Data Processing Addendum

Last Update: April 2026

This Data Protection Addendum ("Addendum") between Alphastream.ai ("Alphastream.ai") and the Customer (as defined in the Agreement) forms part of the Alphastream.ai Terms and Conditions set forth at https://www.alphastream.ai/terms or such other written or electronic agreement incorporating this Addendum, in each case governing Customer's access to and use of the Services (the "Agreement"). Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with Alphastream.ai.

1. Definitions

In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1
Affiliate means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or Alphastream.ai, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.1.2
Customer Personal Data means any Personal Data provided by or made available by Customer to Alphastream.ai or collected by Alphastream.ai on behalf of Customer which is Processed by Alphastream.ai to perform the Services.
1.1.3
Controller to Processor SCCs means the standard contractual clauses for cross-border transfers published by the European Commission on June 4, 2021, including the EU SCCs, the UK Transfer Addendum adopted by the UK ICO, and any similar clauses adopted by a data protection regulator, including any successor clauses thereto.
1.1.4
Data Protection Laws means any local, state, or national law regarding the processing of Personal Data applicable to Alphastream.ai in the jurisdictions in which the Services are provided to Customer, including, without limitation, privacy, security, and data protection law.
1.1.5
EU Area means the European Union, European Economic Area, United Kingdom, and Switzerland.
1.1.6
EU Area Law means (i) Directive 95/46/EC and, from May 25, 2018, Regulation (EU) 2016/679 ("EU GDPR"); (ii) the Data Protection Act 1998 of the United Kingdom and the UK GDPR; (iii) the Swiss Federal Data Protection Act of 19 June 1992; (iv) any other applicable data protection or privacy law in the EU Area; or (v) any successor or amendments thereto.
1.1.7
Security Incident means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by Alphastream.ai.
1.1.8
Services means the services to be supplied by Alphastream.ai to Customer or Customer's Affiliates pursuant to the Agreement.
1.1.9
Third Country means countries that have not received an adequacy decision from an applicable authority relating to cross-border data transfers of Personal Data, including from the European Commission, UK ICO, or Swiss FDPIC.

The terms "Business", "Business Purpose", "commercial purpose", "Contractor", "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor", "Sell", "Service Provider", "Share", "Subprocessor", "Supervisory Authority", and "Third Party" have the same meanings as described in applicable Data Protection Laws.

2. Scope of Addendum

This Addendum applies to Alphastream.ai's Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This Addendum is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.

2A. US State Privacy Laws

This Section applies to the extent Alphastream.ai Processes Personal Data of residents of US states with applicable privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"), and the Virginia Consumer Data Protection Act ("VCDPA") (collectively, "US State Privacy Laws").

2A.1
Service Provider / Contractor Obligations. For purposes of the CCPA and other applicable US State Privacy Laws, Alphastream.ai acts as a Service Provider or Contractor (as applicable) with respect to Customer Personal Data. Alphastream.ai shall process Customer Personal Data only as instructed by Customer and solely for the Business Purposes set forth in this Addendum and the Agreement. Alphastream.ai shall not: (i) Sell or Share Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties; (iii) combine Customer Personal Data with personal data received from other sources except as permitted under applicable US State Privacy Laws.
2A.2
Consumer Rights. To the extent Customer receives requests from California consumers or residents of other states exercising rights under applicable US State Privacy Laws (including rights of access, deletion, correction, and portability), Alphastream.ai shall provide Customer with reasonable cooperation and assistance to fulfil such requests within the timeframes required by applicable law.
2A.3
Sensitive Personal Information. Alphastream.ai shall not collect, use, or disclose sensitive personal information (as defined under the CCPA) beyond the purposes permitted under applicable US State Privacy Laws without Customer's prior written consent.
2A.4
Notification of Non-Compliance. Alphastream.ai shall notify Customer promptly if it determines it can no longer meet its obligations under applicable US State Privacy Laws. Upon such notice, Customer may take reasonable steps to stop and remediate any unauthorized processing.
2A.5
Cooperation with Regulators. Alphastream.ai shall cooperate with Customer and provide reasonable assistance in responding to any inquiry, investigation, or enforcement action brought by a US state privacy regulator, including the California Privacy Protection Agency.

