Data Processing Addendum
1. Scope and roles
This Data Processing Addendum ("DPA") forms part of the Terms of Service between [Legal Entity Name] ("we", "us", "Processor") and the Customer ("you", "Controller"). It applies to our processing of personal information on your behalf when you use the Alpha service (the "Service").
For purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), we are your "service provider" with respect to personal information processed under the Service, and you are the "business." For purposes of other applicable US state privacy laws that use similar concepts, we act as a "processor" or equivalent role.
2. Processing instructions
We will process personal information only:
- To provide and support the Service as described in the Terms of Service;
- On your documented instructions, including instructions given through your configuration and use of the Service; and
- As required by applicable law, in which case we will inform you of the legal requirement before processing unless that law prohibits notice.
We will not: (a) sell or "share" personal information (as those terms are defined under the CCPA/CPRA); (b) retain, use, or disclose personal information for any purpose other than the business purposes specified in the Terms of Service and this DPA, or as otherwise permitted by the CCPA/CPRA; (c) retain, use, or disclose personal information outside the direct business relationship between you and us; or (d) combine personal information received from you with personal information from another source, except as permitted by the CCPA/CPRA.
3. Confidentiality of personnel
We will ensure that our personnel authorized to process personal information are bound by appropriate obligations of confidentiality.
4. Security
We will implement and maintain appropriate technical and organizational measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, at a minimum:
- Encryption of personal information in transit and at rest;
- Role-based access controls and least-privilege provisioning;
- Logging and monitoring of access to systems that process personal information;
- Vulnerability management and timely application of security patches;
- Network and infrastructure controls implemented through our cloud provider;
- Personnel training on data protection and security; and
- Periodic review of these measures.
5. Sub-processors
You authorize us to engage sub-processors to assist in providing the Service. The current list of sub-processors is described in our Privacy Policy and is also available on request. When we engage a sub-processor, we will:
- Impose data-protection obligations on the sub-processor that are no less protective than those in this DPA;
- Remain responsible to you for the sub-processor's performance of those obligations; and
- Provide notice (which may be by updating our published sub-processor list) of any new sub-processor before authorizing the sub-processor to process personal information. You may object to a new sub-processor on reasonable data-protection grounds; if we cannot reasonably accommodate your objection, you may terminate the Service in accordance with the Terms of Service.
6. Assistance with data-subject requests
Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance — through appropriate technical and organizational measures, and to the extent possible — to help you respond to verifiable requests from individuals exercising their rights under applicable law (such as rights to know, correct, delete, or limit use). Where a request is made directly to us, we will, except where prohibited, advise the individual to direct the request to you.
7. Security incident notification
If we become aware of a personal-data breach affecting personal information we process on your behalf, we will:
- Notify you without undue delay after becoming aware;
- Provide such information as we reasonably have available, including: the nature of the incident, the categories and approximate number of individuals and records affected (to the extent known), the likely consequences, and the measures taken or proposed to address the incident; and
- Reasonably cooperate with you in investigating, mitigating, and (where legally required) notifying the incident.
Our notification is not, and will not be construed as, an acknowledgment of fault or liability.
8. Return or deletion at termination
On termination of the Service, we will, at your choice, return or delete the personal information we process on your behalf, subject to:
- A limited transition period during which exports may be made available;
- Routine backup rotation, which will overwrite residual copies in the ordinary course; and
- Retention required to comply with applicable law.
9. Audit cooperation
On reasonable advance written request, and no more than once per twelve-month period (except where required by applicable law or following a personal-data breach), we will make available the information reasonably necessary to demonstrate compliance with this DPA. We may satisfy this obligation by providing summaries of independent third-party audits, certifications, or security questionnaires.
10. International transfers
The Service is operated from the United States. We do not currently provide the Service to data exporters in jurisdictions whose transfer rules would require Standard Contractual Clauses or equivalent transfer mechanisms. If we do in the future, we will work with you in good faith to put an appropriate transfer mechanism in place.
11. Conflict and order of precedence
To the extent there is a conflict between this DPA and the Terms of Service or the Privacy Policy with respect to the processing of personal information on your behalf, this DPA controls. In all other respects, the Terms of Service and Privacy Policy remain in full force and effect.
12. Changes to this DPA
We may update this DPA from time to time to reflect changes in applicable law, in our practices, or in the Service. When we make material changes, we will update the "Effective" date above and, where appropriate, provide notice through the Service or by email.
13. Contact
[Legal Entity Name]
[Mailing Address]
legal@alpha.example