A Data Processing Addendum (DPA) is the GDPR (and similar law) contract module where a processor documents how it handles personal data on behalf of a controller. It covers subprocessors, international transfers, breach notification timelines, deletion on termination, and assistance with data subject requests.
Payment tokens can still constitute personal data when they are linked to identifiable customers (external_customer_id, email, account IDs). Even if the PAN is tokenized, the metadata held in Veliro may be personal data that requires a DPA.
DPAs reference Standard Contractual Clauses (SCCs) or UK IDTA for cross-border transfers. Map where Veliro processes and stores data relative to your customers’ jurisdictions.
Veliro provides a DPA aligned with enterprise GDPR expectations alongside the MSA. Your privacy team should record the subprocessors listed in the DPA in your register of processing activities and in any customer-facing privacy notices where Veliro is disclosed.
Data subject access requests may require correlating tok_* references with customer profiles in your own systems; the DPA should clarify how Veliro assists with such requests without exposing other tenants’ data.