Data Processing Agreement

Last updated: 17 April 2026 · Version 2026.04.17

This Data Processing Agreement ("DPA") forms part of, and is subject to, the agreement between Alpomi Ltd ("Alpomi", "we", "us" — Processor) and the customer named in that agreement ("Customer" — Controller) for the provision of the Alpomi platform (the "Service"). It takes effect from the effective date of the underlying subscription or order form. If there is any conflict between this DPA and the underlying agreement, this DPA prevails on matters of data protection.

This DPA is written to satisfy the requirements of Article 28 of the UK GDPR and EU GDPR. It incorporates (a) the UK International Data Transfer Addendum to the EU Commission SCCs ("UK Addendum"), and (b) the 2021 EU Standard Contractual Clauses ("SCCs"), Modules Two and Three, which are incorporated by reference where applicable.

If you wish to have a signed copy countersigned by an authorised Alpomi signatory, email privacy@alpomi.com with your company name, registered address and the email address of your authorised signer. We will return a countersigned PDF within five business days.

1. Definitions

  • "Applicable Data Protection Law" means the UK GDPR, the EU GDPR, the UK Data Protection Act 2018, and any successor or equivalent law applicable to the processing.
  • "Customer Personal Data" means any Personal Data within the Customer Data (as defined in the underlying agreement) processed by Alpomi on behalf of the Customer.
  • "Data Subject", "Personal Data", "Processing", "Processor", "Controller", "Sub-processor" and "Supervisory Authority" have the meanings given in Applicable Data Protection Law.
  • "Restricted Transfer" means a transfer of Customer Personal Data from the UK or EEA to a country that does not benefit from an adequacy decision.
  • "Security Incident" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
  • "Sub-processors" are listed at alpomi.com/sub-processors.

2. Roles

The parties acknowledge that, for the purpose of this DPA, the Customer is the Controller and Alpomi is the Processor of Customer Personal Data. Where the Customer acts as processor for a third party (e.g. an agency managing data on behalf of its own clients), Alpomi is a Sub-processor, and this DPA will apply as if references to "Customer" are to the third-party controller.

3. Scope and Instructions

Alpomi will process Customer Personal Data only on the Customer's documented instructions and only to:

  • provide, secure, maintain and improve the Service;
  • enable Customer to compute analytics, attribution, AI recommendations and reports;
  • perform any service described in an applicable order form or product documentation;
  • comply with a legal obligation applicable to Alpomi (with notice to the Customer unless prohibited).

Use of the Service in accordance with the underlying agreement constitutes documented instructions. Alpomi will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

4. Details of Processing (Annex I to the SCCs)

| Item | Description |
| --- | --- |
| Subject matter | Processing of Customer Personal Data to provide the Alpomi business-intelligence Service. |
| Duration | For the term of the Customer's subscription and any post-termination deletion window (up to 30 days). |
| Nature and purpose | Ingestion, storage, cross-referencing, aggregation, automated analysis (including machine learning), reporting and presentation. |
| Categories of Data Subject | Customer's staff and end-users, Customer's own customers and prospects (where Customer uploads / connects such data). |
| Categories of Personal Data | Contact details (name, email, role), company information, online identifiers (cookies, device IDs), commercial data (orders, transactions), advertising-account data, analytics events, IP addresses, pixel events, content submitted to AI features. |
| Special-category / criminal-convictions data | The Service is not designed to process Article 9 special-category or Article 10 criminal-convictions data. Customer must not upload such data without Alpomi's prior written agreement. |
| Frequency of transfer | Continuous during the term. |
| Retention | Duration of the subscription + up to 30 days for deletion and backup rotation. Backup immutability periods may extend this for specific backup volumes. |
| Competent supervisory authority | UK Information Commissioner's Office for UK SCCs / IDTA; the lead EEA supervisory authority of the Customer for EU SCCs where Customer is in the EEA. |

5. Confidentiality

Alpomi will ensure that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory) and are trained on data-protection and security responsibilities.

6. Security (Annex II to the SCCs)

Alpomi will implement and maintain the technical and organisational measures set out below, designed to provide a level of security appropriate to the risk:

  • Encryption of Customer Personal Data in transit (TLS 1.2+) and at rest (AES-256 at the database layer).
  • Row-level security in Postgres isolating each Customer's data by company identifier.
  • Role-based access control with principle of least privilege; production access limited to authorised engineers.
  • Multi-factor authentication on administrative consoles (database, hosting, source control, sub-processor management).
  • Centralised secrets management for API keys and OAuth tokens with automatic rotation where supported.
  • Continuous dependency and platform patching with a formal backlog for advisory items.
  • Audit logging of security-relevant events, retained for at least 12 months.
  • Backup and recovery procedures with tested restore capability.
  • Periodic internal security reviews, dependency scanning, and architecture reviews before material releases.
  • Formal incident-response runbook covering detection, triage, notification and post-incident review.
  • Sub-processor selection weighted towards providers holding SOC 2 Type II or ISO 27001 certification.

7. Sub-processors

The Customer grants Alpomi a general authorisation to engage Sub-processors, subject to the safeguards in this clause.

