Data Processing Agreement
For the data you put into Veillo, you are the controller and we are your processor under the GDPR. This page summarises the DPA; the signable version is available to customers.
Last updated 28 May 2026. This is the current version. It reflects how Veillo operates today and is confirmed by counsel before public launch. It is not legal advice.
1. The parties and their roles
Veillo is an Arbos Techne product, operated by Arbos Folk, a sole proprietorship registered in Denmark. You can reach us at hello@veillo.eu.
You act as controller for the personal data in your workspace. Arbos Folk, as processor, handles that data only on your documented instructions, including those given through normal use of the product.
2. What is processed
- Subject matter: providing the Veillo service to you.
- Duration: for as long as your account is active, plus the deletion window in section 9.
- Nature and purpose: hosting, storing, classifying, and generating documents from the data you enter.
- Types of data: the personal data you choose to include in your AI inventory, use cases, documents, and team records, plus account and contact details of your users.
- Data subjects: your staff and any individuals you reference in your compliance records.
3. Our obligations as processor
We process personal data only on your instructions and for the purposes above, keep it confidential, and make sure the people who handle it are bound to confidentiality. We help you meet your own GDPR duties, including responding to data-subject requests and carrying out impact assessments, as set out below.
4. Security
We apply technical and organisational measures appropriate to the risk, in line with Article 32: encryption in transit, EU-region storage, role-based access within isolated workspaces, and an append-only audit log. See our security and data residency page.
5. Sub-processors
We use a limited set of sub-processors, each under a written agreement with terms no weaker than this one, and each chosen for EU data handling. The DPA lists them with their purpose and location, and commits us to telling you before we add or change one, so you can object.
6. Helping you respond to people
If one of your data subjects asks to access, correct, or delete their data, we give you the tools and, where needed, the help to respond. If anyone contacts us directly about data in your workspace, we refer them to you.
7. Personal data breaches
If we become aware of a breach affecting your data, we notify you without undue delay and give you the information you need to meet your own notification duties.
8. Audits
We give you the information you reasonably need to show that we meet this DPA, and we support audits on reasonable notice, in a way that respects the security and confidentiality of our other customers.
9. Return and deletion
When your account ends, you can export your data for a reasonable window. After that, we delete or anonymise it, and instruct our sub-processors to do the same, unless the law requires us to keep certain records.
10. International transfers
We keep data in the EU wherever we can. Where a sub-processor operates outside the EEA, the transfer relies on an adequacy decision or Standard Contractual Clauses.
11. Liability and governing law
Liability under the DPA follows the limits in our Terms of Service. The DPA is governed by the laws of Denmark and the European Union, alongside the GDPR.
12. Getting the DPA in place
Email hello@veillo.eu and we will send the signable version. For most customers, the DPA is offered as part of signing up.