
Data Processing Addendum (DPA) — Template

This is the AlphaGen master Data Processing Addendum between AlphaGen Holdings Limited ("Processor", "AlphaGen") and the Customer named on the corresponding Order Form ("Controller", "Customer") (together, the parties).

This DPA forms part of the Terms of Service ("Master Agreement") and applies to the extent that AlphaGen processes Customer Personal Data on behalf of the Customer in the course of providing the Services. Where this DPA conflicts with the Master Agreement on data-protection matters, this DPA prevails.

Effective date: the date of the corresponding Order Form

Version: 1.0.0

Contact: dpo@alpha-gen.ai

---

1. Definitions

Capitalised terms not defined here have the meanings given in the Master Agreement or in UK GDPR / EU GDPR (as defined in the Master Agreement). The following terms have the meanings below in this DPA:

  • "Customer Personal Data" means any Personal Data the Customer or its Authorised Users submit to, generate using, or store on the Services, where AlphaGen processes that data as a Processor on the Customer's behalf.
  • "Data Protection Laws" means UK GDPR, the Data Protection Act 2018, EU GDPR (Regulation (EU) 2016/679), and any other privacy or data-protection law applicable to a party in the performance of this DPA.
  • "International Transfer" means a transfer of Personal Data to a country outside the United Kingdom or European Economic Area not benefiting from an adequacy decision.
  • "Personal Data Breach" has the meaning given in Article 4 of UK GDPR / EU GDPR.
  • "Restricted Country" means a country to which an International Transfer requires a Transfer Mechanism.
  • "Sub-processor" means any third party engaged by AlphaGen to process Customer Personal Data on the Customer's behalf.
  • "Transfer Mechanism" means the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses (SCCs) Module 2 / Module 3 (as appropriate), or any successor mechanism approved by the relevant supervisory authority.

---

2. Roles of the parties

The Customer is the Controller and AlphaGen is the Processor of Customer Personal Data, except:

  • AlphaGen is a separate Controller of operational data it processes for its own purposes (e.g. system audit logs of who accessed what and when, billing data, service-improvement metrics in pseudonymised form). AlphaGen's controllership for these activities is described in the Privacy Policy.
  • Where required by Article 26 UK GDPR / EU GDPR, the parties may enter a separate Joint Controller arrangement; nothing in this DPA creates one by default.

---

3. Scope and instructions

3.1 Documented instructions

AlphaGen processes Customer Personal Data only on documented instructions from the Customer. The Master Agreement, the applicable Order Form, the Customer's documented configuration on the Services (including consent scopes, retention settings, sub-processor selections, region pinning), and Customer support tickets are documented instructions for the purposes of Article 28(3)(a).

3.2 Lawfulness of instructions

If AlphaGen reasonably believes a Customer instruction infringes Data Protection Laws, AlphaGen will notify the Customer without undue delay and may pause execution pending Customer confirmation. AlphaGen is not obliged to perform an instruction that would put it in breach of Data Protection Laws or other applicable law.

3.3 Subject matter

The subject matter, duration, nature and purpose of processing, type of Personal Data, and categories of data subjects are set out in Annex 1 of this DPA. The Customer may specify additional detail in the Order Form.

---

4. AlphaGen's obligations as Processor

4.1 Confidentiality

AlphaGen ensures that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations (whether by contract of employment, by professional duty, or by separate non-disclosure agreement) and have received appropriate data-protection training before being granted access.

4.2 Security of processing

AlphaGen implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in Annex 2 (Technical and Organisational Measures). The Customer agrees that the Annex 2 measures provide such an appropriate level of security at the date of this DPA.

4.3 Sub-processors

The Customer authorises AlphaGen to engage:

  1. AlphaGen Affiliates as Sub-processors;
  2. The third-party Sub-processors listed in docs/legal/privacy/subprocessors.md as in force on the date of the corresponding Order Form;
  3. New Sub-processors with at least 30 days' prior notice (by email to the account contact and by update of docs/legal/privacy/subprocessors.md and the Privacy Policy Changelog), during which the Customer may object on reasonable data-protection grounds.

