
Data Processing Addendum (DPA)

Last updated: July 1, 2026

This DPA is a contract template to be attached to or adapted within customer agreements. It should be reviewed by legal counsel before signature with large enterprises, regulated entities or public-sector customers.

1. Parties and roles

This DPA governs personal data processing performed by ALAMIA, registered under 942 819 400 R.C.S. Paris, registered office 60 rue François 1er, 75008 Paris, France. The customer acts as controller where it determines the purposes and means of processing for its users, audits, tickets, documents, obligations, sites, evidence and workflows. ALAMIA acts as processor where it processes personal data on the customer's documented instructions.

2. Subject matter

The DPA defines how ALAMIA processes personal data for the customer in connection with SaaS, AI, compliance, regulatory intelligence, QHSE, support, integration and automation services.

3. Processing activities

Processing may include hosting, user/account management, document and ticket processing, extraction, classification, summarization, AI-assisted workflows, technical support, security logging, monitoring, backups and continuity operations.

4. Categories of data

Data may include professional identity/contact data, roles, permissions, activity history, customer-provided content, tickets, comments, files, audit evidence, technical logs and usage metadata. Sensitive data should only be processed where expressly covered by the applicable agreement, configuration and security measures.

5. Subprocessors

Declared subprocessors: Microsoft (Microsoft Azure, hosting, cloud infrastructure, security and related services — under applicable Microsoft contracts and DPA) and Google (professional productivity, email, collaboration or cloud services where used — under applicable Google contracts and DPA). ALAMIA will inform customers of material subprocessor changes where required by the contract.

6. Security

ALAMIA implements measures appropriate to the risk, including access controls, authentication, environment separation, logging, backups, access restrictions, incident management, cloud hosting controls, subprocessor controls and human review for critical AI-assisted outputs.

7. International transfers

Where processing involves transfers outside the EEA, ALAMIA relies on available contractual and organizational safeguards, including data processing agreements, standard contractual clauses, provider security commitments, regional configuration and access restrictions as applicable.

8. Data subject requests and assistance

ALAMIA will reasonably assist the customer in responding to data subject requests, managing security incidents, documenting processing and supporting DPIAs where applicable.

9. Breach notification

ALAMIA will notify the customer without undue delay after becoming aware of a personal data breach affecting customer data, with reasonably available information about the nature of the incident, affected data, measures taken and recommended next steps.

10. Return or deletion

At contract end, ALAMIA will delete, return or archive data according to customer instructions, technical constraints and applicable legal/contractual obligations.

11. AI and no-training

ALAMIA does not use customer data to train shared AI models without explicit written customer authorization. For critical workflows, ALAMIA follows a human-in-the-loop principle: AI assists, controls validate, people remain accountable.
