controller shall be sent to the email address associated with the Controller's Velvr account. Notices to the Processor shall be sent to dpo@velvr.app. Formal legal notices (service of process) shall be delivered to the Processor's Registered Agent: Northwest Registered Agent LLC, 7901 4th St N, Ste 300, St. Petersburg, FL 33702.

13.5. Severability. If any provision of this DPA is held by a court of competent jurisdiction to be unenforceable, such provision shall be excluded and the remainder shall remain in effect.


Annex I: Details of the Processing

A. List of Parties

Data Exporter (Controller): Name and address as provided in the Velvr account dashboard.

Data Importer (Processor): MAKOA LLC (Florida, USA, Doc No. L20000170991), 3833 Powerline Rd, Suite 201, Fort Lauderdale, FL 33309.

B. Description of the Transfer

Categories of Data Subjects:

  • Fans on the Fanvue platform who interact with the Controller's personas
  • The Controller's personas (AI-character identities created by the Controller)
  • The Controller's organisation personnel and authorized representatives (if applicable)

Types of Personal Data:

  • Account Identification Data: Fanvue handles, display names, nicknames, avatar URLs, registration timestamps
  • Conversation Data: Inbound and outbound message contents, timestamps, attachment metadata
  • Behavioural Data: Read/unread status, online status, response patterns
  • Transactional Data: PPV purchase history, tipping data, subscription state, spending lifetime aggregates
  • Analytical Data: AI-generated predictive scores (e.g., spending propensity), funnel stage tracking, conversion attribution
  • Content Data: Media files in the Vault, captions, message templates
  • Technical Data: IP addresses (for security/audit purposes), session identifiers
  • OAuth Tokens: Encrypted Fanvue access and refresh tokens

Special Categories of Personal Data (Article 9 GDPR): The processing may include data concerning the Data Subjects' sex life or sexual orientation insofar as such data is voluntarily disclosed by the Data Subjects through their interactions on the Fanvue platform. The Controller represents that it has a valid lawful basis under Article 9(2) GDPR for such processing (see Clause 6.6). The Processor does not request special category data independently.

Frequency of Transfer: Initial bulk-load upon Customer's OAuth-authorization of the Service for a given Fanvue persona (existing subscribers and followers are imported via GET /subscribers and GET /followers Fanvue API endpoints), followed by continuous incremental updates via Fanvue webhook events (subscription.new, subscription.canceled, follow.new, message.received, purchase.new, tip.new, message.read, creator.logout) and periodic reconciliation polls for the duration of the Service subscription.

Nature and Purpose of Processing: To provide the Velvr Service, including:

  • Vault content management (synchronization with Fanvue, captioning, organization)
  • AI-assisted fan messaging (auto-reply, suggestion composer, translator mode)
  • PPV package building, scheduling, and delivery
  • Revenue analytics, conversion tracking, fan segmentation
  • Audit logging and compliance monitoring
  • Customer support, as instructed by the Controller

Period for Retention: For the term of the Service subscription, plus any applicable Legal Hold period as per Clause 10.3, plus retention periods for specific data categories as set forth in the Velvr Operational Defaults §7.

C. Competent Supervisory Authority

As Velvr is established in the United States (Florida) and has no EU establishment, the one-stop-shop mechanism under Article 56 GDPR is not available to the Processor; EU/EEA-based Controllers should engage with the supervisory authority of their own member state of establishment. For EU SCCs, the Irish Data Protection Commission (DPC) acts as the competent supervisory authority per Section 8.3(vii). [lawyer review post-MVP per VEL-145.]


Annex II: Technical and Organizational Measures (TOMs)

The Processor shall implement and maintain the following measures:

1. Information Security Program

The Processor maintains a written information security program. This program includes:

(a) annual security review and testing, with remediation of identified gaps;

(b) annual risk assessment aligned with industry standards (e.g., ISO 27001 or SOC 2 framework);

(c) documented risk remediation plans where appropriate.

2. Security Official

A designated management-level Security Official is responsible for the development, implementation, and ongoing maintenance of the information security program. The Security Official has appropriate qualifications in information security.

3. Access Control

Access rights to Controller Personal Data are assigned based on the need-to-know principle with least-privilege role-based permissions. Access rights are reviewed regularly. Multi-factor authentication is required for all administrative access.

4. Encryption

(a) In transit: TLS 1.3 for all external connections, TLS 1.2 minimum for internal service-to-service communication.

(b) At rest: AES-256 encryption for database storage. Sensitive fields (OAuth tokens, encryption keys) additionally encrypted with AES-GCM using Processor-managed keys.

(c) Backups: Encrypted backups with key rotation, stored in a separate region from primary storage.

5. Physical Security

The Processor does not maintain dedicated physical infrastructure. All processing occurs on infrastructure provided by Authorised Sub-processors (see Annex III), which implement industry-standard physical security measures (e.g., SOC 2 Type II certified data centers).

6. Logical Access Control

Password policies require minimum 10 characters, no expiry, with breached-password checking. Session timeout of 15 minutes for idle administrative sessions. Endpoint devices used for production access are encrypted, patched, and monitored.

