Effective: March 13, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the customer entity identified in the applicable subscription or order ("Customer" or "Controller") and Velnoro LLC ("Velnoro" or "Processor") for the Velnoro platform (the "Service"). This DPA applies to the extent that Velnoro processes Personal Data on behalf of Customer in connection with the Service.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
- "Data Protection Laws" means the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and any other applicable data protection legislation.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.
- "Subprocessor" means any third party engaged by Velnoro to process Personal Data on behalf of Customer.
2. Scope and Purpose of Processing
Velnoro processes Personal Data solely to provide the Service to Customer. The Service involves two categories of processing:
- Tenant scanning (read-only): Velnoro connects to Customer's Microsoft Power Platform tenant via read-only API access to collect resource metadata and generate governance intelligence, including health scores, builder attribution, and compliance reports. Velnoro never writes to, modifies, or deletes anything in Customer's Microsoft tenant.
- Customer-entered content: Customer users may create program governance documents, fill out templates, and upload files through the Program Resources feature. This content is stored in Velnoro's systems on behalf of Customer and is subject to the same security and retention measures described in this DPA.
3. Data Subjects
The categories of data subjects whose Personal Data is processed:
- Customer employees and authorized users who access the Velnoro platform (account data)
- Individuals identified in Customer's Microsoft Power Platform tenant as resource owners, builders, or environment administrators (tenant metadata)
4. Categories of Personal Data
Velnoro processes the following categories of Personal Data:
- Account data: Names, email addresses, authentication tokens
- Tenant metadata: Display names, user principal names, organizational titles (sourced from Microsoft Graph API)
- Resource ownership: Which users created or own specific Power Platform resources
- Customer-entered content: Program governance documents, templates, and form submissions entered by Customer users through the Program Resources feature, including uploaded files (PDF, DOCX, XLSX, images)
Velnoro does not process: flow definitions, app source code, business data processed by Customer's Power Platform apps, passwords, biometric data, or sensitive/special category data.
Note: Customer is solely responsible for the content it enters into Program Resources templates and uploads. Customer must not enter regulated data (health records, payment card numbers, government IDs) into free-text fields or upload documents containing such data unless Customer has independently determined this is compliant with applicable laws.
5. Obligations of the Processor
Velnoro shall:
- Process Personal Data only on documented instructions from Customer, including as described in this DPA, the Service agreement, and any applicable order.
- Ensure that persons authorized to process Personal Data have committed to confidentiality.
- Implement and maintain appropriate technical and organizational security measures as described in Section 7.
- Engage Subprocessors only in accordance with Section 8.
- Assist Customer in responding to data subject requests, including access, rectification, erasure, and portability, as described in Section 9.
- Assist Customer with obligations under Articles 32 to 36 of the GDPR (security, breach notification, impact assessments).
- At Customer's choice, delete or return all Personal Data after the end of the Service, as described in Section 10.
- Make available to Customer all information necessary to demonstrate compliance with this DPA.
6. Obligations of the Controller
Customer shall:
- Ensure it has a lawful basis for sharing Personal Data with Velnoro under applicable Data Protection Laws.
- Provide all necessary notices and obtain any required consents from data subjects whose Personal Data will be processed.
- Issue documented instructions for the processing of Personal Data that comply with Data Protection Laws.
7. Security Measures
Velnoro implements the following technical and organizational measures to protect Personal Data:
- Encryption at rest: All sensitive credentials (client IDs, client secrets, OAuth tokens) are encrypted using AES-256-GCM authenticated encryption with keys stored in environment variables, separate from the database. All other data at rest is protected by AES-256 disk encryption.
- Encryption in transit: All communications use TLS encryption, including browser-to-server, server-to-database, and server-to-Microsoft-API connections.
- Tenant isolation: Row-level security (RLS) policies are applied to all tenant-scoped database tables. Each query is automatically scoped to the authenticated user's account.
- Minimal permissions: Only two Microsoft API permission scopes are requested, both read-only (Organization.Read.All, Resources.Read).
- Access control: Customer controls access to its Microsoft tenant through the Entra ID app registration it creates and manages. Access can be revoked at any time.
- Error monitoring: Sentry is used with PII scrubbing enabled. No customer business data appears in error reports.
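The credential-encryption measure above (AES-256-GCM with the key held in an environment variable rather than the database) is illustrated by the following added example. It is not Velnoro's code and makes no claim about how the Service is implemented; the variable name CREDENTIAL_ENCRYPTION_KEY, the tenant identifier used as associated data, and the sample secret are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// KeyEnvVar is a hypothetical variable name chosen for this example; the DPA
// only states that keys live in environment variables, not what they are called.
const KeyEnvVar = "CREDENTIAL_ENCRYPTION_KEY"

// LoadKey reads the AES-256 key from the process environment rather than from
// the database, so a copy of the database alone is not enough to decrypt credentials.
func LoadKey() ([]byte, error) {
	raw, ok := os.LookupEnv(KeyEnvVar)
	if !ok {
		return nil, fmt.Errorf("%s is not set", KeyEnvVar)
	}
	key, err := hex.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("%s is not valid hex: %w", KeyEnvVar, err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("%s must decode to 32 bytes, got %d", KeyEnvVar, len(key))
	}
	return key, nil
}

// Seal encrypts a credential with AES-256-GCM. The stored blob is nonce || ciphertext || tag.
// aad is authenticated but not encrypted; binding it to the owning row (for example a
// tenant id) means a ciphertext copied into another tenant's row fails to decrypt.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce travels with the record.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or aad makes GCM
// return an error instead of garbage plaintext, which is the point of authenticated encryption.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed demo key so the program runs stand-alone; in deployment the value
	// is provisioned in the runtime environment and never written to the database.
	demo := make([]byte, 32)
	if _, err := rand.Read(demo); err != nil {
		panic(err)
	}
	os.Setenv(KeyEnvVar, hex.EncodeToString(demo))

	key, err := LoadKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("tenant:constructed-example-id") // constructed tenant identifier
	blob, err := Seal(key, []byte("constructed-client-secret"), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (hex): %x\n", blob)
	if pt, err := Open(key, blob, aad); err == nil {
		fmt.Println("decrypted:", string(pt))
	}
	// A single flipped bit in the stored blob is rejected outright.
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, blob, aad); err != nil {
		fmt.Println("tamper detected:", err)
	}
}
```

The separation the DPA describes is what makes this worthwhile: the blob in the database is useless without the key in the environment, and the GCM tag means a modified or misplaced blob is refused rather than decrypted to a wrong value.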
8. Subprocessors
Customer authorizes Velnoro to engage the following Subprocessors. Velnoro will notify Customer of any changes to Subprocessors by updating this page and, where feasible, by email to the Customer's account administrator.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication | United States (AWS) |
| Vercel Inc. | Application hosting, edge functions | United States (Global CDN) |
| Inngest Inc. | Background job orchestration | United States |
| Sentry (Functional Software Inc.) | Error monitoring | United States |
| Stripe Inc. | Payment processing | United States |
| Upstash Inc. | Rate limiting | United States |
Velnoro ensures that each Subprocessor is bound by data protection obligations no less protective than those set out in this DPA.
9. Data Subject Rights
Velnoro will assist Customer in fulfilling data subject requests under applicable Data Protection Laws. The following self-service capabilities are available:
- Access: Users can view all data associated with their account through the Velnoro dashboard.
- Rectification: Users can edit account information and directory entries.
- Erasure: Account deletion permanently removes all associated data, including credentials, scan data, team membership, and audit records.
- Portability: Governance data export is available via PDF and CSV.
- Formal DSAR: Data Subject Access Requests can be submitted via the privacy policy DSAR form (powered by Termly), or by email to privacy@velnoro.com.
10. Data Return and Deletion
- During the term: Scan data is retained for 30 days (free tier) or 365 days (paid plans). Automated purge runs daily.
- Upon termination: Customer may export its data for 30 days after service termination. After the 30-day window, all Customer data is permanently deleted from Velnoro systems, including backups, within 90 days.
- Account deletion: Immediate cascade deletion of all associated data, credential zeroing, and billing cancellation.
11. Breach Notification
In the event of a Personal Data breach, Velnoro will notify Customer without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include:
- The nature of the breach, including categories and approximate number of data subjects affected
- Contact details for further information
- A description of the likely consequences
- A description of measures taken or proposed to address the breach
12. International Data Transfers
Velnoro and all Subprocessors are based in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, the parties agree to rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are incorporated into this DPA by reference.
In the context of the SCCs: Customer acts as the data exporter and Velnoro acts as the data importer. Module Two (Controller-to-Processor) applies.
13. Audit Rights
Customer may audit Velnoro's compliance with this DPA. Audits will be conducted:
- No more than once per 12-month period, unless a data breach has occurred
- With at least 30 days advance written notice
- During normal business hours
- Subject to reasonable confidentiality obligations
Velnoro may satisfy audit requests by providing relevant certifications, audit reports, or security documentation. For detailed security documentation, contact privacy@velnoro.com.
14. Term and Termination
This DPA is effective for the duration of the Service agreement between Customer and Velnoro. It automatically terminates when the Service agreement ends, subject to the data return and deletion provisions in Section 10.
Sections that by their nature should survive termination will survive, including confidentiality obligations, data deletion obligations, and audit rights (for a period of 12 months following termination).
15. Governing Law
This DPA is governed by the laws of the State of North Carolina, United States, except where Data Protection Laws require otherwise (in which case, the relevant Data Protection Law governs the data protection obligations herein).
16. Contact
For questions about this DPA or to exercise any rights described herein, contact:
Velnoro LLC
Attn: Privacy
4030 Wake Forest Road, Ste 349
Raleigh, NC 27609
Email: privacy@velnoro.com