Sub-processor and Vendor Register — Veloxis
Effective date: [to be set on first publication] Last revised: 2026-05-24 Owner: CA Krishna Gujarathi Review cadence: Annual + on any vendor change
This register lists every third party that processes, stores, or transmits personal data, payment data, or other Class C3 / C4 information (see the Information Security Policy) on behalf of the Firm in connection with the Veloxis Platform.
It is the §8(2) DPDP-Act-and-Rules record of sub-processors, and is referenced from the Privacy Policy §6 and the AI Usage Disclosure §2.
1. AI providers (data processors under §8 DPDP Act)
| Vendor | Location | Data class processed | Purpose | Retention by vendor | Contract / terms |
|---|---|---|---|---|---|
| Anthropic, PBC | United States | Pseudonymised JSON snapshots + tokenised auditor questions | Smart Check, Ask Tool, AI Advisor, drafting helpers | ≤ 30 days for abuse-detection logs; trust-and-safety material longer where required by law | Anthropic Commercial Terms of Service + Anthropic Usage Policies (paid commercial API tier) |
| Google LLC | United States + global | Pseudonymised JSON snapshots + tokenised auditor questions (when Anthropic is unavailable) | Same | ≤ 24 hours for abuse-detection logs (paid Gemini API tier); trust-and-safety material longer where required by law | Gemini API Terms of Service + Google Cloud Terms (paid tier) |
For both providers, the Firm:
- Uses the paid commercial API tier only (never the free / consumer tier where training-use is permitted).
- Has not opted in to model-training use of API data.
- Pseudonymises personal-identifier content before transmission (see
ai-usage-disclosure.md).
2. Infrastructure providers
| Vendor | Location | Data class | Purpose | Contract / terms |
|---|---|---|---|---|
| Linode (Akamai Technologies, Inc.) | Indian datacentre region (Mumbai) | Class C2-C4 — primary compute + database | Production VM at 103.13.113.43; SSH-key authentication; SOC 2 Type II hosting facility | Linode Terms of Service |
| Cloudflare, Inc. | Global (DNS edge) | Class C2 — DNS records only | Authoritative DNS for veloxis.vkg.co.in. DNS-only mode (grey cloud) — Cloudflare does not terminate TLS or proxy HTTPS traffic. |
Cloudflare Free DNS Terms |
| Cloudflare, Inc. — R2 Object Storage | India region as available; otherwise auto-selected | Class C3 — documents uploaded by users; generated DOCX/XLSX outputs | Document storage; server-side encryption | Cloudflare R2 Terms |
| Let's Encrypt (ISRG) | N/A — root CA only | None | TLS certificates for veloxis.vkg.co.in |
Subscriber Agreement |
3. Identity and operations
| Vendor | Location | Data class | Purpose | Contract / terms |
|---|---|---|---|---|
| GitHub, Inc. (Microsoft Corporation) | United States | Class C2 — source code; no personal-data of clients | Source-code hosting for the Veloxis repository under github.com:kgujarathi/veloxis.git |
GitHub Terms of Service + Microsoft Customer Agreement |
| Sentry (Functional Software Inc.) | United States | Class C3 — error stack traces (PII-redacted at SDK layer) | Error monitoring | Sentry DPA (referenced) |
| Upstash, Inc. | Configured region | Class C3 — ephemeral rate-limit counters; no personal data | Redis-backed rate limiting | Upstash Terms of Service |
4. Payment + financial vendors
The Firm currently operates Veloxis on a single-firm internal basis. No paid customers; no payment processor in scope. If the Firm onboards external customers in future, the payment processor will be added here.
5. Out-of-scope vendors (Firm general operations)
The following vendors are used by the Firm for general operations but do not process Veloxis Platform data:
- VKG & Associates' general accounting software
- VKG & Associates' e-mail provider (Google Workspace) — used for engagement correspondence, not for Veloxis data plumbing
- VKG & Associates' bank, payment, and tax-portal logins
These are governed by the Firm's general data-handling practices and do not interact with this Platform's data plane.
6. Change procedure
A vendor is added to this register only after:
- The Managing Partner reviews the vendor's published privacy + security terms.
- The vendor confirms compliance with the data-handling expectations relevant to the data class (e.g., no training on customer data for AI providers; encryption at rest for storage providers).
- The vendor is added to the register with effective date.
Existing vendors are reviewed annually. Any material adverse change in a vendor's terms (e.g., a change in training-use posture, a change in retention period, a regulatory enforcement against the vendor) triggers an out-of-cycle review and, where necessary, vendor migration.
7. Cross-border transfer note
Anthropic, Google, GitHub, and Sentry process some traffic outside India. The Firm relies on §16 of the DPDP Act, 2023 for the transfer. Sectoral overlays (RBI, SEBI, IRDAI) on the underlying client may prohibit cross-border processing of certain data classes; in such cases the affected feature is disabled at the engagement level (see ai-usage-disclosure.md §10).
8. Sub-processor change notification
When a new vendor is added to §1 or §2 of this register (i.e., one that processes Class C3 / C4 data), the Firm provides notice to data principals through the Platform in-app banner at least thirty days before the new vendor receives data. Where the new vendor is engaged on an emergency basis (e.g., the existing vendor goes down), notice is provided as soon as practicable.
9. Vendor incident notification protocol
If any vendor listed above notifies the Firm of a security or data-protection incident affecting Veloxis data, the Plan owner treats the notification as a Veloxis incident under the Incident Response Plan §3, and the Firm's CERT-In and DPDP reporting timelines apply.