Data Processing Addendum (DPA)
Last Updated: May 26, 2026
This Data Processing Addendum (“DPA”) forms part of the PreVeil Enterprise Services Agreement (“Agreement”) between PreVeil, Inc. (“PreVeil” or Processor) and the Customer identified in the applicable Order Form (“Customer” or Controller).
This DPA applies when PreVeil processes Personal Data on behalf of Customer in connection with the Services.
1. DEFINITIONS
Unless otherwise defined in this DPA, capitalized terms have the meaning given in the Agreement.
Applicable Data Protection Laws
All applicable laws relating to the protection of Personal Data including:
- EU General Data Protection Regulation (GDPR)
- UK GDPR
- CCPA/CPRA where applicable
- Other applicable privacy regulations.
Controller
The entity determining the purposes and means of processing Data.
Processor
The entity processing Personal Data on behalf of the Controller.
Personal Data
Any information relating to an identified or identifiable natural person.
Processing
Any operation performed on Personal Data including collection, storage, transmission, or deletion.
Subprocessor
A third party engaged by PreVeil to process Personal Data on behalf of Customer.
2. ROLES OF THE PARTIES
For purposes of this DPA:
Customer acts as Controller.
PreVeil acts as Processor, except that PreVeil acts as a Controller to further process Personal Data only to the extent comprised of system usage data such as account logins and audit or usage logs for the limited business purposes which are incidental to the provision of the Services, including detecting security incidents, protecting against malicious, fraudulent, or illegal activity, contract management and improving Services. PreVeil will comply with its obligations as an independent Controller with respect to such uses.
3. SCOPE OF PROCESSING
Subject Matter
Provision and use of the PreVeil secure email and file storage & sharing services.
Duration
For the duration of the Agreement and until Personal Data is deleted or returned.
Nature and Purpose
Processing necessary to provide the Services, including:
- End-to-end encrypted email
- End-to-end encrypted file storage and sharing
- compliance functionality
- system operations
Categories of Data Subjects
May include:
- Customer employees
- Customer contractors
- Customer clients
- Customer partners
- email recipients
Categories of Personal Data
May include:
- names
- email addresses
- communications metadata
- content transmitted through the Services (which may contain Personal Data)
4. PROCESSOR OBLIGATIONS
PreVeil will:
- Process Personal Data only in accordance with Customer’s instructions, including to provide the Services.
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement reasonable technical and organizational measures to protect Personal Data.
- Reasonably assist Customer in responding to data subject requests where required.
- Reasonably assist Customer in meeting obligations relating to:
  - security of processing
  - breach notification
  - data protection impact assessments
- Notify Customer of a Security Incident involving Personal Data within 24 hours of discovery.
- Not sell Personal Data.
- Not use or disclose Personal Data except:
  - to provide the Services
  - as required by law.
5. SECURITY MEASURES
PreVeil will implement and maintain reasonable technical and organizational security measures designed to protect Personal Data.
Security measures include:
- End-to-end encryption of emails and files
- access control systems
- monitoring and intrusion detection
- secure infrastructure
- employee security training
PreVeil’s architecture is designed such that Customer retains control of decryption keys, and PreVeil does not have the ability to decrypt Customer Content.
6. SUBPROCESSORS
PreVeil does not use subprocessors.
7. INTERNATIONAL DATA TRANSFERS
Where Personal Data is transferred outside the EEA or UK, PreVeil will ensure appropriate safeguards are in place including:
- Standard Contractual Clauses (SCCs)
- other lawful transfer mechanisms recognized by Applicable Data Protection Laws.
8. DATA SUBJECT REQUESTS
If PreVeil receives a request from a data subject regarding Personal Data processed on behalf of Customer, PreVeil will:
- promptly notify Customer (unless prevented by law from doing so)
- not respond directly unless legally required.
Customer remains responsible for responding to such requests.
9. AUDITS
PreVeil will provide applicable security assessment reports (e.g. SOC-2, FedRAMP Body of Evidence) upon request. Such requests will be subject to confidentiality obligations.
10. DATA RETURN AND DELETION
Upon termination of the Agreement:
- Customer may export Customer Content for 60 days.
- After that period, PreVeil may securely delete Customer data unless retention is required by law.
11. CCPA / CPRA PROVISIONS
To the extent the California Consumer Privacy Act or other state data privacy law applies:
PreVeil acts as a Service Provider.
PreVeil will not:
- sell Personal Information
- retain Personal Information outside the scope of the Agreement
- use Personal Information for purposes other than to provide the Services.
12. LIABILITY
Liability under this DPA is governed by the Limitation of Liability provisions in the Agreement.
13. GOVERNING LAW
This DPA is governed by the governing law specified in the Agreement.
14. ORDER OF PRECEDENCE
If there is a conflict between this DPA and the Agreement:
- This DPA governs with respect to Personal Data protection obligations.
- The Agreement governs in all other respects.