3. Roles of the Parties

3.1
The Parties acknowledge that with regard to the Processing of Customer Personal Data, Customer acts as a Business or Controller, and Alphastream.ai acts as a Service Provider or Processor. This Addendum shall apply solely to the Processing of Customer Personal Data by Alphastream.ai acting as a Processor, Subprocessor, or Third Party (as specified in Annex 1).
3.2
Customer shall be solely responsible for ensuring timely communications to Customer's Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required under applicable Data Protection Laws.
3.3
Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals, or others relating to any Security Incidents.

4. Description and Purpose of Personal Data Processing

4.1
In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the subject matter and details of the Processing of Customer Personal Data. The Parties may make reasonable amendments to Annex 1 on mutual written agreement as necessary to meet the requirements of Data Protection Laws. Annex 1 does not create any obligation or rights for any Party.
4.2
The purpose of Processing under this Addendum is the provision of the Services pursuant to the Agreement and any Order Form(s).

5. Data Processing Terms

5.1 Customer Obligations

Customer shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum and the Processing of Customer Personal Data. Customer shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Alphastream.ai of Customer Personal Data. Customer warrants that it has a valid lawful basis under Article 6 of the GDPR for each processing activity. Customer agrees not to provide Alphastream.ai with any special categories of personal data as defined in Article 9 of the GDPR.

5.2 Alphastream.ai Obligations

Alphastream.ai shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and shall:

5.2(a)
Process Customer Personal Data solely for the purposes of the Agreement as set out in Annex 1, and otherwise solely on the documented instructions of Customer. Alphastream.ai shall not Sell or Share Customer Personal Data, nor use it outside of its business relationship with Customer or for any commercial purpose, except as required or permitted by law. Alphastream.ai shall immediately inform Customer if it determines it is no longer able to meet its obligations under Data Protection Laws.
5.2(b)
Implement and maintain measures to ensure that Alphastream.ai personnel authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2(c)
Implement and maintain appropriate technical and organizational security measures, including:
  • Pseudonymization and encryption of Customer Personal Data;
  • Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems;
  • Restoring availability and access to Customer Personal Data in a timely manner following an incident;
  • Regularly testing and evaluating the effectiveness of security measures.
5.2(d)
Engage Sub-processors only as authorized, with at least thirty (30) calendar days' advance written notice of any intended changes. Alphastream.ai shall include data protection obligations in contracts with each Sub-processor that are materially the same as those in this Addendum, and shall remain liable for each Sub-processor's performance. Customer may object to new Sub-processors on data protection grounds within thirty (30) days of notice.
5.2(e)
To the extent legally permissible, promptly notify Customer of any legally binding requests for disclosure of Customer Personal Data and maintain a record of all such disclosures.
5.2(f)
Promptly notify Customer of any communication from a Data Subject or Supervisory Authority relating to Customer Personal Data, and reasonably assist Customer in fulfilling obligations under Chapter III of the GDPR.
5.2(g)
Notify Customer of a confirmed Personal Data Breach without undue delay, and in any event within the timeframes required by applicable Data Protection Laws, including all information reasonably required to comply with data breach reporting obligations, including the seventy-two (72) hour deadline to Supervisory Authorities under Article 33 of the GDPR. Such notification is not an acknowledgement of fault or liability by Alphastream.ai.
5.2(h)
Provide reasonable assistance with Customer's obligations pursuant to Articles 32–36 of the GDPR, including Data Protection Impact Assessments and prior consultation requirements.
5.2(i)
Cease Processing Customer Personal Data upon termination or expiry of the Agreement, and within thirty (30) days either return or securely delete all copies of Customer Personal Data and provide written certification, unless retention is required by applicable law.
5.2(j)
Maintain records of all categories of processing activities carried out on behalf of Customer in accordance with Article 30(2) of the GDPR, and make such records available to competent Supervisory Authorities on request.
5.2(k)
Make available all information reasonably necessary to demonstrate compliance with this Addendum and allow for audits, including inspections, by Customer or an independent third-party auditor with reasonable prior notice. Audits shall be conducted no more than once per calendar year under normal circumstances; provided, however, that Customer may conduct additional audits (i) upon the instruction of a competent Supervisory Authority, or (ii) if a Security Incident has occurred involving Customer Personal Data, in each case with reasonable prior written notice.

6. Warranties

The Parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the term of the Agreement.

