Data Processing Agreement

Last updated: May 13, 2026 · Template — not yet counsel-reviewed.

This DPA forms part of the alifTeams Terms of Service for customers operating under GDPR, UK GDPR, the Swiss FADP, the CCPA/CPRA, or comparable privacy regimes. Final language will be published before the public launch and reviewed by external counsel.

1. Scope and parties

Customer (Controller) and alifTeams (Processor) enter into this DPA covering Personal Data processed by alifTeamson Customer's behalf to deliver the Service.

2. Subject matter and duration

Processing concerns Personal Data of Customer's end users (workspace members, guests, and invitees) for the duration of the Service contract and as required to wind down obligations.

3. Nature and purpose of processing

To operate alifTeams: deliver messages, run AI agents, manage tasks, host huddles, send transactional email, bill the Controller's organization, and protect against abuse.

4. Types of Personal Data

Names, email addresses, hashed passwords, locale, message content (including files and attachments), agent prompts and completions, billing data managed by Stripe, and operational telemetry tied to the user account.

5. Categories of data subjects

Workspace members, guests, invitees, and any third parties whose data the Controller chooses to upload into the Service.

6. Sub-processors

Current sub-processors: PostgreSQL hosting (Linode), object storage (Backblaze B2 or Cloudflare R2), email (Resend), payments (Stripe), AI providers (OpenAI, Anthropic, Google), and real-time audio/video (LiveKit). A current list is maintained at/sub-processors and updated at least 14 days before changes take effect.

7. International transfers

Transfers outside the EU/UK rely on the EU Standard Contractual Clauses (Module 2 and 3 as applicable) and the UK IDTA addendum. Data residency selection on Pro plans constrains primary processing to the chosen region.

8. Security

See /security. We implement TLS, encryption at rest, scoped access control, audit logging, daily backups, and least-privilege engineering access.

9. Breach notification

alifTeamswill notify Customer without undue delay (and within 72 hours where feasible) of a Personal Data Breach affecting Customer's data, describing the nature of the breach, the approximate number of records and data subjects, likely consequences, and remediation.

10. Data subject rights

Customer can export, correct, or delete data via the Workspace Admin panel and Audit Log. For requests we cannot satisfy via product features (e.g. complex erasure), we cooperate within 30 days.

11. Return and deletion

Upon termination, Customer may export workspace data within 30 days. alifTeams then deletes all Personal Data unless retention is legally required.

12. Audits

Customer may audit our compliance once per year with reasonable notice, or rely on the annual SOC 2 / ISO 27001 reports we plan to publish from year two.

13. Liability

See the Terms of Service. The DPA does not change the overall liability framework.