Data Processing Agreement

Last updated: September, 2025.

About

This Data Processing Agreement (“DPA”) forms part of an agreement regarding Velory (a B2B commerce platform with asset management system) (“Agreement”) between 

(1) Velory AB, with company registration number 559118-9476 and registered address at Velory AB c/o IOFFICE Business Center, Sveavägen 34, 111 34 Stockholm, Sweden (“Processor”).

(2) The customer identified in the Agreement (“Controller”).

Controller and Processor may be referred to hereinafter collectively as the “Parties” and separately as a “Party”. 

This DPA details the Parties’ respective obligations regarding the protection of Personal Data, associated with the Processing of Personal Data on behalf of Controller, by Processor. The measures provided for in this DPA shall apply to all activities associated with the Agreement. The provisions set forth below apply where Processor processes Personal Data to perform the Services.

1. DEFINITIONS

Under this DPA, the Parties agree that the terms “Personal Data Breach”, “Data Subject”, “Personal Data”, “Controller”, “Processor”, “Processing”, “Supervisory Authority” and “Third Party” shall have the meaning assigned to them in the GDPR, as defined below. 

In addition, the following terms shall have the meaning set out below: 

"Applicable Data Protection Law" shall mean the personal data protection laws, rules and regulations applicable in the country where the Controller is established. In particular, the GDPR shall apply to all Processing falling within its scope, together with all additional regulations and rules in force in the relevant Member State(s) of the European Union applicable to the Processing. It also includes, but is not limited to, judgements of the Court of Justice of the European Union ("CJEU") regarding data protection.

"GDPR" shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

"Subprocessor" shall mean any natural or legal person engaged by Processor only for the performance of the Processing under the Agreement and as authorised in advance, either generally or specifically, as agreed between the Parties, in writing by Controller. The list of Subprocessors is available at https://velory.com/legal/sub-processors.

"Third Country" shall mean any country, territory or specified sector within that country outside of the European Economic Area (EEA) that is not recognized by the European Commission or any competent authority (including a Supervisory Authority) as ensuring an adequate level of protection.

"Technical and Organisational Security Measures" shall mean the security measures implemented by the Processor to ensure the protection of Personal Data as detailed in Appendix B.

2. PARTIES RESPECTIVE ROLES AND RESPONSIBILITIES

2.1 Controller’s role, responsibilities and obligations 

Controller shall comply with its own obligations under Applicable Data Protection Law regarding the Processing that Processor carries out on Controller's behalf in order to provide the Services under the Agreement.

2.2 Processor’s role, responsibilities and obligations as Processor 

Velory AB, as Processor, processes the Personal Data on behalf of and in accordance with the documented instructions it receives from Controller. Accordingly, Velory AB, as Processor, shall process the Personal Data exclusively for the purpose of providing the Services under the Agreement with Controller. 

The Processor shall take appropriate technical and organisational measures to comply with the terms of this DPA. Processor shall only be able to avoid liability for a breach of the provisions of this DPA by demonstrating that it is not responsible for such breach.

The Processor accepts and warrants that it will comply with the following:

2.3 Compliance with Applicable Data Protection Law 

Processor shall comply with Applicable Data Protection Law when performing its obligations under this DPA, in such a way as to not expose Controller to any violation of Applicable Data Protection Law. 

2.4 Compliance with Controller’s instructions 

Processor shall process Personal Data on behalf of Controller exclusively in order to provide the Services for the purposes defined by Controller and in accordance with the documented instructions received from Controller, unless Processor is required to process otherwise by Union or Member State law to which Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before the start of the Processing, unless that law prohibits such information on important grounds of public interest.

For the purpose of allowing Processor to comply with Controller's documented instructions, such instructions, including notably the categories of Data Subjects, the categories of Personal Data processed and the categories of Processing activities, are set out in Appendix A, and the list of Subprocessors is published at the address given in Section 1.

If Processor becomes aware of the fact that all or part of the instructions it receives from Controller may constitute an infringement of Applicable Data Protection Law or any relevant applicable law, it shall, without delay, inform Controller of such potential infringement to request revised instructions, unless Applicable Data Protection Law or other relevant applicable law prohibits the provision of such information. To the extent strictly necessary, Controller shall adapt its instructions, and Processor shall assist Controller in doing so, in order to ensure that the Processing complies with Applicable Data Protection Law. Once the new instructions are defined, the Processor shall implement them without delay.

Controller shall be entitled to supplement its instructions in writing to Processor from time to time during the performance of the Agreement.

