Data Processing Agreement
Effective 15 May 2026
This Data Processing Agreement (the “DPA”) forms part of the master agreement between Aletis B.V. (in oprichting), with its operating office in Eindhoven, the Netherlands (“Aletis”, “Processor”), and the Customer entity identified in the applicable order form (the “Customer”, “Controller”). It governs the processing of personal data carried out by Aletis on the Customer's behalf in connection with the platform described in the Terms of service and supplements those Terms.
1. Definitions
Capitalised terms not defined in this DPA have the meanings given to them in the GDPR (Regulation (EU) 2016/679) and the UK GDPR. “Customer Personal Data” means personal data that Aletis processes on behalf of the Customer in providing the platform. “EU SCCs” means the European Commission's Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (controller to processor). “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner.
2. Roles, subject matter and duration
The Customer is the Controller and Aletis is the Processor in respect of all Customer Personal Data processed under the master agreement. Aletis processes Customer Personal Data only for the purpose of providing the platform and only on the documented instructions of the Customer, including with regard to transfers of Customer Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which Aletis is subject. Processing continues for the term of the master agreement and ceases when the Tenant is archived following termination, typically within 30 calendar days of termination notice.
3. Nature and purpose of processing
The platform (a) authenticates end users via Google Identity; (b) stores prompts, the CLAUDE.md instruction file, and files attached for automation runs in the Customer's dedicated Tenant; (c) invokes Anthropic's Claude model against that content on the end user's request; (d) writes an audit log of identified user actions; and (e) writes operational logs and traces from which e-mail addresses are removed outside the audit log. No marketing, profiling, behavioural advertising, or model-training processing of Customer Personal Data takes place.
4. Categories of data and data subjects
Data subjects: the Customer's end users and any natural persons whose personal data those end users include in their prompts, automations, or uploaded files.
Categories of personal data: identification data (e-mail address, display name); session metadata (IP address, user-agent, session lifetimes); content data (prompts, files, automation outputs); audit data (sign-in attempts, actions taken in the product, IP / user-agent at sign-in). Aletis does not knowingly process special-category data (Article 9 GDPR) and asks Customers not to upload such data; if they do, the Customer remains responsible for ensuring an Article 9 lawful basis exists.
5. Customer instructions
The Customer's instructions to Aletis as Processor are (a) to provide the platform described in the master agreement, (b) to enable the platform's documented configuration options exercised by the Customer's administrator, and (c) any other written instruction provided by the Customer's administrator to ask.aletis@gmail.com. Aletis will inform the Customer immediately if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.
6. Confidentiality
Aletis ensures that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to production environments is restricted to those Aletis personnel whose role requires it.
7. Security
Aletis implements the technical and organisational measures described in Annex B. Aletis reviews those measures periodically and updates them as required to maintain a level of security appropriate to the risk.
8. Sub-processors
The Customer authorises Aletis to engage the sub-processors listed in Annex A. Aletis enters into a written agreement with each sub-processor imposing data-protection obligations no less protective than those in this DPA. Aletis remains liable to the Customer for the performance of each sub-processor's obligations.
Aletis will give the Customer at least 30 calendar days' written notice of any intended addition or replacement of a sub-processor. The Customer may object on reasonable grounds within that window; if Aletis is unable to accommodate the objection for the Customer's Tenant, the Customer may terminate the affected order form without penalty.
9. International transfers
Tenant data resides in the cloud region chosen by the Customer at onboarding. Where Aletis or a sub-processor transfers Customer Personal Data outside the EEA, the transfer relies on (a) an adequacy decision under Article 45 GDPR, (b) the EU–U.S. Data Privacy Framework where the recipient is DPF-certified, and/or (c) the EU SCCs (and the UK Addendum where applicable). The specific mechanism per sub-processor is recorded in Annex A. Aletis will provide a copy of the executed EU SCCs on the Customer's request.
10. Personal data breaches
Aletis notifies the Customer without undue delay and in any case within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, providing the information required by Article 33(3) GDPR to the extent then known, and supplementing that notice as the investigation proceeds. Aletis assists the Customer in fulfilling the Customer's own notification obligations to supervisory authorities and, where required, to affected data subjects.
11. Data-subject requests
The platform provides the Customer administrator with the tooling to fulfil data-subject requests directly, including an in-product deletion flow that irrevocably removes a user's identity data, personal automations, and personal workspace. For requests requiring Aletis-side action, Aletis assists within 14 calendar days of a clearly identified request from the Customer administrator. Aletis forwards rather than answers data-subject requests received directly from end users, except where Aletis is legally required to respond.
12. Audit and information rights
Aletis makes available to the Customer all information necessary to demonstrate compliance with this DPA. The Customer may carry out an audit (including inspection) of Aletis's processing once per calendar year on 30 calendar days' prior written notice, subject to reasonable confidentiality undertakings. Where a SOC 2 or ISO 27001 audit report becomes available, Aletis will provide it as a substitute for the in-person audit, at the Customer's option. Audits during a confirmed material breach are not subject to the annual frequency limit or notice period.
13. Deletion or return of data
On termination of the master agreement and at the Customer's option, Aletis returns or deletes all Customer Personal Data within 30 calendar days, except to the extent that Union or Dutch law requires storage of the personal data. Encrypted backup snapshots are deleted on their natural retention schedule, in any case no later than 90 calendar days after termination. A faster purge is available on the Customer's reasonable request.
