This DPA governs AlphaClone's processing of personal data on behalf of business customers in compliance with GDPR, POPIA, and applicable data protection law.

Who this applies to: This DPA applies to all paying AlphaClone customers who process personal data of their own customers, employees, or contacts through the AlphaClone platform. It forms part of and is incorporated into the AlphaClone Terms of Service.

1. Roles & Responsibilities

Customer (Data Controller)

The business or individual subscribing to AlphaClone. The Controller determines the purposes and means of processing personal data of their clients, contacts, and team members. The Controller is responsible for ensuring their instructions to AlphaClone are lawful.

AlphaClone Systems LLC (Data Processor)

AlphaClone processes personal data only on behalf of and according to the documented instructions of the Controller. AlphaClone acts as a Controller only for its own account administration data (billing, authentication).

2. Processing Details

Subject Matter	Operation of the AlphaClone Business OS on behalf of the Customer
Duration	For the term of the subscription and post-termination retention period (90 days)
Nature	Storage, retrieval, display, transmission, and deletion of personal data
Purpose	To provide CRM, billing, contract, project management, and communication features to the Customer
Categories of Data	Names, email addresses, phone numbers, company info, financial records, contract data, correspondence
Data Subjects	Customer's clients, leads, employees, team members, and contractors

3. AlphaClone's Obligations as Processor

Process personal data only on documented instructions from the Customer, including transfers to third countries
Ensure that all staff authorised to process personal data are bound by appropriate confidentiality obligations
Implement appropriate technical and organisational security measures (see Section 6 of our Privacy Policy)
Assist the Customer in responding to data subject rights requests (access, erasure, portability)
Assist the Customer in meeting GDPR obligations regarding security, breach notification, DPIAs, and prior consultation
Delete or return all personal data to the Customer on termination of the service, at the Customer's choice
Make available all information necessary to demonstrate compliance with this DPA
Notify the Customer without undue delay (and within 72 hours where possible) upon becoming aware of a personal data breach

4. Sub-processors

AlphaClone uses the following authorised sub-processors. All sub-processors are bound by data processing agreements no less protective than this DPA. The Customer grants general authorisation for AlphaClone to use these sub-processors.

Sub-processor	Purpose	Location	Safeguard
Supabase, Inc.	Database & authentication	US (AWS us-east-1)	SCCs + DPA
Stripe, Inc.	Payment processing	US	SCCs + DPA
Cloudflare, Inc.	CDN, DDoS, bot protection	Global (US HQ)	SCCs + DPA
Vercel, Inc.	Application hosting	US (AWS)	SCCs + DPA
Resend / SendGrid	Transactional email	US	SCCs + DPA
Sentry, Inc.	Error monitoring	US	SCCs + DPA

AlphaClone will notify the Customer of any intended addition or replacement of sub-processors by updating this DPA and sending an email notification at least 14 days before the change takes effect. The Customer may object to a new sub-processor in writing within 14 days.

5. International Data Transfers

Where personal data is transferred from the EEA, UK, or Switzerland to countries not recognised as providing adequate protection (including the United States), AlphaClone relies on the following safeguards:

Standard Contractual Clauses (SCCs) — EU Commission Decision 2021/914, Module 2 (Controller to Processor)
UK International Data Transfer Addendum (IDTA) for transfers from the UK
Binding Corporate Rules where applicable

Copies of the applicable SCCs are available on request from [email protected].

6. Audit Rights

AlphaClone shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA. The Customer may conduct an audit (or commission a third-party auditor) of AlphaClone's data processing activities, subject to:

Giving at least 30 days' written notice to [email protected]
Audits being conducted during normal business hours and no more than once per calendar year
The auditor executing a non-disclosure agreement acceptable to AlphaClone
The Customer bearing all costs of the audit

7. Personal Data Breach Notification

Upon becoming aware of a personal data breach affecting data processed under this DPA, AlphaClone will:

Notify the Customer without undue delay, and where feasible within 72 hours of becoming aware
Provide the Customer with: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed to address the breach
Assist the Customer in notifying the relevant supervisory authority and affected data subjects as required

8. Data Deletion & Return

Upon termination or expiry of the subscription, AlphaClone will, at the Customer's election:

Return all personal data to the Customer in CSV/JSON format within 30 days of a written request
Securely delete all personal data within 90 days of account deletion
Provide written confirmation of deletion upon request
Backup snapshots containing personal data are purged within 30 days of account deletion

9. Contact & DPA Requests

To request a signed copy of this DPA, or for any data processing queries:

Privacy & DPA: [email protected]

Legal: [email protected]

Data Processing Agreement (DPA)