2.5 Processor non-compliance 

If Processor cannot comply, for whatever reason, with any of the provisions set out in cl. 2.2, Processor must inform Controller promptly of its inability to comply, in which case Controller reserves the right to immediately and automatically suspend any Processing and/or terminate the Agreement without incurring any penalties or charges for such termination. 

Processor shall not modify, amend or alter the contents of the Personal Data unless expressly instructed to do so in writing by the Controller.

2.6 Compliance in case of subcontracting/subprocessing 

The Controller authorizes Processor's use of third-party Subprocessors in connection with the provision of Services. As a condition to permitting a Subprocessor to Process the Personal Data, Processor will enter into a written agreement with the Subprocessor containing data protection obligations no less protective than those in this DPA with respect to Personal Data. Processor will restrict its Subprocessors' access to only what is necessary to maintain the Services or to provide the Services to Controller. Subject to this section, Processor reserves the right to engage and substitute Subprocessors as it deems appropriate, but shall: (a) remain responsible to Controller for the provision of the Services and (b) be liable for the actions and omissions of its Subprocessors undertaken in connection with Processor's performance of this DPA to the same extent Processor would be liable if performing the Services directly. The Controller may reasonably object to Processor's use of an existing Subprocessor by providing a written objection to privacy@velory.com. In the event Controller reasonably objects to an existing Subprocessor, as permitted in the preceding sentences, Controller may, as its sole remedy, terminate the applicable Agreement and this DPA.

Processor shall, at the time of selection of a Third Party to become a Subprocessor and during the entire term of the Agreement, ensure that the Subprocessor provides sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of Applicable Data Protection Law and the Agreement (including this DPA). Such subcontracting shall not release Processor from its responsibility for its obligations under the Agreement (including this DPA). Processor remains solely responsible for the work and activities of such Subprocessors, and Processor shall be held liable for the acts and omissions of any Subprocessor(s) to the same extent as if the acts or omissions were performed by Processor.

The Controller hereby authorizes and approves the Processor to engage Subprocessors for the purpose of providing the agreed Services, subject to the following conditions:

  1. The Processor shall notify the Controller of any intended additions or replacements of Subprocessors, providing sufficient information to allow the Controller to assess the potential impact and, if necessary, raise objections to the engagement of a specific Subprocessor.
  2. The Processor shall ensure that all Subprocessors are bound by a written agreement containing data protection obligations that are no less protective than those set forth in this DPA.
  3. The Processor shall remain fully liable to the Controller for the performance and compliance of its Subprocessors with the terms of this DPA and all Applicable Data Protection Law.

3. OBLIGATION TO ASSIST CONTROLLER

3.1 Assistance in the management of Data Subject requests

The Processor shall assist the Controller in ensuring compliance with the Controller's obligations under Chapter III of the GDPR regarding Data Subjects' rights. This assistance shall include, but is not limited to, implementing appropriate technical and organizational measures to facilitate the Controller’s ability to respond to Data Subject requests efficiently and within statutory deadlines.

The Processor shall assist with requests related to:

  • The right to be informed,
  • The right of access,
  • The right to rectification,
  • The right to erasure,
  • The right to restrict processing,
  • The right to data portability,
  • The right to object, and
  • Rights related to automated decision-making, including profiling.

Where a Data Subject’s request is addressed directly to the Processor, the Processor shall not respond directly to the Data Subject unless explicitly instructed by the Controller. Instead, the Processor shall promptly forward such requests to the Controller for further handling, unless otherwise agreed in writing between the Parties.

3.2 Assistance in the management of relationships with Supervisory Authorities 

Upon request from Controller, Processor shall assist Controller to allow it to comply with its obligations towards competent Supervisory Authorities. For this purpose, Processor shall provide all relevant information requested either by Controller or directly by any competent Supervisory Authority in the context, notably, of the fulfilment of notification or prior consultation obligations, of addressing requests, controls and investigations or of the management of Personal Data Breaches. 

3.3 Assistance in the completion of Data Protection Impact Assessments (DPIA)

Upon the Controller's request, Processor shall provide Controller, at Controller's cost, with reasonable assistance needed to fulfil Controller's obligation under the GDPR to carry out a DPIA related to Controller's use of the Service, to the extent such information is available to Processor. Processor shall also provide Controller, at Controller's cost, with reasonable assistance in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 3, to the extent required under the GDPR.