14. Liability and indemnification
Each party's liability under this DPA is subject to the limitations set out in the Terms of service; this DPA does not change those limitations or create any additional remedy beyond those granted by mandatory law (in particular Articles 82 GDPR and the equivalent UK provisions). For the avoidance of doubt, nothing in this DPA limits the liability of a controller or processor towards a data subject under Article 82 GDPR.
15. Order of precedence
In the event of a conflict between this DPA and the Terms of service or any executed order form, this DPA prevails for all matters relating to the processing of personal data. In the event of a conflict between this DPA and the EU SCCs incorporated into it, the EU SCCs prevail.
Annex A — Authorised sub-processors
The following sub-processors are engaged by Aletis to deliver the platform. Aletis maintains written data-protection terms with each. Customers will be notified by e-mail to the notice address at least 30 calendar days before any change to this list takes effect.
| Sub-processor | Service | Categories of data | Region | Transfer mechanism |
|---|---|---|---|---|
| Fly.io, Inc. United States (Delaware) | Per-Tenant compute (machines) and persistent block storage (volumes). | All Customer Content; session data; audit log; operational telemetry. | Customer-selected region (e.g. Frankfurt, London, Amsterdam, Ord). | EU–U.S. Data Privacy Framework (DPF) where certified, supplemented by the EU Standard Contractual Clauses (Module Two, 2021/914) and the UK Addendum where applicable. |
| Neon, Inc. United States (Delaware) | Per-Tenant managed PostgreSQL database. | Identification data; session metadata; automation metadata; chat metadata; audit log. | Customer-selected region matching the compute region above. | EU Standard Contractual Clauses (Module Two, 2021/914) and the UK Addendum where applicable; DPF where certified. |
| Cloudflare, Inc. United States (Delaware) | DNS for aletis.co and Tenant subdomains; static asset delivery for the marketing site; object storage (R2) for long-term audit-log archive. | Request metadata; truncated IP addresses; archived audit log (encrypted) for the term agreed. | Global edge for DNS / CDN; archive bucket pinned to the EU jurisdictional region wherever the underlying R2 endpoint permits. | EU–U.S. Data Privacy Framework (Cloudflare is DPF-certified); supplemented by EU Standard Contractual Clauses. |
| Anthropic, PBC. United States (Delaware) | Inference of the Claude model family invoked by the Aletis sandbox on the end user's explicit request. | Prompt content, CLAUDE.md instruction content, and file content shared with Claude during a run. | Anthropic operates inference in the United States. | EU Standard Contractual Clauses; Anthropic's commercial terms prohibit use of Customer prompts or content for model training. |
| Google LLC United States (Delaware) | Google Identity (OAuth 2.0) sign-in. No use of Google Workspace, Google Analytics, Google Ads, or any other Google service in connection with the platform. | E-mail address and display name returned in the OAuth id-token; no Customer Content is ever shared with Google. | Global identity service. | EU–U.S. Data Privacy Framework (Google LLC is DPF-certified); supplemented by EU Standard Contractual Clauses. |
Annex B — Technical and organisational measures
Aletis maintains the following measures, reviewed periodically and updated as the risk profile of the platform evolves:
B.1 Tenant isolation
- One Fly.io machine, one Fly volume, and one Neon Postgres project provisioned per onboarded Customer. No data sharing across Tenants.
- Each end user is assigned a unique Linux UID inside the Tenant and runs inside a bubblewrap sandbox that unshares the PID, UTS, and IPC namespaces and binds only the user's own workspace.
- Subdomain isolation: Tenant cookies are scoped to <slug>.aletis.co with the __Host- prefix and cannot be read across subdomains.
B.2 Authentication and authorisation
- OAuth 2.0 with PKCE (S256) for every sign-in.
- HMAC-SHA256-signed state parameter routed through a single auth-proxy worker so Google sees one redirect URI for all Tenants.
- One-shot replay protection: the platform atomically marks the OAuth nonce as used at the moment the session is created.
- Sessions use an HttpOnly, Secure, SameSite=Lax cookie with the __Host- prefix and a hard 16-hour absolute expiry.
B.3 Encryption
- All public endpoints terminate TLS 1.2 or later with modern cipher suites.
- Customer data at rest is encrypted by the underlying infrastructure provider on Fly volumes, Neon storage, and Cloudflare R2 buckets.
B.4 Logging and monitoring
- Tamper-evident audit log of identity-relevant events kept hot for 90 days in the Tenant database; archived afterwards to encrypted Cloudflare R2 object storage.
- E-mail addresses and other obvious personal identifiers are removed from operational logs outside the audit log.
- Personal-data-breach detection procedure documented in the operator runbook, including the 72-hour notification window.
B.5 Application hardening
- Strict Content-Security-Policy with a per-request nonce for inline scripts; no third-party analytics, tag managers, or advertising scripts in the product.
- Wire-format validation: every HTTP body, WebSocket frame, and server-action input passes a Zod schema before being processed.
- All identifiers are UUIDv7 generated server-side; primary keys are not user-influenced.
- Dependencies are audited against the OSV database in CI; vulnerable releases block the deploy pipeline.
B.6 Personnel
- Persons with access to production environments are bound by written confidentiality obligations.
- Access reviews are performed periodically and on personnel changes.
B.7 Business continuity
- Neon point-in-time recovery and Fly volume snapshots provide rollback within the provider's documented retention windows.
- Tenant-down, rotate-secrets, and account-deletion runbooks are maintained alongside the code in the repository.
