Alviss AI Data Processing Agreement
Effective Date: [Insert Date]
Between:
Scope and Purpose
This DPA applies to the processing of personal data by Alviss AI on behalf of the Customer in the course of providing the Alviss AI Marketing Science Platform (the "Services"). Both parties agree to comply with the EU General Data Protection Regulation (GDPR).
Processing Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law.
Data Sovereignty & EU Residency
Alviss AI guarantees that all personal data processed under this agreement is stored and processed exclusively on servers located within the European Union (EU).
Technical and Organizational Measures (TOMs)
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as outlined in our Security Page (alviss.io/security). These include:
Sub-processors
The Controller grants general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance.
Authorized Sub-processors:
Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights (e.g., access, deletion, rectification).
Personal Data Breach
In the event of a personal data breach, Alviss AI shall notify the Customer without undue delay and, where feasible, not later than 72 hours after having become aware of it.
Deletion or Return of Data
Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies unless Union or Member State law requires storage of the personal data.
Annex I: Details of Processing
Between:
- [Customer Name], located at [Customer Address] (the "Controller")
- Alviss AI (https://alviss.io), located at Strandboulevarden 122, 3. th., 2100 Copenhagen, Denmark (the "Processor")
Scope and Purpose
This DPA applies to the processing of personal data by Alviss AI on behalf of the Customer in the course of providing the Alviss AI Marketing Science Platform (the "Services"). Both parties agree to comply with the EU General Data Protection Regulation (GDPR).
Processing Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law.
Data Sovereignty & EU Residency
Alviss AI guarantees that all personal data processed under this agreement is stored and processed exclusively on servers located within the European Union (EU).
- No personal data shall be transferred to, or accessed from, any country outside the European Economic Area (EEA) without the express written consent of the Controller.
- The primary processing locations are Germany (via Hetzner and Contabo).
Technical and Organizational Measures (TOMs)
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as outlined in our Security Page (alviss.io/security). These include:
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Confidentiality: All personnel authorized to process data have committed themselves to confidentiality.
- Resilience: Regular backups and disaster recovery protocols are in place.
Sub-processors
The Controller grants general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance.
Authorized Sub-processors:
Sub-processor | Purpose | Location |
Hetzner Online GmbH | Cloud Hosting & Infrastructure | Germany (EU) |
Contabo GmbH | Cloud Hosting & Dedicated Servers | Germany (EU) |
Auth0 (Okta, Inc.) | Identity & Authentication Services | Germany & Ireland (EU) |
Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights (e.g., access, deletion, rectification).
Personal Data Breach
In the event of a personal data breach, Alviss AI shall notify the Customer without undue delay and, where feasible, not later than 72 hours after having become aware of it.
Deletion or Return of Data
Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies unless Union or Member State law requires storage of the personal data.
Annex I: Details of Processing
- Subject Matter: Provision of predictive marketing analytics and Bayesian model insights via the Alviss AI SaaS platform.
- Duration: For the term of the Agreement plus a standard deletion period of 30 days.
- Nature/Purpose: Processing for the purpose of generating marketing science insights, model training (on behalf of the customer), and platform performance monitoring.
- Categories of Data Subjects: Customer’s employees, end-users.