3.4 Assistance with Compliance under Articles 32–36 of GDPR

The Processor shall provide reasonable assistance to the Controller in meeting its obligations under Articles 32 to 36 of the GDPR, including:

  • Implementing and maintaining appropriate security measures under Article 32.
  • Assisting with the notification of Personal Data Breaches to the Supervisory Authority (Article 33) and, where applicable, communication of such breaches to Data Subjects (Article 34).
  • Conducting and documenting Data Protection Impact Assessments (Article 35).
  • Consulting with the Supervisory Authority where high-risk processing cannot be mitigated (Article 36).

4. CONFIDENTIALITY AND TRAINING

4.1 Authorisation and granted access

Processor shall ensure that the authorised persons who are granted access to the Personal Data under the Agreement are properly trained on the Processing of Personal Data and are only granted access to such Personal Data on a need-to-know basis, subject to an obligation of confidentiality. Processor shall also take steps to ensure that the authorised persons only process Personal Data in accordance with the terms of this DPA, unless required to do otherwise by Union or Member State law, in which case Processor shall immediately inform Controller, unless prohibited by applicable law.

Processor guarantees that any authorised persons entrusted with Processing Personal Data hereunder are legally or contractually bound to an obligation of confidentiality or secrecy and have been duly instructed about the Applicable Data Protection Law. As the case may be, Controller may require the signature of additional confidentiality agreements by such persons and Processor shall be responsible for ensuring that such confidentiality agreements are duly signed. 

During the term of the Agreement (including this DPA), Processor shall implement and maintain up to date trainings and awareness programs for its employees and Subprocessors processing Personal Data on Controller’s behalf regarding compliance with Applicable Data Protection Law, including, notably, principles and rules regarding the implementation of adequate technical and organizational measures for the security of Personal Data. 

The confidentiality obligations under this article will survive expiration or termination of the Agreement and this DPA respectively.

4.2 Records of processing activities 

Processor shall maintain a record of all categories of Processing activities carried out on behalf of Controller in the performance of the Agreement. Such records of Processing activities shall contain, at least, the name and contact details of Processor and its representatives (including, for instance, Processor's data protection officer, if any), the categories of Processing activities carried out, any transfers of Personal Data to a Third Country and the technical and organizational security measures implemented by Processor.

Processor shall make such records of Processing activities available upon request to any competent Supervisory Authority and/or to Controller.

5. SECURITY AND CONFIDENTIALITY MEASURES

The Processor shall implement and maintain appropriate technical and organizational measures to ensure the security of Personal Data, as outlined in Appendix B. 

6. TRANSFERS OF PERSONAL DATA

The Processor may transfer Personal Data to, or allow Processing by, Subprocessors located outside the EU/EEA, provided that such Subprocessors are listed on Velory's webpage and that appropriate safeguards in accordance with Applicable Data Protection Law (such as the European Commission's Standard Contractual Clauses) are in place.

If Processor intends to add or replace a Subprocessor in a way that involves Processing of Personal Data in a Third Country not previously notified, Processor shall inform Controller at least thirty (30) days before the engagement. Controller may object to such change by providing written notice before the end of the notice period. In case of objection, Controller may terminate the affected Service(s) without penalty.

For avoidance of doubt, Controller acknowledges and accepts the Processing of Personal Data by Subprocessors listed on the above webpage, including those located outside the EU/EEA, as of the date of signing this DPA.

7. PERSONAL DATA BREACH

In the event of a Personal Data Breach arising during the performance of the Services by Processor, Processor shall, at its own cost, notify Controller about the Personal Data Breach without undue delay after becoming aware of it and in any case within a time period that will allow Controller to comply with its potential notification obligations. Where the GDPR applies, Processor shall notify the Personal Data Breach to Controller immediately upon becoming aware of it, so that Controller can evaluate the Personal Data Breach and determine which obligations it may have to comply with (notification to authorities, communication to Data Subjects, etc.). Accordingly, Processor shall notify Controller of the Personal Data Breach within the period stated in Appendix B, namely twenty-four (24) hours of detection, so that Controller is able to meet its own seventy-two (72) hour notification deadline under Article 33 of the GDPR.

The notification by Processor shall include at least information about:

  • the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
  • the name and contact details of Processor's data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the Personal Data Breach;
  • the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects.

If such information only becomes available to Processor progressively, it shall communicate such information to Controller immediately after it has obtained it. 

