Data Processing Agreement
Last updated: 7 June 2026
The terms under which we process personal data on behalf of a venue customer, as required by Article 28 GDPR.
1. Roles and scope
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Customer and Vibros LTD (“Veltflow”, “Vibros”). It applies only to Customer Personal Data that Vibros processes as processor on behalf of the Customer, including guest service requests, guest orders, guest messages, QR scan/session metadata, operational status data, and related venue records. For that data the Customer is the controller and Vibros is the processor.
This DPA does not apply to Vibros Account Data — including customer personnel account data, authentication data, billing data, support communications, platform security logs, sales and demo communications, and business-relationship data — for which Vibros acts as an independent controller under its Privacy Policy.
2. Processing instructions
Vibros processes Customer Personal Data only on the Customer’s documented instructions, including those given through ordinary use and configuration of the platform and through support requests, unless required to act otherwise by EU or member-state law (in which case Vibros will inform the Customer, where legally permitted).
3. Our obligations as processor
- process Customer Personal Data only on the Customer’s documented instructions, unless required by law;
- ensure persons authorised to process the data are bound by confidentiality;
- implement the technical and organisational measures set out in Annex 2;
- engage sub-processors only under written terms with equivalent obligations, and give notice of intended changes (Annex 3);
- taking into account the nature of processing, assist the Customer in responding to data-subject rights requests;
- assist the Customer with security, breach notification, and data-protection impact assessments;
- notify the Customer of personal-data breaches as described in section 4;
- delete or return Customer Personal Data at the end of the service as described in section 5;
- make available the information needed to demonstrate compliance, and allow for and contribute to audits as described in section 8.
4. Personal-data breach notification
Vibros will notify the Customer without undue delay and, where feasible, within 48 hours after becoming aware of a personal-data breach affecting Customer Personal Data, and will provide the information reasonably available to help the Customer meet its own notification obligations.
5. Return and deletion
On termination of the service, Vibros will delete or return Customer Personal Data in accordance with the Customer’s documented instructions, unless retention is required by applicable law.
6. International transfers
The primary database is hosted in the EU (Frankfurt region). Where a sub-processor processes Customer Personal Data outside the EEA, the transfer is covered by an appropriate safeguard such as the European Commission’s Standard Contractual Clauses, with additional transfer protections where required.
7. Liability and precedence
The liability terms of the Terms of Service apply to this DPA. In the event of a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA prevails.
8. Audit
On reasonable prior written notice, and no more than once per year unless required by a supervisory authority, Vibros will make available the information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and to not compromising the security of other customers.
Annex 1 — Details of processing
| Subject matter | Provision of the Veltflow SaaS platform to the Customer. |
|---|---|
| Duration | The term of the Customer’s agreement, plus any wind-down period. |
| Nature & purpose | QR-based guest ordering, guest service requests, operational management, and reporting. |
| Data subjects | The Customer’s venue guests, and Customer personnel to the extent they appear in operational records (for example, the staff member who actioned a request). |
| Categories of data | Guest-provided names and messages; request and order details; operational status data; QR scan/session metadata (IP-derived location, user-agent, timestamps). |
| Special categories | Not intentionally collected. The Customer must not use the platform to gather special-category data. |
| Instructions | Documented instructions given through the agreement, platform configuration, and support requests. |
Annex 2 — Technical and organisational measures
Vibros maintains technical and organisational measures appropriate to the risk, which currently include:
- encryption of data in transit (HTTPS/TLS);
- provider-managed encryption at rest where available;
- tenant separation by venue/customer account, enforced server-side on every authenticated query and action;
- role-based access controls and operator authentication via a dedicated identity provider (Clerk);
- signed (HMAC) QR tokens and short-lived guest sessions for the account-free guest entry point;
- per-IP and per-location rate limiting on guest entry points;
- restricted administrative access on a least-privilege basis;
- server-side input validation and parameterised database access;
- logging and monitoring of relevant events;
- environment-based secret management (secrets are never committed to source control);
- backup and restore procedures where implemented by our infrastructure providers;
- documented incident-response procedures;
- review of sub-processors before appointment;
- deletion or export of Customer Personal Data on termination.
Annex 3 — Sub-processors
The Customer authorises Vibros to engage the following sub-processors:
| Sub-processor | Purpose | Primary location |
|---|---|---|
| Neon | Managed Postgres database hosting | EU (Frankfurt) |
| Vercel | Application hosting & delivery | EU / global edge |
| Clerk | Operator authentication & session management | US (SCCs applied) |
| Cloudflare | Image/object storage (R2) & network/DNS | EU / global edge |
Vibros may appoint sub-processors provided it remains responsible for their processing activities, flows down equivalent data-protection obligations, and gives the Customer reasonable prior notice of material changes. The Customer may object on reasonable data-protection grounds.
Contact
Data-protection enquiries: privacy@veltflow.app — Vibros LTD, Nicosia, Cyprus.