This Data Processing Agreement ("DPA") forms part of the Terms of Service or other agreement between Loyee Technologies, Inc. ("Alfa") and the Customer using Alfa's Services ("Agreement"). It applies wherever Alfa processes Personal Data on behalf of Customer. In the event of conflict between this DPA and the Agreement, this DPA controls for Personal Data processing matters.
By accepting the Agreement, including by clicking to accept, creating an account, or using the Services, Customer agrees to this DPA. For enterprise customers, this DPA may be separately countersigned.
For data protection inquiries, contact: privacy@getalfa.ai
1. Definitions
"Data Protection Laws" means all applicable privacy and data security laws, including the GDPR, UK GDPR, Swiss FDPA, CCPA/CPRA, and other applicable U.S. state privacy laws.
"Customer Personal Data" means Personal Data that Alfa processes on behalf of Customer in connection with the Services.
"Subprocessor" means a third party engaged by Alfa to process Customer Personal Data.
"SCCs" means the European Commission's Standard Contractual Clauses (Decision 2021/914), including applicable UK and Swiss supplements.
Other capitalized terms ("Personal Data," "Controller," "Processor," "Processing," "Data Subject," "Personal Data Breach," "Supervisory Authority") have the meanings given under applicable Data Protection Laws.
2. Roles
Alfa acts as a processor (or service provider under CCPA/CPRA) on behalf of Customer. Customer acts as a controller, or as a processor on behalf of its own customers, as applicable. The nature, purpose, duration, and categories of processing are described in the Annex to this DPA.
3. Instructions
Alfa processes Customer Personal Data only on Customer's documented instructions, as set out in the Agreement, this DPA, product settings, integration settings, API usage, and any written instructions acknowledged by Alfa. Alfa will inform Customer if it believes an instruction violates applicable Data Protection Laws, unless prohibited by law.
4. Customer Responsibilities
Customer is responsible for the lawfulness of its instructions and for ensuring it has all rights, consents, notices, and legal bases required for Alfa to process Customer Personal Data as described in this DPA. Customer is also responsible for reviewing AI-generated outputs, enrichment results, and outreach drafts before use, and for complying with applicable sales, marketing, and communications laws.
5. Alfa Obligations
Alfa will:
- process Customer Personal Data only on Customer's documented instructions;
- ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations;
- implement and maintain appropriate technical and organizational security measures (see Section 6);
- assist Customer with Data Subject requests, security obligations, and breach notifications as described in Section 8; and
- delete or return Customer Personal Data as described in Section 9.
6. Security
Alfa will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized access, loss, alteration, or disclosure. Measures may include access controls, encryption in transit, encryption at rest where supported, logging and monitoring, vulnerability management, incident response, and subprocessor controls. Alfa may update these measures provided it does not materially decrease the overall security of the Services during an active subscription period.
7. Subprocessors
Customer gives Alfa general authorization to engage Subprocessors. Alfa's current Subprocessor list is set out in the Sub-processor List section below. Alfa will impose data protection obligations on Subprocessors substantially equivalent to those in this DPA and remains responsible for each Subprocessor's compliance.
Alfa will provide reasonable notice of new Subprocessors by updating its Subprocessor list. Customer may object to a new Subprocessor on reasonable data protection grounds within 15 days of notice. If the parties cannot resolve the objection, Customer may terminate the affected Services and will be entitled to a pro-rated refund of prepaid fees for the unused portion.
8. Personal Data Breaches, Data Subject Requests, and Assistance
Breach Notification. Alfa will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notice will include available details of the breach, affected data, likely consequences, and mitigation steps. Alfa may provide information in phases. Customer is responsible for determining whether and how to notify affected individuals, regulators, or other parties.
Data Subject Requests. If Alfa receives a Data Subject request relating to Customer Personal Data, Alfa will, unless prohibited by law, direct the Data Subject to Customer or notify Customer promptly. Alfa will provide reasonable assistance to Customer in responding to such requests, taking into account the nature of the Services and available information.