7. Restricted Transfers

7.1(a)
For Customer Personal Data protected by the EU GDPR, the EU SCCs (Module Two — controller to processor) will apply, governed by Irish law, with disputes resolved before the courts of the Republic of Ireland.
7.1(b)
For Customer Personal Data protected by the Swiss DPA, the EU SCCs apply with modifications to reflect Swiss law, the Swiss FDPIC as the competent supervisory authority, and Swiss courts for dispute resolution.
7.1(c)
For Customer Personal Data protected by the UK GDPR, the EU SCCs apply as modified by the UK Addendum (Part 2: Mandatory Clauses), with conflicts resolved per Sections 10 and 11 of the UK Addendum.
7.1(d)
Alphastream.ai shall process Personal Data using AI and machine learning technologies on AWS infrastructure as described in the Agreement and applicable Order Forms. Such AI processing is limited to the provision of Services. Alphastream.ai shall not use Customer Personal Data to train, fine-tune, or improve any AI or machine learning model without the prior written consent of Customer.
7.2
Alphastream.ai shall not participate in any other Restricted Transfers of Customer Personal Data unless such transfer is in compliance with applicable Data Protection Law and pursuant to the relevant Standard Contractual Clauses.
7.3
Customer should routinely review all international transfers of Personal Data on a case-by-case basis and implement additional safeguards (such as encryption or pseudonymization) to mitigate identified risks.
7.4–7.6
Where a party outside the EEA receives Personal Data, the relevant Transfer Mechanism applies, which may include Standard Contractual Clauses (June 2021), the ICO International Data Transfer Agreement, or the ICO International Data Transfer Addendum. If the Transfer Mechanism is insufficient, the data importer will implement supplementary measures. When required to respond to public authority requests, the data importer will challenge such requests where legally permissible, notify the data exporter, and disclose only the minimum required Personal Data.

8. Precedence

In the event of any inconsistency, provisions take priority in the following order:

  1. Cross-Border Transfer Mechanisms — Standard Contractual Clauses or equivalent measures agreed between the parties
  2. This Addendum
  3. The Agreement

In the event that any provision of this Addendum and/or the Agreement contradicts, directly or indirectly, the Controller to Processor SCCs, the Controller to Processor SCCs will control.

9. Indemnity and Limitation of Liability

9.1
To the extent permissible by law, Customer shall defend Alphastream.ai and its Affiliates from and against any claims, demands, suits, or proceedings brought by any third party, and indemnify and hold harmless the Indemnified Parties from and against any losses, damages, liabilities, fines, penalties, settlements, and costs (including reasonable legal, investigatory, and consultancy fees) arising from any breach by Customer of this Addendum or of its obligations under applicable Data Protection Laws. Alphastream.ai may participate in the defense and/or settlement of a claim with counsel of its choosing at its own expense.
9.2
To the extent permissible by law, Alphastream.ai shall defend Customer and its Affiliates from and against any claims, demands, suits, or proceedings brought by any third party, and indemnify and hold harmless Customer from and against any losses, damages, liabilities, fines, penalties, settlements, and costs (including reasonable legal, investigatory, and consultancy fees) arising from any breach by Alphastream.ai of this Addendum or of its obligations under applicable Data Protection Laws.
9.3
The aggregate liability of either Party to the other under or in connection with this Addendum, whether arising in contract, tort (including negligence), breach of statutory duty, or otherwise, shall be subject to and governed by the limitations of liability set out in the Agreement. Nothing in this Addendum shall limit either Party's liability for fraud, wilful misconduct, or any other liability that cannot be excluded or limited by applicable law.

10. Severability

If any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.

11. Miscellaneous

This Addendum has been designed with the following principles and obligations in mind:

  • Privacy by Design and Default
  • Achieving security of Processing
  • Notification of breaches to the relevant Supervisory Authority within seventy-two (72) hours of becoming aware (Article 33 GDPR)
  • Notification of breaches to Customer without undue delay, and within the timeframes required by applicable Data Protection Laws
  • Conducting Data Protection Impact Assessments (DPIAs) pursuant to Article 35 of the GDPR where Processing is likely to result in high risk to individuals
  • Assurance of Alphastream.ai's assistance if prior consultations with Supervisory Authorities are needed under Article 36 of the GDPR
11.1
Alphastream.ai shall comply with all applicable statutory and regulatory requirements, including ISO 27001:2022, SOC 2 Type 2, and the EU GDPR.
11.2
Alphastream.ai confirms that no temporary files containing Customer Personal Data are generated or retained outside of the processing environment during the provision of the Services.
11.3
This Addendum shall be reviewed and updated at least annually, or sooner if required by changes to applicable Data Protection Laws or Alphastream.ai's processing activities.

12. Data Protection Officer

In accordance with Articles 37–39 of the GDPR, Alphastream.ai has designated a Data Protection Officer ("DPO") responsible for informing and advising Alphastream.ai on GDPR obligations, monitoring compliance, providing advice on DPIAs, and acting as the contact point for Supervisory Authorities.

Prasanna Subramanian

Data Protection Officer — Alphastream.ai

privacy@alphastream.ai

104, W 40th St. 5th Floor, New York, NY 10018, USA

Data Subjects may contact the DPO to exercise their rights under Chapter III of the GDPR, including rights of access, rectification, erasure, restriction of processing, data portability, and the right to object to processing.


Annex 1

Description of Processing Activities for Customer Personal Data

List of Parties

Data Exporter — Controller
Name: Customer (as defined in the Agreement)
Address: As set forth in the relevant Order Form
Contact Person: As set forth in the relevant Order Form
Activities: Recipient of the Services provided by Alphastream.ai in accordance with the Agreement
Role: Controller

Data Importer — Processor
Name: Alphastream.ai
Address: 104, W 40th St. 5th Floor, New York, NY 10018, USA
Contact Person: Prasanna Subramanian, DPO — privacy@alphastream.ai
Activities: Provision of the Services to the Customer in accordance with the Agreement
Role: Processor

Competent Supervisory Authorities

Jurisdiction | Supervisory Authority
EU / EEA | As determined by application of Clause 13 of the EU SCCs
UK | The Information Commissioner's Office (ICO)
Switzerland | The Federal Data Protection and Information Commissioner (FDPIC)

Processing Information

Data Subjects: Customer's authorized users of the Services
Personal Data Transferred: Processed automatically: Names, Email addresses. Processed where provided by Customer in connection with audit services: Address, Date of birth, Past employment details
Sensitive Data: None
Frequency of Transfer: Continuous
Nature of Processing: Provision of Services to Customer. Alphastream.ai receives identifying Customer Personal Data to permit querying, cleansing, standardizing, enriching, and storing query information
Purpose of Transfer: To facilitate the performance of the Services as described in the Agreement and accompanying order forms
Retention Period: As described in the Agreement. Alphastream.ai will delete or return all Customer Personal Data within thirty (30) days of termination unless otherwise required by law
Subprocessor Transfers: As described in the Agreement, Addendum, Annex 2, and accompanying order forms

Technical and Organisational Security Measures

Security Management
Organization: Qualified security personnel responsible for development, implementation and maintenance of the Information Security Program
Policies: Management reviews all security-related policies annually
Assessments: Independent third-party risk assessments at least once annually
Risk Treatment: Penetration testing, vulnerability management and patch management
Standards: ISO/IEC 27001:2022 and SOC 2 Type 2

Personnel Security
Background Checks: Appropriate background checks on employees with access to client data
Confidentiality: Personnel execute confidentiality agreements at hire
Training: Privacy and security training for all personnel; additional role-based requirements for personnel handling Customer Personal Data

Access Controls
Access Management: Formal process for request, review, approval and provisioning of personnel
MFA / SSO: All administrators and end users must authenticate via MFA or SSO
Least Privilege: Systems designed on principles of "least privilege" and "need to know"
Audit Trails: System access is logged for full accountability

Data Centre & Network
Infrastructure: AWS — region(s) as specified in the Agreement and applicable Order Forms
Resiliency: Multi-Availability Zones; regular Backup Restoration Testing
Encryption: HTTPS/TLS for data in transit; encryption for data at rest
Vulnerability Management: Regular scans; Critical, High and Medium patches installed as soon as commercially possible

Annex 2

List of Approved Sub-processors

The following Sub-processors are approved by Customer pursuant to Section 5.2(d) of this Addendum. Alphastream.ai will provide at least thirty (30) days' advance notice of any intended changes to this list.

Sub-processor | Provider | Purpose
Amazon Bedrock (Claude) | Amazon Web Services, Inc. | AI language model inference via AWS Bedrock managed service
Azure OpenAI Service (GPT models) | Microsoft Corporation | AI language model inference for provision of Services
Anthropic API | Anthropic, PBC | AI language model inference via the Anthropic Claude API
Google Gemini | Google LLC | AI language model inference for provision of Services

For questions regarding sub-processors or to receive advance notice of changes, contact the DPO at privacy@alphastream.ai.