1. Parties & roles
This Addendum supplements the Terms of Service. The Customer is the data Controller; Veirox is the data Processor. Where Customer collects data on behalf of an end-user (e.g. their own customers), Customer remains the Controller.
2. Scope of processing
Categories of data subjects
- Customer's employees and contractors using the Service
- Customer's end-users whose data flows into the Service via webhooks, integrations, or agent sessions
Categories of data
- Identifiers (email, name, account IDs)
- Operational telemetry (sessions, tool calls, audit events)
- Customer content submitted to the agent (prompts, files, integration outputs)
- Webhook payloads (subject to redaction rules Customer configures)
Purposes of processing
- Provide the Veirox SaaS as described in the Terms
- Generate agent responses (which involves submitting prompts to Anthropic's API — see §5)
- Maintain audit logs as required by §6 of the Terms
- Detect abuse and enforce quotas
Duration
For the term of the Customer's subscription, plus the deletion grace period documented in §9 of the Terms (default 30 days).
3. Processor obligations
Veirox will:
- Process data only on documented Customer instructions (the Service configuration counts as such instructions).
- Ensure personnel with data access are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Security page).
- Engage subprocessors only with prior general written authorisation; the current list is at /legal/subprocessors.html.
- Notify Customer of new subprocessors at least 14 days in advance via email.
- Assist Customer in fulfilling Data Subject Requests (DSRs).
- Notify Customer without undue delay (within 72 hours where feasible) of any personal data breach.
- On termination, delete or return Customer Data per Customer's choice; default is deletion after the 30-day grace period.
4. Security measures
We maintain measures including (non-exhaustive):
- Encryption in transit (TLS 1.3) and at rest (per-org Fernet vault key).
- Argon2id password hashing; MFA via TOTP and WebAuthn.
- Append-only audit log with monthly partitioning (SOC 2 CC6.1 / CC7.2).
- Sandboxed agent execution (env scrubbing + SDK path restriction + bwrap mount namespace).
- Three-layer tenant verification on Connect tunnelled commands.
- Regular dependency scanning (Dependabot, Trivy).
- Incident response runbook with named on-call rotation.
5. Subprocessors
The subprocessor list at /legal/subprocessors.html is the canonical, current source. Material entries:
- Anthropic — agent inference (your prompts and the agent's outputs are sent to Anthropic's API for processing).
- Stripe — billing.
- DigitalOcean — infrastructure hosting.
- Cloudflare — DNS and DDoS protection.
Customer may object to a new subprocessor within 14 days of notification by emailing legal@veirox.com. We'll work in good faith to resolve the objection; if it cannot be resolved, Customer may terminate without further obligation.
6. Data Subject Requests
Customer is responsible for handling DSRs received from data subjects. Veirox provides tooling to assist:
- Console: /console/<org>/settings/governance
- CLI: veirox governance dsr create --request-type {export|erasure}
Veirox responds to direct data-subject requests by routing them to the relevant Customer.
7. International transfers
Veirox is hosted in the EU/US region (current: DigitalOcean ams3, may change with subprocessor list updates). Transfers outside the EEA rely on Standard Contractual Clauses (SCCs) where applicable.
8. Audits
Veirox will make available all information necessary to demonstrate compliance. Customer may request an audit, conducted at Customer's expense and on reasonable notice (≥30 days), no more than once per year, subject to confidentiality.
Where SOC 2 Type II / ISO 27001 reports are available (see Security page for status), Customer may rely on them in lieu of an audit.
9. Liability
The liability cap in §11 of the Terms applies, except liability arising from breach of GDPR obligations cannot be capped below the relevant GDPR thresholds.
10. Changes
Material changes are announced 30 days in advance via email to org owners.
11. Contact
DPO / privacy contact: legal@veirox.com.