Audits. Upon written request (no more than once per year, unless required by a Supervisory Authority or following a confirmed breach), Alfa will provide information reasonably necessary to demonstrate compliance with this DPA. Audits require at least 30 days' prior written notice, must occur during business hours without unreasonably disrupting operations, and are subject to confidentiality obligations. Customer bears its own audit costs and reimburses Alfa's reasonable support costs unless the audit reveals a material breach by Alfa.
9. Deletion and Return
Upon termination or expiration of the Agreement, Alfa will delete or return Customer Personal Data in accordance with the Agreement and applicable law. Alfa may retain Customer Personal Data for a limited period post-termination for export, legal compliance, fraud prevention, security, and backup retention. Backups and logs are deleted in accordance with Alfa's standard retention schedule.
10. International Transfers
Alfa and its Subprocessors may process Customer Personal Data in the United States, the EEA, the United Kingdom, and other locations where Alfa or its Subprocessors operate.
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequate level of protection, the SCCs are incorporated into this DPA by reference on the following terms: Module Two applies where Customer is a controller and Alfa is a processor; Module Three applies where Customer is a processor and Alfa is a subprocessor. Clause 7 (docking) applies; Clause 9 Option 2 applies with a 15-day notice period; Clause 11 optional language does not apply; Clause 17 governing law is Ireland; Clause 18 courts are the courts of Ireland. For UK transfers, the UK International Data Transfer Addendum supplements the SCCs. For Swiss transfers, the SCCs apply as required under Swiss data protection law.
11. U.S. State Privacy
To the extent CCPA/CPRA or other applicable U.S. state privacy laws apply, Alfa acts as a service provider or processor and will not: (a) sell or share Customer Personal Data; (b) process Customer Personal Data for cross-context behavioral advertising; or (c) retain, use, or disclose Customer Personal Data outside the direct business relationship or for any purpose other than providing the Services, except as permitted by law. Alfa certifies that it understands and will comply with these restrictions.
12. AI and Model Training
Alfa will not use Customer Personal Data to train general-purpose AI models unless otherwise agreed in writing. Alfa may process Customer Personal Data to provide the Services, including retrieval, ranking, enrichment, scoring, workspace-specific personalization, quality assurance, abuse prevention, and security.
13. Aggregated and De-identified Data
Alfa may create and use aggregated or de-identified data that does not identify Customer or any individual for analytics, benchmarking, security, and product improvement. Alfa will not attempt to re-identify such data except to test or validate de-identification measures as permitted by law.
14. Liability
Each party's liability under this DPA is subject to the limitations, exclusions, and caps set out in the Agreement. This DPA does not expand either party's liability beyond those limits.
15. Term and Updates
This DPA remains in effect for as long as Alfa processes Customer Personal Data on behalf of Customer. Alfa may update this DPA to reflect changes in law, the Services, or Alfa's processing activities, with reasonable notice of material changes. Updates will not materially reduce Customer's rights during an active subscription period unless required by law or necessary for security or legal compliance.
Sub-processor List
Loyee Technologies, Inc. ("Alfa," "Provider," "we," "us," or "our") engages the following third-party sub-processors to perform limited activities in connection with the Alfa Services. Where Alfa acts as a data processor of personal data on behalf of its customers, the entities below may process that data as sub-processors. Alfa requires all sub-processors to contractually commit to protecting the security and confidentiality of any personal data they process on Alfa's behalf. Data is stored in the country listed unless otherwise noted.
