Draft legal document
DRAFT — Requires review by qualified legal counsel before publication.
Data Processing Agreement
This draft Data Processing Agreement sets out controller, processor, sub-processor, security, breach, audit, rights request, and deletion terms for VS Ai customer data.
Draft status: customer-facing review copy for lawyer assessment.
1. Purpose and scope
This Data Processing Agreement applies where Veyron Systems processes personal data for a customer through VS Ai. It should be read with the Terms of Service, Privacy Policy, order form, and any signed enterprise agreement.
2. Controller and processor roles
The customer acts as controller for personal data submitted to VS Ai unless the parties agree otherwise in writing. Veyron Systems acts as processor when it processes that data on the customer’s documented instructions. Veyron Systems may act as controller for account administration, billing, security, fraud prevention, legal compliance, and service management records.
3. Processing instructions
Veyron Systems will process customer personal data to provide VS Ai, support users, secure the service, maintain evidence records, manage billing, meet legal duties, and follow the customer’s lawful documented instructions. If an instruction appears unlawful or unsafe, Veyron Systems may pause processing and request clarification.
4. Sub-processors
Approved sub-processors may include OpenAI, Anthropic, Google, Stripe, Neon, Vercel, Cloudflare, and Resend. These providers may process data for AI generation, model routing, payments, database hosting, application hosting, network security, email delivery, logging, and support functions.
5. Security measures
Veyron Systems will maintain technical and organisational measures designed to protect customer personal data, including access controls, workspace separation, audit logs, transport encryption, provider-supported storage encryption, operational access limits, secret handling, and incident review procedures.
6. Data subject rights
Veyron Systems will assist the customer with data subject requests where reasonably possible and where the request relates to personal data processed through VS Ai. The customer remains responsible for deciding how to respond unless Veyron Systems acts as controller for the relevant record.
7. Breach notification
Veyron Systems will notify affected customers without undue delay after confirming a personal data breach involving customer personal data. The notice should describe the known facts, likely impact, affected data categories, containment steps, and contact path for follow-up.
8. Audit rights
Customers may request reasonable evidence of security and processing controls. Enterprise audit rights, notice periods, confidentiality, scope, frequency, cost allocation, and access limits should be set in the final signed agreement.
9. Deletion and return
On contract termination, Veyron Systems will delete or return customer personal data within a reasonable period unless law, billing obligations, dispute handling, security investigations, backup cycles, or Evidence Ledger retention requirements require continued storage.
10. International transfers
VS Ai uses US-based infrastructure and may involve international processing by approved sub-processors. Transfer terms, safeguards, and country-specific addenda must be reviewed by qualified legal counsel before publication or enterprise signing.