This Data Processing Agreement (the “DPA”) is offered as a template to customers who need a written data-processing agreement for their use of Pondria, operated by Velta BV (“Velta”). It supplements the Terms of Service. A countersigned copy is available on request by emailing help@pondria.ai. Where this DPA and the Terms of Service conflict on the processing of personal data, this DPA prevails.
1. Parties and roles
This DPA is between the customer and Velta BV, Beekstraat 17, 3545 Halen, Belgium; VAT and enterprise number BE 1024.208.746. For the personal data contained in Customer Data (the planning content the customer enters), the customer is the controller and Velta BV is the processor, processing that data only on the customer’s behalf. This DPA governs that processing and sets out the processor’s obligations under Article 28 GDPR.
Account, billing, and security data are not processed under this DPA. For that data Velta acts as a controller in its own right, as described in the Privacy Policy.
2. Subject matter and duration
The subject matter is the provision of the Pondria service as described in the Terms of Service. Processing continues for as long as the customer uses the Service and until the data is returned or deleted in accordance with this DPA.
3. Nature and purpose of processing
Velta processes personal data to host, operate, secure, and support the capacity-planning and revenue-forecasting functionality that the customer uses. Processing is limited to what is necessary to provide the Service.
4. Categories of personal data and data subjects
- Data subjects: the individuals the customer records as persons or contacts within its planning data.
- Categories of data: the personal data contained in Customer Data (the planning content), including persons, allocations, projects, clients, and comments. Account, billing, and security data are handled by Velta as a controller under the Privacy Policy and fall outside this DPA. No special categories of personal data are required by the Service.
5. Processor obligations
Velta, as processor, will:
- process personal data only on the customer’s documented instructions;
- ensure that persons authorized to process the data are bound by an obligation of confidentiality;
- implement appropriate technical and organizational measures under Article 32 GDPR (see Annex 2);
- assist the customer, taking into account the nature of processing, in responding to data-subject requests;
- assist the customer in meeting its obligations under Articles 32 to 36 GDPR, including security, breach notification, and data-protection impact assessments;
- notify the customer without undue delay after becoming aware of a personal-data breach;
- at the customer’s choice, delete or return the personal data at the end of the provision of the Service, as described in Annex 1 and the retention terms below;
- make available the information necessary to demonstrate compliance and allow for audits as set out below.
6. Subprocessing
The customer provides general authorization for Velta to engage the subprocessors listed in Annex 3. Velta imposes data-protection obligations on each subprocessor that are no less protective than those in this DPA. Velta will inform the customer of any intended change concerning the addition or replacement of subprocessors, giving the customer the opportunity to object on reasonable data-protection grounds.
7. International transfers
Primary processing takes place in the EU/EEA. Where a subprocessor processes personal data outside the EEA, that transfer is covered by the EU Standard Contractual Clauses or the provider’s EU-US Data Privacy Framework certification, as set out in that provider’s data processing agreement.
8. Personal-data breach
Velta will notify the customer without undue delay and in any event within 72 hours of becoming aware of a personal-data breach affecting the customer’s personal data, and will provide the information reasonably available to help the customer meet its own notification obligations.
9. Audit rights
Velta will make available to the customer the information necessary to demonstrate compliance with Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by the customer or an auditor it mandates, on reasonable prior notice and subject to confidentiality, in a manner that does not disrupt the Service or compromise the security of other customers.
10. Return and deletion of data
On termination or expiry of the Service, personal data is deleted within the 30-day grace window described in the Terms of Service, unless the customer requests its return first. After deletion Velta retains only (a) the salted, irreversible hash of the email address, used to prevent trial abuse, and (b) billing and invoice records that Velta and Stripe are required by law to keep, currently seven years under Belgian accounting law, as described in the Privacy Policy.
11. Liability
Liability under this DPA is subject to the limitations and cap set out in the Terms of Service, to the extent permitted by applicable law.
12. Governing law
This DPA is governed by the laws of Belgium, consistent with the governing-law and jurisdiction terms of the Terms of Service.
Annex 1: Details of processing
- Subject matter: provision of the Pondria capacity-planning and revenue-forecasting service.
- Duration: for the term of the customer’s use of the Service, plus the 30-day grace window before deletion.
- Nature and purpose: hosting, operating, securing, and supporting the Service on the customer’s behalf.
- Types of personal data: the personal data contained in Customer Data (the planning content), including persons, allocations, projects, clients, and comments. Account, billing, and security data are processed by Velta as a controller under the Privacy Policy, outside this DPA.
- Categories of data subjects: the individuals recorded in the customer’s planning data.
Annex 2: Technical and organizational measures
- HttpOnly session cookies for authentication, with no session token exposed to scripts;
- encryption of personal data in transit and at rest;
- row-level security in the database to isolate each organization’s data;
- least-privilege access controls for staff and systems;
- EU-region hosting for primary processing.
Annex 3: Approved subprocessors
- Supabase: database and authentication hosting (EU region).
- Vercel Inc. (United States): static frontend hosting and edge request routing over a global edge network; does not store Customer Data; transfers safeguarded by EU Standard Contractual Clauses (SCCs).
- Amazon Web Services: backend hosting and transactional email through Amazon SES (EU, Frankfurt / eu-central-1).
- Sentry: error monitoring (EU/Frankfurt region).
- Stripe: payment processing (United States).
- Google, Microsoft, and GitHub: social sign-in identity providers, used only when a user chooses to sign in with one of them (United States).
This subprocessor list matches the one in our Privacy Policy. Anthropic is listed there as a planned future subprocessor for AI features that are not active in v1.
Signatures
This DPA may be signed by both parties. A countersigned copy is available on request by emailing help@pondria.ai.
For the customer (controller)
Name: -
Title: -
Date: -
For Velta BV (processor)
Name: -
Title: -
Date: -