Contact & Enrichment Data Providers
| Sub-processor | Location | Purpose | Data Categories |
|---|---|---|---|
| Apollo.io | USA | Contact and company data enrichment for prospecting and outreach workflows. | Names, company names, LinkedIn URLs, phone numbers, email addresses |
| Fullenrich | USA | Waterfall enrichment of contact data to supplement and verify prospect information. | Names, company names, LinkedIn URLs, phone numbers, email addresses |
Infrastructure & Hosting
| Sub-processor | Location | Purpose | Data Categories |
|---|---|---|---|
| Amazon Web Services (AWS) | USA | Cloud infrastructure provider for hosting the Alfa platform, storage, and compute services. | All personal data processed by the Services |
| Neon.tech | USA | Cloud-based database management system for storing and managing application data. | Application and user data |
Authentication & Analytics
| Sub-processor | Location | Purpose | Data Categories |
|---|---|---|---|
| Clerk, Inc. | San Francisco, CA, USA | User authentication and identity management for the Alfa web application. | Email addresses, user identifiers, authentication tokens |
| Unipile | France | Authentication and API connectivity for email (Gmail, Outlook) and messaging integrations. | Email addresses, LinkedIn profile identifiers, OAuth tokens, message metadata |
| PostHog, Inc. | San Francisco, CA, USA | Product analytics platform for tracking feature usage, user behaviour, and application performance within the Alfa web application. | User identifiers, session data, feature usage events, page views, IP addresses, browser metadata |
AI & Machine Learning Providers
| Sub-processor | Location | Purpose | Data Categories |
|---|---|---|---|
| Anthropic PBC (Claude) | San Francisco, CA, USA | AI-based text analysis and processing of publicly available data (e.g., publicly listed company information) within the Alfa application. | Publicly available company and contact data submitted via the Services |
| Google (Gemini) | Mountain View, CA, USA | AI-based text analysis and processing of publicly available data within the Alfa application. | Publicly available company and contact data submitted via the Services |
| OpenAI | San Francisco, CA, USA | AI-based text analysis and processing of publicly available data within the Alfa application. | Publicly available company and contact data submitted via the Services |
Vector & Semantic Storage
| Sub-processor | Location | Purpose | Data Categories |
|---|---|---|---|
| Weaviate B.V. | Amsterdam, Netherlands | Vector database for semantic search and storage of publicly available data used within the Alfa application. | Publicly available company and contact data |
CRM & Customer Support
| Sub-processor | Location | Purpose | Data Categories |
|---|---|---|---|
| HubSpot, Inc. | Cambridge, MA, USA | Customer relationship management (CRM), marketing automation, and customer support ticketing for managing customer and prospect interactions. | Names, business email addresses, company names, job titles, support interactions, email correspondence, and customer communication records. |
| Fin (Intercom) | San Francisco, CA, USA | AI-powered customer support agent for handling inbound support queries from customers across chat and email channels. | Names, email addresses, account details, support conversation content, and message metadata. |
Note: "Publicly available data" means information sourced from publicly accessible sources such as company websites, professional directories, and public business registries. It does not include private Customer Data unless separately indicated.
Annex — Description of Processing Activities
This Annex forms part of the DPA and sets out the details of Alfa's processing of Customer Personal Data as required by Article 28(3) GDPR.
| Field | Details |
|---|---|
| Nature of processing | Account and lead research; business contact enrichment; champion and persona recommendations; account scoring; outreach draft generation; CRM and email integrations; API access; analytics; security; and customer support. |
| Purpose | To provide, secure, support, maintain, and improve the Services on behalf of Customer. |
| Duration | For the term of the Agreement, plus any post-termination retention period described in Section 10. |
| Categories of Data Subjects | Customer's users, employees, contractors, prospects, leads, business contacts, CRM contacts, and email recipients. |
| Categories of Personal Data | Names, business email addresses, business phone numbers, job titles, company names, professional profile URLs, CRM fields, message metadata, usage data, log data, IP addresses, integration metadata, and authentication tokens. |
| Sensitive data | Not intended for sensitive personal data, special category data, health data, children's data, payment card data, or government identifiers unless expressly agreed in writing. |
This DPA is incorporated into and governed by the Agreement. Capitalized terms not defined herein have the meanings given in the Agreement.