Legal

Data Processing Addendum

Last updated: July 9, 2026. GDPR Article 28 compliant DPA, including the EU Standard Contractual Clauses.

This Data Processing Addendum (“DPA”) forms part of the ALGO Terms of Service and applies to the extent that ALGO processes personal data on behalf of a customer in the role of a processor under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) or the UK GDPR. Capitalized terms not defined here have the meaning given in the GDPR.

1. Definitions

  • “Customer” means the ALGO user that is the controller of personal data uploaded to the Service.
  • “Data Subject” means an identified or identifiable natural person.
  • “Personal Data” has the meaning given in GDPR Article 4(1).
  • “Processing” has the meaning given in GDPR Article 4(2).
  • “Sub-processor” means any third party engaged by ALGO to process Personal Data on behalf of the Customer.
  • “SCCs” means the Standard Contractual Clauses adopted by the European Commission (Module 2: Controller-to-Processor).

2. Roles

The Customer is the Controller. ALGO is the Processor. The parties acknowledge that ALGO may also process Personal Data as a Controller for its own purposes (e.g., account administration, security, billing) — those activities are governed by the ALGO Privacy Policy.

3. Subject Matter, Duration, Nature, and Purpose

ALGO processes Customer Personal Data for the following purposes:

  • Subject matter: providing the ALGO platform — signal detection, lead scoring, multi-channel outreach, payment attribution, invoicing, phone/dialer, and agentic commerce feed.
  • Duration: the term of the ALGO Terms of Service plus a reasonable wind-down period not exceeding 90 days following termination.
  • Nature of processing: storage, retrieval, organization, enrichment, transmission, and automated analysis of Customer Personal Data.
  • Purpose: operating the Service on the Controller's documented instructions, including the features the Controller enables in the product.

4. Categories of Data and Data Subjects

Customer Personal Data may include contact information (name, email, phone, employer, job title), engagement data (channel interactions, message content, call recordings/transcripts), and financial data necessary for invoicing. Data Subjects typically include the Customer's prospects, customers, employees, and contractors — as determined by the Customer.

5. Customer Instructions

ALGO processes Personal Data only on documented instructions from the Customer, including with regard to international transfers, unless required to do otherwise by EU or Member State law. ALGO will inform the Customer of any such legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

6. Sub-processors

The Customer authorizes ALGO to engage the sub-processors listed below. ALGO will notify the Customer at least 30 days in advance of any new sub-processor. The Customer may object on reasonable grounds related to data protection; the parties will work in good faith to resolve any objection.

Sub-processorPurposeLocation
Stripe, Inc.Payment processing, fraud prevention, invoicingUnited States
Vercel, Inc.Hosting + edge networkUnited States / EU edge
Amazon Web ServicesDatabase, object storage, computeUnited States (us-east-1, us-west-2)
Postmark / ActiveCampaignTransactional emailUnited States
Twilio, Inc.SMS + voice (phone/dialer)United States
Google LLCEmail (Gmail API) — optional user-connectedUnited States
OpenAI / AnthropicAI inference (signal analysis, message generation)United States

7. Security Measures (Article 32)

ALGO implements appropriate technical and organizational measures, including:

  • TLS 1.2+ encryption for all data in transit.
  • AES-256 encryption at rest for all customer databases and object storage.
  • Key management via AWS KMS with annual key rotation.
  • Role-based access control with least-privilege principles.
  • Multi-factor authentication for all personnel with production access.
  • Continuous security monitoring, vulnerability scanning, and annual third-party penetration tests.
  • Encrypted backups with point-in-time recovery; backups retained for 30 days.
  • Incident response runbook with breach notification within 72 hours of awareness.
  • Annual SOC 2 Type II audit (Type 2 report available under NDA).

8. Data Subject Rights

ALGO will assist the Customer, by appropriate technical and organizational measures, in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection). To the extent the Customer cannot access the relevant Personal Data through the Service, ALGO will provide reasonable assistance.

9. International Data Transfers

For transfers from the EEA, UK, or Switzerland to a country not covered by an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module 2: Controller-to-Processor), which are incorporated by reference. The SCCs are deemed completed as follows:

  • Annex I.A: list of parties — Customer (as data exporter) and ALGO, Inc. (as data importer).
  • Annex I.B: categories of data subjects, categories of data, frequency, retention — see Section 4 above.
  • Annex I.C: competent supervisory authority — the supervisory authority of the Customer's place of establishment, or as otherwise required by Clause 13.
  • Annex II: technical and organizational measures — see Section 7 above.
  • Annex III: sub-processors — see Section 6 above.

For UK transfers, the parties additionally rely on the UK International Data Transfer Addendum issued by the UK ICO.

10. Audit Rights

ALGO will make available to the Customer all information necessary to demonstrate compliance with this DPA, including the SOC 2 Type II report, by allowing the Customer to review it under NDA. Where the Customer requires an on-site audit, the parties will agree in advance on scope, timing, confidentiality, and reasonable costs.

11. Personal Data Breaches

ALGO will notify the Customer without undue delay — and in any event within 72 hours — after becoming aware of a Personal Data breach affecting Customer data. The notification will include the information required by GDPR Article 33(3) to the extent known.

12. Return or Deletion at End of Term

Upon termination of the Service, ALGO will, at the Customer's choice, delete or return all Customer Personal Data within 90 days, and delete any existing copies, unless EU or Member State law requires storage.

13. Liability

Liability under this DPA is subject to the limitation of liability in the ALGO Terms of Service. The parties' total aggregate liability under or in connection with this DPA is capped at the same amount.

14. Order of Precedence

In the event of any conflict between this DPA and the SCCs, the SCCs prevail for matters relating to international transfers. In all other cases, this DPA prevails over the Terms of Service.

15. Term

This DPA takes effect on the date the Customer accepts the ALGO Terms of Service and continues for as long as ALGO processes Personal Data on the Customer's behalf.

16. Contact

For DPA questions, requests to add or change sub-processors, or to exercise any rights under this DPA:

ALGO, Inc.
Attn: Data Protection Officer
Email: scaleaimarkets@gmail.com
Address: 1 Market Street, Suite 3600, San Francisco, CA 94105, USA