Data Processing Addendum.

For customer tenants where applicable privacy law (HIPAA, GDPR, CCPA/CPRA, state privacy acts) requires a Data Processing Addendum. The DPA is part of our standard contract package alongside the Master Services Agreement and the Business Associate Agreement. Authoritative document sent on request.

What the DPA covers

• Roles — Velora as processor / business associate; customer as controller / covered entity.
• Scope of processing — billing reconciliation as set out in the MSA.
• Subprocessor list (current set: /subprocessors) and notice mechanism (30 days for new subprocessors handling PHI).
• Security measures — encryption at rest, audit logging, access control, incident response. Details on /trust.
• Data subject rights handling — access, deletion, portability per the law that governs the customer relationship.
• Breach notification — Velora notifies the customer's privacy contact within 72 hours of discovery, consistent with HIPAA + GDPR cadences.
• Cross-border transfers — Standard Contractual Clauses where applicable.
• Term — co-terminous with the MSA; survival of confidentiality + data-handling obligations.

Receive the DPA

Email hello@hellovelora.com with subject "DPA request — [Tenant name]". We send the current revision within one business day. Redlines welcome — we maintain a tracked redline log for procurement evidence.

Last updated: 2026-04-29