Data Processing Addendum
Version 1.0.0 — Federal Grade
1. Purpose
This DPA governs VeeSafe's processing of Client Data in connection with the platform.
2. Roles
Client is the Data Controller. VeeSafe is the Data Processor. Subprocessors are Lovable, Supabase, Vercel, and Cloudflare.
3. Categories of data
Authentication data, compliance documentation, evidence uploads, assessment responses, and metadata.
4. Processing activities
To provide the platform, generate documentation, maintain security, and provide support.
5. Subprocessors
Lovable (application), Supabase (database and auth), Vercel (frontend), Cloudflare (DNS and edge security). Client authorizes these subprocessors. See subprocessor list.
6. Security measures
Aligned with NIST SP 800-171 and CMMC Level 2 practices. Includes encryption in transit and at rest, MFA, row-level security, audit logging, and least-privilege access.
7. Data subject rights
VeeSafe assists the Client in responding to access, correction, and deletion requests.
8. Incident response
VeeSafe will notify the Client without unreasonable delay if a security incident affects Client Data.
9. International transfers
Data is stored in U.S. regions unless otherwise specified.
10. Return or deletion
On termination, data is available for export for sixty days. After sixty days, data may be deleted.
11. Audit rights
VeeSafe will provide documentation reasonably necessary to demonstrate compliance with this DPA.