02 · GDPR

Privacy as an operating condition.

Velqory works with documents and sensitive business information. Our GDPR approach separates commercial data, tenant data, and data processed on behalf of customers, as defined by contract, DPA, and project scope.

Institutional position

Public position

Institutional pages clarify Velqory public positioning. The concrete relationship with each customer still depends on proposal, contract, SOW, DPA, or approved document.

Velqory may act as an independent controller for its own commercial data.

When processing personal data on behalf of a customer or partner, Velqory acts as processor under agreed terms.

A DPA is activated only when personal data is processed on behalf of another party.

How we frame responsibilities

Each relationship must identify who defines purposes and means, who performs technical processing, and which documented instructions apply.

Commercial relationship: each party processes its own contacts as an independent controller.
Tenant or contracted project: controller and processors are defined in the contract, SOW, or DPA.
Technical subprocessors are identified when the project requires actual processing.

Operational measures

Concrete measures depend on the subscribed plan, infrastructure, integrations, and customer requirements.

Access control, tenant segregation, and least privilege.
Activity logs, permission review, and deletion or return procedures.
Retention defined by contract, operational need, and applicable legal periods.
Incident handling with communication proportional to risk and contractual context.

Limits and validation

What this page does not mean

It does not replace a privacy policy, contract, SOW, DPA, or legal advice.
It does not state universal compliance for every customer or project.
Retention, location, and provider lists must be confirmed per project.

Talk to us about data and contracts.

Contact Velqory View commercial terms