Data Processing Addendum
This Data Processing Addendum (“Addendum”) forms part of, and is incorporated into, the agreement (the “Agreement”) between Alguna Inc., a Delaware corporation, or its Affiliate contracting entity (“Alguna”) and the counterparty to the Agreement (“Customer”).
This Addendum applies to Alguna’s Processing of Personal Data under the Agreement. In case of conflict between this Addendum and the Agreement, this Addendum will prevail with respect to Processing of Personal Data.
1. Definitions
Unless otherwise defined in this Addendum, capitalized terms have the meaning given in the Agreement.
- Affiliate – Any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where “control” means ownership of more than 50% of the voting interests.
- Applicable Data Protection Laws – All applicable privacy and data protection laws, including GDPR, the UK Data Protection Act 2018, UK GDPR, and the CCPA, each as amended or replaced.
- Controller – The entity which determines the purposes and means of Processing Personal Data.
- Contact Data – Personal Data that Alguna Processes as a Controller, such as account, billing, and support contact information.
- Customer Personal Data – Personal Data Processed by Alguna on behalf of Customer under the Agreement.
- Data Subject – An identified or identifiable natural person, including similar defined terms under Applicable Data Protection Laws (e.g., “consumer” under CCPA).
- Processing – Any operation performed on Personal Data, whether by automated means, including collection, storage, use, disclosure, or deletion.
- Personal Data – Any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.
- Security Incident – Any confirmed unauthorized or unlawful access, loss, disclosure, alteration, or destruction of Customer Personal Data. Unsuccessful attempts (e.g., failed logins, port scans, denial-of-service attacks) are excluded.
- Service-Generated Data – Usage data and metadata generated through Customer’s use of the Services. To the extent it constitutes Personal Data, Alguna is the Controller.
- Services – The services provided by Alguna to Customer under the Agreement.
- Subprocessor – Any third party engaged by Alguna to Process Customer Personal Data in connection with the Services.
2. General
- This Addendum supplements the Agreement; all other provisions remain in force.
- Any liabilities under this Addendum are subject to the limitations of liability in the Agreement.
- This Addendum is governed by the Agreement’s governing law and jurisdiction, unless required otherwise by Applicable Data Protection Laws.
- This Addendum remains in effect until deletion of Customer Personal Data in accordance with Section 8.
3. Roles of the Parties
- Customer as Controller. Customer is the Controller of Customer Personal Data and is responsible for ensuring a lawful basis for Processing and for obtaining all necessary consents.
- Alguna as Processor. With respect to Customer Personal Data, Alguna acts as Processor and shall Process such data only on documented instructions from Customer (Exhibit A).
- Alguna as Controller. With respect to Contact Data and Service-Generated Data, Alguna acts as Controller and Processes such data in accordance with its Privacy Policy.
4. Processor Obligations
Alguna shall:
- Process Customer Personal Data only on documented instructions of Customer, unless required by law.
- Ensure personnel authorized to Process Customer Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures (“TOMs”) to ensure a level of security appropriate to risk, including:
  - Encryption of Personal Data at rest and in transit.
  - Access controls, role-based permissions, and audit logging.
  - Resilience and recovery measures (backups, disaster recovery).
  - Regular security testing and monitoring.
- Assist Customer, to the extent reasonable, with obligations under GDPR Articles 32–36, including data protection impact assessments and breach notifications.
- Make available to Customer all information necessary to demonstrate compliance and allow audits under Section 7.
5. Subprocessing
- Customer provides a general authorization for Alguna to appoint Subprocessors.
- Current Subprocessors are listed in Exhibit B.
- Alguna shall notify Customer of any new Subprocessor at least 30 days before engagement. Customer may object on reasonable grounds. If unresolved, Customer may terminate the impacted Services and receive a pro-rata refund.
- Alguna will ensure Subprocessors are bound by materially equivalent obligations. Alguna remains responsible for their performance.
- Where Subprocessor access involves international transfers, Alguna is authorized to enter into appropriate transfer mechanisms (e.g., Standard Contractual Clauses) on Customer’s behalf.
6. Breach Notification
- Alguna shall notify Customer without undue delay and in any event no later than 48 hours after becoming aware of a Security Incident.
- Notification shall include:
  - The nature of the breach (categories and approximate numbers of affected Data Subjects and records).
  - Contact details of Alguna’s data protection contact.
  - Likely consequences of the breach.
  - Measures taken or proposed to mitigate the breach.
- Alguna shall provide updates as more information becomes available.
7. Audits
- Customer may audit Alguna’s compliance with this Addendum, subject to:
  - Reasonable advance written notice.
  - Audits during normal business hours, minimizing disruption.
  - No access to other customers’ data or Alguna’s confidential information.
  - Any third-party auditor being bound by confidentiality.
  - Customer bearing its own costs and reimbursing Alguna’s reasonable expenses.
8. Data Return and Deletion
Upon termination or expiration of the Agreement, Alguna shall delete or return Customer Personal Data (at Customer’s option), unless retention is required by law.
Exhibit A – Processing Details
- Purpose: Provision of pricing, billing, and invoicing services to Customer.
- Nature of Processing: Collection, storage, retrieval, use, modification, hosting, deletion.
- Duration: For the term of the Agreement, unless earlier deletion requested.
- Types of Personal Data:
  - Customer employees: name, email, job title, login data, device/IP identifiers.
  - End-customers: billing contact details as provided by Customer.
- Data Subjects: Customer’s employees and end-customers of Customer.
- Special Categories: None.
- Technical & Organizational Measures: Encryption, access controls, monitoring, backups, disaster recovery, security testing.
Exhibit B – Subprocessors
Infrastructure:
- Amazon Web Services – Cloud hosting (EU)
- Encore – Cloud hosting (EU)
- ClickHouse – Usage metering data warehouse (EU)
Customer Data Services:
- Axiom – Log management (EU)
- Clerk – Authentication (US)
- Vercel – Dashboard hosting (Global)
- Posthog – Analytics (EU & US)
- Postmark – Transactional email (US)
Support & Internal Tools:
- BetterUptime – Monitoring & status page (US)
- Google Workspace – Email & storage (EU & US)
- Slack – Customer support (EU & US)
Signature
If Customer wishes to execute this DPA, please email [email protected] with your request. Alguna will provide a countersignature copy for your records.
For Alguna Inc. (or its Affiliate contracting entity):
Signature: ______________________
Name:
Title:
Date:
For Customer:
Signature: ______________________
Name:
Title:
Date: