Data Processing Addendum (DPA)

Last Updated: October 5, 2025

1. Parties and Purpose

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between the customer entity that is a party to the Agreement ("Controller" or "Customer") and Triple Alpha AB ("Processor" or "Aient"). This DPA governs Aient's processing of personal data on behalf of Customer to provide the Services under the Agreement.

2. Definitions

Capitalized terms not defined here have the meanings in the Agreement. "Personal Data" has the meaning set out in GDPR. "Subprocessor" means any third party engaged by Aient to process Personal Data.

3. Roles

Customer is the Controller and Aient is the Processor. Customer instructs Aient to process Personal Data to provide the Services.

4. Processing Details

Subject Matter: Provision of the Services as described in the Agreement.

Duration: Term of the Agreement plus deletion period.

Nature and Purpose: Hosting, storage, analysis (including AI inference), support, billing, and security.

Types of Personal Data: As described in the Privacy Policy (accounts, telemetry that may include identifiers).

Data Subjects: Users authorized by Customer and individuals whose data appears in telemetry or source code.

5. Processor Obligations

Process Personal Data only on documented instructions from Customer.
Ensure personnel confidentiality and training.
Implement appropriate technical and organisational measures (see Security Measures).
Assist Customer with data subject requests and impact assessments where appropriate.
Notify Customer of Personal Data Breaches without undue delay after becoming aware.
Delete or return Personal Data at termination in accordance with the Agreement.
Make information available to demonstrate compliance and allow audits as agreed (with reasonable limits).

6. Subprocessors

Customer authorizes Aient to engage subprocessors listed at /legal/subprocessors. Aient will impose data protection terms on subprocessors consistent with this DPA and remain responsible for their performance. Aient will provide reasonable advance notice of changes to subprocessors on that page.

7. International Transfers

International transfers will be conducted under the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework for certified providers, or an adequacy decision. Where such safeguards do not apply, Customer consents to transfers under Article 49(1)(a).

8. Security Measures

Aient maintains appropriate technical and organisational measures, including encryption in transit (TLS) and at rest (AES-256), access controls, logging and monitoring, regular backups, and vulnerability management. Details are available upon request.

9. Audit

Upon reasonable prior notice and no more than annually, Customer may audit Aient's compliance with this DPA via independent audit reports, questionnaires, or on-site visits coordinated to minimize disruption. Audits are subject to confidentiality and reimbursement of Aient's reasonable costs for on-site efforts.

10. Term and Termination

This DPA terminates automatically upon termination of the Agreement. Sections intended to survive (confidentiality, audits, international transfers) will survive as applicable.