Data Processing Addendum (DPA)
Last updated: July 1, 2026
This DPA is a contract template to be attached to or adapted within customer agreements. It should be reviewed by legal counsel before signature with large enterprises, regulated entities or public-sector customers.
1. Parties and roles
This DPA governs personal data processing performed by ALAMIA, registered under 942 819 400 R.C.S. Paris, registered office 60 rue François 1er, 75008 Paris, France. The customer acts as controller where it determines the purposes and means of processing for its users, audits, tickets, documents, obligations, sites, evidence and workflows. ALAMIA acts as processor where it processes personal data on the customer's documented instructions.
2. Subject matter
The DPA defines how ALAMIA processes personal data for the customer in connection with SaaS, AI, compliance, regulatory intelligence, QHSE, support, integration and automation services.
3. Processing activities
Processing may include hosting, user/account management, document and ticket processing, extraction, classification, summarization, AI-assisted workflows, technical support, security logging, monitoring, backups and continuity operations.
4. Categories of data
Data may include professional identity/contact data, roles, permissions, activity history, customer-provided content, tickets, comments, files, audit evidence, technical logs and usage metadata. Sensitive data should only be processed where expressly covered by the applicable agreement, configuration and security measures.
5. Subprocessors
Declared subprocessors: Microsoft (Microsoft Azure, hosting, cloud infrastructure, security and related services — under applicable Microsoft contracts and DPA) and Google (professional productivity, email, collaboration or cloud services where used — under applicable Google contracts and DPA). ALAMIA will inform customers of material subprocessor changes where required by the contract.
6. Security
ALAMIA implements measures appropriate to the risk, including access controls, authentication, environment separation, logging, backups, access restrictions, incident management, cloud hosting controls, subprocessor controls and human review for critical AI-assisted outputs.
7. International transfers
Where processing involves transfers outside the EEA, ALAMIA relies on available contractual and organizational safeguards, including data processing agreements, standard contractual clauses, provider security commitments, regional configuration and access restrictions as applicable.
8. Data subject requests and assistance
ALAMIA will reasonably assist the customer in responding to data subject requests, managing security incidents, documenting processing and supporting DPIAs where applicable.
9. Breach notification
ALAMIA will notify the customer without undue delay after becoming aware of a personal data breach affecting customer data, with reasonably available information about the nature of the incident, affected data, measures taken and recommended next steps.
10. Return or deletion
At contract end, ALAMIA will delete, return or archive data according to customer instructions, technical constraints and applicable legal/contractual obligations.
11. AI and no-training
ALAMIA does not use customer data to train shared AI models without explicit written customer authorization. For critical workflows, ALAMIA follows a human-in-the-loop principle: AI assists, controls validate, people remain accountable.