7. Incident Response

The Processor maintains documented incident response procedures, including:

(a) 24/7 monitoring and alerting on production systems;

(b) defined escalation paths and points of contact;

(c) post-incident review procedures.

8. System Testing and Maintenance

(a) Critical security patches applied within 30 days of publication;

(b) Other patches and updates applied within 90 days;

(c) Automated vulnerability scanning of dependencies;

(d) Independent penetration testing — Velvr commits to performing this annually starting in Year 2 of operations; for Year 1 (MVP-Phase), Velvr relies on the inherited security posture of its Tier-1 sub-processors (Supabase SOC 2 Type II, Vercel SOC 2 Type II, Cloudflare ISO 27001, Stripe PCI-DSS Level 1).

9. Availability and Resilience

(a) Multi-region database replication;

(b) Automated daily backups with disaster recovery procedures;

(c) Service-level monitoring and uptime tracking.

10. Audit Logging

Comprehensive audit logs are maintained for security-relevant events, including authentication, data access by Processor personnel, and configuration changes. Audit logs are retained per the schedule in the Velvr Operational Defaults §7.

11. Security Awareness and Training

Annual security and privacy training is required for all Processor personnel with access to Controller Personal Data, including disciplinary measures for violations of the information security program.


Annex III: List of Authorised Sub-processors

The Controller authorizes the engagement of the following Sub-processors. The current list and any updates are also maintained at [app.velvr.app/legal/operational-defaults] §6.

Infrastructure

Sub-processor | Purpose | Processing Region | Compliance Mechanism
Vercel Inc. | Web hosting, edge routing, preview deployments | US (edge: global) | EU SCCs, Vercel DPA
Supabase Inc. | PostgreSQL database, authentication, storage | US-East | EU SCCs, Supabase DPA
Cloudflare Inc. | R2 object storage, DNS, image resizing, CSAM scanning | EU + US | EU SCCs, Cloudflare DPA
Inngest Inc. | Background job orchestration | US | EU SCCs, Inngest DPA

AI / Machine Learning

Sub-processor | Purpose | Processing Region | Compliance Mechanism
xAI Corp. | LLM inference (Grok models for AI-Auto-Reply, language detection, vision captioning) | US | EU SCCs, xAI API Policy

Payments

Sub-processor | Purpose | Processing Region | Compliance Mechanism
Stripe Inc. | Billing for off-Fanvue Enterprise plans only. Processes Controller billing data only, not fan data. | US | EU SCCs, Stripe DPA

Communications

Sub-processor | Purpose | Processing Region | Compliance Mechanism
Resend Inc. | Transactional email (onboarding, notifications) | US/EU | EU SCCs

Observability

Sub-processor | Purpose | Processing Region | Compliance Mechanism
Sentry (Functional Software Inc.) | Error tracking, performance monitoring. PII scrubbing active. | US/EU | EU SCCs, Sentry DPA
PostHog Inc. | Product analytics, feature flags, session replay. Controller usage data only, no fan PII. | EU region | EU SCCs, EU hosting selected

Platform Integration

Counterparty | Role | Compliance Mechanism
Fanvue (Shift Holdings LTD, UK) | API counterparty, OAuth provider, and merchant-of-record for App-Store-listed subscription plans (handles billing, tax, and refunds for those plans). Not a Sub-processor in the strict sense, as Fanvue is the platform on which fan data originates. | Fanvue API Policy (2026-02-05), OAuth 2.0 PKCE authorization by Controller

Annex IV: Aggregated and Anonymized Data [Velvr-specific clarification]

A. Independent Controller Role. Notwithstanding the Processor's primary role as Data Processor under Clause 2.1, the Processor may generate aggregated, anonymized, or irreversibly de-identified statistical data derived from Controller Personal Data for internal analytics, security, fraud prevention, product improvement, and AI model fine-tuning purposes. Such aggregated data shall not constitute Controller Personal Data where it no longer identifies any Data Subject. With respect to such aggregated data, the Processor acts as an Independent Controller under Article 4(7) GDPR.

B. Purposes. Aggregated data is used for the following purposes:

(a) measuring validator override rates by language and persona type;

(b) benchmarking engine performance and conversion rates;

(c) AI model quality comparison and selection;

(d) detection of systemic patterns indicating security or compliance issues.

C. No Re-Identification. The Processor undertakes not to re-identify aggregated data or use it to inform decisions about individual Data Subjects.

D. Retention. Aggregated data may be retained beyond the deletion of the underlying Controller Personal Data, subject to compliance with Applicable Data Protection Law.


SIGNATURE PAGE

This DPA is accepted by the Controller upon affirmative click-through acceptance during the Velvr account onboarding flow, and is effective as of the date recorded in the Controller's audit log.

For MAKOA LLC (Processor):

Name: Wolfgang Kriesel
Title: Manager (Sole Manager per Florida Sunbiz Filing, Document No. L20000170991)
Date: [effective upon publication on app.velvr.app/legal]

For the Controller:

The Controller's acceptance is recorded electronically in the Velvr account dashboard. The Controller's name, account identifier, and acceptance timestamp constitute the Controller's signature for the purposes of this DPA.


Version 1.0 (Beta) — subject to update. Questions: legal@velvr.app.