Data Processing Addendum
Effective Date: May 8, 2026
This Data Processing Addendum ("DPA") is incorporated into the Alta Terms of Service (the "Agreement") between Apex Aspire LLC d/b/a Alta ("Alta" / "Processor") and the operator subscribing to the Service ("Operator" / "Controller"). This DPA applies whenever Alta processes Personal Data (as defined below) on behalf of the Operator. In the event of any conflict, this DPA governs the Personal-Data processing relationship; the Agreement otherwise prevails.
1. Definitions
- Applicable Law — every data-protection or privacy law applicable to the parties' processing under this DPA, including the GDPR, the UK GDPR, the Swiss FADP, the CCPA (as amended by CPRA), and any other US state privacy laws.
- Personal Data — any information relating to an identified or identifiable natural person processed by Alta on behalf of the Operator under the Agreement.
- Sensitive Personal Data — Personal Data categories defined as "special category" / "sensitive" under Applicable Law (race, religion, health, biometric, geolocation, children, etc.). The parties agree Sensitive Personal Data must not be processed through the Service.
- Sub-processor — any third party engaged by Alta to process Personal Data on behalf of the Operator.
- SCCs — the Standard Contractual Clauses (Commission Decision 2021/914 of 4 June 2021), Module 2 (Controller→Processor).
- UK Addendum — the International Data Transfer Addendum issued by the UK Information Commissioner's Office, version B.1.0.
2. Scope, roles, and instructions
- The Operator is the Controller of Personal Data processed via the Service; Alta is the Processor.
- Alta processes Personal Data only on the Operator's documented instructions, which include (a) the Agreement, (b) this DPA, and (c) the Operator's use of the Service's configuration and admin controls.
- Alta will inform the Operator if it believes an instruction violates Applicable Law (without obligation to assess legality comprehensively).
The subject-matter, nature, purpose, duration, categories of data, and categories of data subjects are described in Annex I.
3. Confidentiality
Alta ensures that its personnel authorised to process Personal Data are subject to written confidentiality obligations or are under an appropriate statutory duty of confidentiality.
4. Security measures
Alta implements the technical and organisational measures described in Annex II, which include encryption in transit and at rest, role-based access controls, audit logging, vulnerability management, backup and disaster recovery, and personnel training. Alta will maintain a written information-security program reasonably designed to protect Personal Data against unauthorised access, disclosure, alteration, or destruction.
5. Sub-processing
The Operator generally authorises Alta to engage Sub-processors, provided that:
- Alta will maintain a current list of Sub-processors at
getalta.ai/legal/subprocessorsand notify the Operator at least 30 days in advance of adding or replacing one (via email and an in-product banner). - The Operator may object on reasonable data-protection grounds within that 30-day window. If the parties cannot resolve the objection within 30 additional days, the Operator may terminate the affected portion of the Service for convenience.
- Alta binds each Sub-processor by a written agreement containing data-protection obligations no less protective than this DPA.
- Alta remains liable for its Sub-processors' acts and omissions.
Current Sub-processors include AWS (hosting), Stripe (payments), Twilio (telephony), SendGrid (email), Sentry (errors), and selected LLM providers under their enterprise data-protection terms.
6. Data-subject rights
Taking into account the nature of the processing, Alta provides reasonable assistance to the Operator (through technical features in the dashboard or, where not available, through manual support) to respond to data-subject requests for access, rectification, erasure, restriction, portability, and objection.
7. Personal-data breach notification
Alta will notify the Operator without undue delay, and in any case within 72 hours, of any confirmed Personal-Data Breach. The notification will describe (a) the nature of the breach, (b) the likely consequences, and (c) the measures taken or proposed to address it. Alta will cooperate with the Operator's investigation and notification efforts to the extent reasonably required.
8. Cross-border transfers
Where Alta transfers Personal Data outside the EEA, UK, or Switzerland to a country that does not provide an adequate level of protection, the SCCs (Module 2) apply, supplemented by the UK Addendum for UK data and by the Swiss data-protection-equivalent adaptations for Swiss data. The selections under the SCCs are:
| Clause | Selection |
|---|---|
| Clause 7 — Docking clause | Applicable |
| Clause 9 — Sub-processors | Option 2 (general written authorisation; 30-day) |
| Clause 11 — Redress | Independent dispute-resolution body not included |
| Clause 17 — Governing law | Republic of Ireland |
| Clause 18 — Jurisdiction | Republic of Ireland |
| Annex I, II, III | Annexes I and II of this DPA; III lists current Sub-processors |
9. Audits
Alta will make available to the Operator the information needed to demonstrate compliance with this DPA, including its most recent SOC 2 Type II report (under NDA). No more than once per 12-month period (or as required by a Supervisory Authority), the Operator may, on 30 days' prior written notice, conduct an audit limited to the systems and personnel relevant to the processing, during normal business hours, in a manner that does not unreasonably interfere with Alta's operations. The Operator will bear the costs of any audit it requests.
10. Return / deletion of Personal Data
Within 90 days after termination of the Agreement, Alta will, at the Operator's choice, delete or return all Personal Data, except where Applicable Law requires retention. Alta will provide written certification of deletion on request.
11. Limitation of liability
Each party's liability under this DPA is subject to the limitation- of-liability provisions of the Agreement.
12. Order of precedence
If any conflict exists between the SCCs and this DPA or the Agreement, the SCCs prevail with respect to the personal data they govern. Otherwise this DPA prevails for personal-data processing, and the Agreement prevails for all other matters.
Annex I — Description of processing
- Subject-matter: Provision of the Service under the Agreement.
- Nature & purpose: AI-powered customer-communication, scheduling, marketing, and analytics for local service businesses.
- Duration: For the term of the Agreement plus the retention periods set out in the Privacy Policy.
- Categories of data subjects: Operator personnel, Consumers (end-customers of the Operator's business).
- Categories of Personal Data: Contact data, conversation content (SMS, voice transcripts, email), appointment data, service history, device & log data.
Annex II — Technical & organisational measures
See docs/security/security_overview.md for the canonical list.
Summary: TLS 1.2+ in transit, AES-256 at rest, HSM-backed secrets,
role-based access controls, MFA on all admin accounts, quarterly
penetration tests, annual SOC 2 Type II audit, 24×7 monitoring,
incident-response runbook, business-continuity plan, secure
software-development lifecycle.
Annex III — Sub-processors
The current Sub-processor list is maintained at
getalta.ai/legal/subprocessors. This list is incorporated by
reference and updated per Section 5.
This document is a template intended for review by qualified legal counsel before publication.