Furthermore, Processor shall, at its own cost:

  • after investigating the causes of such Personal Data Breach, take such actions as may be necessary or reasonably expected in the state of the art to minimize the effects of the Personal Data Breach;
  • take all actions as may be required by Applicable Data Protection Law and, more generally, provide Controller with reasonable assistance in relation to Controller's obligations to notify the Personal Data Breach to the Supervisory Authority and to the Data Subjects, as the case may be;
  • maintain a record of all information relating to the Personal Data Breach, including the results of its own investigations (including a root cause analysis report, which shall systematically be produced to record all events, causes, actions and remedies relating to the Personal Data Breach) and of the authorities' investigations, and make such record available to Controller upon request;
  • cooperate with Controller and take all measures necessary to prevent the Personal Data Breach from recurring;
  • where Controller determines that a Personal Data Breach notification is required under Applicable Data Protection Law, reimburse Controller for all reasonable costs associated with providing notification to Data Subjects and Supervisory Authorities, unless Processor demonstrates that the Personal Data Breach was caused by Controller's negligence or wilful misconduct. The Processor shall not make a notification to the Supervisory Authorities on its own motion.

8. OBLIGATION TO INFORM CONTROLLER

Processor shall promptly notify Controller, and shall answer appropriately and without delay to all inquiries from Controller regarding:

  • Processor’s Processing of Personal Data;
  • any legally binding request for disclosure of the Personal Data by a law enforcement authority (having first requested such authority to direct the request to Controller directly), unless otherwise legally prohibited (such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation); where the GDPR applies and such law enforcement authority is not located in the European Union, any such transfer or disclosure shall comply with Article 48 of the GDPR;
  • any notification received from a Supervisory Authority alleging infringement of the Applicable Data Protection Law during the provision of the Services, or of the exercise by a Supervisory Authority of any of its powers provided by the Applicable Data Protection Law where such exercise is related to, or has an effect upon, the provision of the Services.

9. DATA MINIMISATION AND RETENTION

The Processor agrees to process Personal Data in a manner consistent with the principle of data minimisation. Personal Data shall not be retained for longer than is necessary for the purposes for which it was collected or as required by law. Personal Data that is no longer needed shall be deleted within ninety (90) days following the termination of the Agreement, unless a longer retention period is mandated by law or is necessary for the Processor to defend against legal claims or comply with regulatory obligations.

10. LIABILITY AND INDEMNIFICATION

10.1 Damages and administrative fines for damage caused to the data subjects 

Each Party is obliged to pay the proportion of the damages and administrative fines imposed that corresponds to the level of liability assigned to it by the Supervisory Authority or the court in the final decision on the damages.

10.2 Damages between the parties

The liability of either Party for damages to the other Party shall be limited to direct damages up to the amount specified in the Agreement. However, no limitation of liability shall apply to damage or losses arising out of gross negligence or wilful misconduct.

11. AUDIT

Upon Controller's written request, made with at least thirty (30) days' prior notice and at reasonable intervals (no more than once every twelve (12) months), the Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. This may include, where appropriate, third-party certifications, audit reports, or summaries thereof (e.g. ISO 27001, SOC 2) covering the relevant Subprocessors and facilities.

The Controller may conduct an on-site audit of the Processor's premises and practices relating to the Processing of Personal Data, provided such audit is conducted during normal business hours, does not unreasonably interfere with the Processor's business, and is subject to appropriate confidentiality undertakings.

The Processor shall ensure that its Subprocessors are subject to regular independent audits or certifications.

In addition to the audits provided for in the Agreement, Controller shall, in the event of a Personal Data Breach, be entitled to trigger at any time any controls or audits it deems necessary regarding Processor’s compliance with its obligations under this DPA and with regards to the causes, consequences and remediation actions related to said Personal Data Breach. 

The Processor is obliged to cooperate so that an audit can be carried out. The Processor is obliged to admit the Controller's auditor and to ensure that the auditor also has access to the Subprocessors engaged by the Processor, as well as to any cloud, data center or server supplier. The auditor will only perform the audit, or have it carried out, after prior notification to the Processor.

The Controller, responsible employees and auditor are obliged to treat all information regarding these audits as confidential and the Controller shall sign a non-disclosure agreement (NDA) with the relevant employees and auditor.

The costs of the audit are for the account of the Controller, unless the findings of the audit show that the Processor has not complied with the provisions of this agreement. In that case, the audit costs will be borne by the Processor.

12. TERMINATION, RESTITUTION AND/OR DESTRUCTION OF THE PERSONAL DATA

Upon termination of this DPA, regardless of the reason, the Processor shall cease processing any Personal Data on behalf of the Controller. At the Controller's discretion, the Processor shall:

  1. Return all Personal Data, documents, and files processed on behalf of the Controller, without retaining any copies (digital or otherwise), including backups and personal notes.
  2. Permanently delete all Personal Data, documents, and files processed in all forms and locations, in accordance with the security standards outlined in Article 32 of the GDPR.