  • Alpomi maintains a current list of Sub-processors at alpomi.com/sub-processors.
  • Alpomi will notify the Customer of any intended addition or replacement of a Sub-processor at least 30 days in advance by updating that list and (if the Customer has subscribed to notifications) by email.
  • Within 14 days of notification, the Customer may object on reasonable and legitimate data-protection grounds. The parties will discuss in good faith; if no resolution is found, the Customer may terminate the affected part of the Service and receive a pro-rata refund of any prepaid fees.
  • Alpomi will impose on each Sub-processor data-protection obligations substantially similar to those set out in this DPA, via a written contract.
  • Alpomi remains fully liable to the Customer for the performance of each Sub-processor's obligations.

8. International Transfers

Where a Restricted Transfer is necessary, Alpomi relies on one or more of the following:

  • UK or EU adequacy decisions for the destination country;
  • the EU SCCs (2021), Module Two (controller-to-processor) or Module Three (processor-to-processor), as applicable, which are incorporated into this DPA by reference and completed as follows: data-exporter = Customer, data-importer = Alpomi (or its relevant affiliate or Sub-processor), Annex I.A populated from the order form, Annex I.B from Section 4 above, Annex II from Section 6 above, Annex III from the Sub-processor list; Clause 7 (docking clause) included; Clause 9 option (a) "specific authorisation" selected at 30 days' notice; Clause 11(a) optional redress not used; Clause 13(a) competent authority as in Section 4; Clause 17 governed by Irish law; Clause 18 jurisdiction in Ireland;
  • the UK International Data Transfer Addendum (version B1.0) attaching the EU SCCs as incorporated above, with Tables 1-4 completed consistently;
  • the EU–U.S. Data Privacy Framework and its UK Extension, where a Sub-processor is certified.

Alpomi will assist the Customer, on reasonable request, to complete transfer-impact assessments for specific Sub-processors.

9. Assistance to Customer

Taking into account the nature of processing and the information available, Alpomi will assist the Customer:

  • in responding to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, objection, withdrawal of consent);
  • in fulfilling the Customer's obligations under Articles 32-36 of the UK/EU GDPR (security, breach notification, DPIAs, prior consultation).

Where a Data Subject contacts Alpomi directly in relation to Customer Personal Data, Alpomi will (unless legally prohibited) forward the request to the Customer without undue delay and will not respond directly except to acknowledge receipt.

10. Security Incident Notification

Alpomi will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of a Security Incident affecting Customer Personal Data. The notification will include, to the extent known, the nature of the incident, the categories and approximate number of Data Subjects and records concerned, the likely consequences and the measures taken or proposed. Alpomi will keep the Customer informed of material developments.

11. Audit Rights

Alpomi will make available to the Customer on reasonable request information necessary to demonstrate compliance with this DPA, including Sub-processor due-diligence summaries and current SOC 2 / ISO 27001 reports held by Sub-processors where those reports are available to Alpomi.

The Customer may, no more than once per year (unless a material Security Incident justifies an additional audit), request an audit on 30 days' written notice, conducted by the Customer or a mutually agreed third-party auditor who is not a competitor of Alpomi and is bound by confidentiality. Audits must take place during business hours and must not unreasonably interfere with Alpomi's operations. The Customer bears its own audit costs; Alpomi may charge a reasonable fee for time spent supporting the audit.

12. Return and Deletion

On termination of the Service, Alpomi will, at the Customer's choice expressed within 30 days of termination, either return all Customer Personal Data in a commonly used format (via API export or a downloadable archive) or permanently delete it, and delete any existing copies (subject to legal retention obligations).

Backup copies will be rotated out within the standard backup-retention window (up to 30 days). Alpomi will certify deletion on written request.

13. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, under statute or otherwise, is subject to the limitations of liability set out in the underlying agreement. Nothing in this clause limits any liability that cannot be excluded under Applicable Data Protection Law (including liability to Data Subjects under Article 82 of the UK/EU GDPR).

14. General

  • Order of precedence: in the event of a conflict between this DPA and the SCCs / UK Addendum incorporated into it, the SCCs / UK Addendum prevail on data-protection matters.
  • Changes: Alpomi may update this DPA as reasonably required by changes in Applicable Data Protection Law or guidance from Supervisory Authorities. Material changes will be notified 30 days in advance.
  • Governing law and jurisdiction: as set out in the underlying agreement, except that the SCCs are governed by Irish law and the UK Addendum by the laws of England and Wales.
  • Severability: if any provision is found unenforceable, it is modified to the minimum extent necessary and the remainder continues in full force.

15. Contact

Privacy enquiries and DPA countersignature requests: privacy@alpomi.com.

Alpomi Ltd
3 Centenary Sq, Birmingham B1 2DR, United Kingdom


By clicking through to accept our Terms of Service, subscribing to the Service, or otherwise using the Platform, the Customer accepts this DPA. A countersigned PDF is available on request and is functionally equivalent to click-through acceptance for the purposes of Article 28(9) of the UK/EU GDPR.