The Processor shall provide written certification to the Controller, confirming that all Personal Data has been deleted or returned, as per the Controller's instructions. If any retention of Personal Data is required by law, the Processor shall notify the Controller and ensure such data is only retained for the minimum period required by the applicable legal obligation.

13. GOVERNING LAW

This DPA shall be governed by and construed in accordance with the laws of Sweden. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Sweden.

14. Appendix A - Processing Operations and Instructions

A.1 The personal data is processed for the following purpose:

  • Velory has developed a B2B commerce platform (the "Platform") that unites, in a single ecosystem, resellers or distributors of goods, software licenses and services (the "Equipment") with potential buyers of said goods, software licenses and services. The Platform consists of various software modules with differentiated functionality and interfaces. Personal data is processed when users buy products and/or services, use Velory's apps, portals and websites, or otherwise communicate with Velory. Velory also collects information about users to improve its apps, portals and websites. Velory processes data to keep track of users' purchases of Equipment.
  • Assist Velory Platform users in the administration of user accounts, sales, leasing and shipments of products and services over the Velory Platform. Assist a company in setting up Velory to onboard users, devices and spaces. Assist customers and end-users in curating the portfolio of products shown in the Velory Platform.
  • The nature of the processing is:
    • Adding users based on personal data such as email addresses, names and unique electronic devices
    • Assisting users in placing orders
    • Answering questions from users
    • Assessing the needs of the Controller's organisation by reading data on device usage and the expiration of leasing contracts
    • Distributing and providing users' hardware devices with apps, new installations and security measures (applicable for MDM)

A.2 Data Subjects 

The personal data processed concerns the following categories of data subjects: 

  • Employee data 
  • Customer contact details 

A.3 Categories of data

The personal data transferred concerns the following categories of data:

  • Name
  • Address
  • Employment (title, employer, workplace)
  • Telephone number
  • Email address
  • IP address
  • Device identification number (serial or IMEI number)

A.4 Special categories of data (if appropriate)

The personal data transferred concerns the following special categories of data:

N/A

A.5 Processing operations

The personal data transferred will be subject to the following basic processing activities:

Processing, registering, accessing, reading, using, aligning, erasing, hosting and storing personal data as part of providing the Services.

15. Appendix B - Technical and Organisational security measures 

This appendix outlines the technical and organizational measures implemented by the Processor to ensure the protection of Personal Data as required under the GDPR and detailed in the main body of the Data Processing Agreement (DPA).

B.1. Technical Measures

B.1.1 Data Encryption:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted using established security standards (e.g., AES-256).

B.1.2 Access Control:

  • Velory actively works with role-based permissions and access controls to ensure only authorized personnel can access Personal Data.
  • Multi-factor authentication (MFA) is implemented for access to critical systems.

B.1.3 System Configuration:

  • Standard security blueprints and operating system default security configurations are implemented and regularly reviewed.

B.1.4 Monitoring and Vulnerability Management:

  • Velory uses tools like Detectify for continuous vulnerability scanning.
  • Logs are collected and monitored using Datadog, with alerts configured for unusual activities.
  • Network traffic is monitored and protected by Cloudflare to prevent unauthorized access or DDoS attacks.

B.1.5 Backup and Disaster Recovery:

  • Regular backups of critical data are conducted and stored securely.
  • Disaster recovery plans are in place and periodically tested to ensure business continuity.

B.2. Organizational Measures

B.2.1 Employee Training:

  • All employees receive regular training on data protection, security awareness, and GDPR compliance.

B.2.2 Policies and Frameworks:

  • Velory follows established frameworks for service delivery, including risk assessments and compliance checks.
  • Internal policies for data handling, access permissions, and incident management are enforced and reviewed annually.

B.2.3 Incident Management:

  • A documented incident response plan is in place to identify, report, and manage potential security incidents or data breaches.
  • Personal Data Breaches are communicated to the Controller within 24 hours of detection.

B.2.4 Vendor and Subprocessor Management:

  • All subprocessors are evaluated for GDPR compliance prior to engagement.
  • Contracts with subprocessors include clauses that align with Velory’s data protection obligations.

B.3. Physical Security Measures

B.3.1 Data Center Security:

  • Personal Data is hosted in ISO 27001-certified data centers with restricted physical access.
  • Facilities are secured using biometric controls and monitored through CCTV.

B.3.2 Environmental Controls:

  • Data centers are equipped with fire suppression systems, climate control, and uninterruptible power supply (UPS).

B.4. Regular Review and Updates

The Processor regularly reviews and updates these measures to ensure they remain effective and appropriate to mitigate risks related to the Processing of Personal Data.