If the Customer reasonably objects to a new Sub-processor and the parties cannot agree a mitigation within 30 days, the Customer may terminate the affected Order Form for convenience under Master Agreement §11.5 and AlphaGen will refund pre-paid fees for the unexpired Subscription Term.

AlphaGen ensures every Sub-processor is bound by terms no less protective than this DPA and remains liable for the acts and omissions of its Sub-processors.

4.4 Cooperation with Controller

AlphaGen will, to the extent legally permitted and taking into account the nature of the processing and the information available to AlphaGen:

  1. Assist the Customer in responding to requests from data subjects to exercise rights under Articles 15–22 UK GDPR / EU GDPR;
  2. Assist the Customer with Data Protection Impact Assessments (Article 35) and prior-consultation obligations (Article 36);
  3. Make available to the Customer information necessary to demonstrate compliance with Article 28 of UK GDPR / EU GDPR;
  4. Allow for and contribute to audits (see §8).

AlphaGen may charge the Customer reasonable additional fees for assistance under this §4.4 if it goes beyond what is required to provide the Services.

4.5 Personal Data Breach notification

AlphaGen will notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware, and in any event within 48 hours. The notification will include:

  • A description of the nature of the breach;
  • The categories and approximate number of data subjects and records affected;
  • The likely consequences of the breach;
  • The measures AlphaGen has taken or proposes to take.

AlphaGen will provide further information as it becomes available and will cooperate with the Customer's regulatory notifications under Articles 33–34 UK GDPR / EU GDPR.

4.6 Records of processing

AlphaGen maintains a written record of processing under Article 30(2) UK GDPR / EU GDPR and will make extracts available to the Customer or its supervisory authority on reasonable request.

---

5. International transfers

5.1 Default region

AlphaGen processes Customer Personal Data in the United Kingdom and the European Economic Area by default. The active region(s) for a given Customer are set on the Order Form.

5.2 Transfer mechanisms

For any International Transfer, the parties agree:

  1. UK to a Restricted Country: the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses applies, as appropriate. The parties enter into the applicable form by reference to this DPA, with the Customer as data exporter and the Sub-processor as data importer (and AlphaGen as intermediate processor where relevant).
  2. EU/EEA to a Restricted Country: the EU Standard Contractual Clauses (Module 2 — Controller to Processor — or Module 3 — Processor to Sub-processor) apply, as appropriate. The parties enter into the applicable Module by reference to this DPA.
  3. AlphaGen has conducted a Data Transfer Impact Assessment (DTIA) for each routine transfer route in docs/legal/privacy/subprocessors.md and makes redacted copies available to the Customer on request.
  4. AlphaGen will implement the supplementary measures identified in the DTIA (e.g. encryption-in-transit, encryption-at-rest with customer-managed keys, sub-processor access controls).

5.3 New transfer destinations

If AlphaGen plans a routine transfer to a new Restricted Country not currently listed, AlphaGen will treat the change as a new Sub-processor under §4.3 and provide notice accordingly.

---

6. Return and deletion of Customer Personal Data

6.1 During the Subscription Term

The Customer may export Customer Personal Data at any time through the Services' export tools, the developer API, or by request to support@alpha-gen.ai.

6.2 On termination

On termination of the Master Agreement:

  1. AlphaGen will, at the Customer's option (notified to AlphaGen in writing within 30 days of termination), return Customer Personal Data in a commonly readable format or delete it.
  2. If no instruction is received within 30 days, AlphaGen will delete Customer Personal Data from production systems.
  3. Backups containing Customer Personal Data are deleted on the schedule set out in Annex 2 (typically within 90 days of termination, depending on backup tier).
  4. Audit logs and records required to demonstrate compliance are retained for the periods set out in §6.3.

6.3 Retention exceptions

AlphaGen may retain Customer Personal Data only to the extent required by applicable law or to defend legal claims. The specific retention periods are:

| Category | Period | Reason |
|---|---|---|
| Audit logs of access to Customer Personal Data | 6 years | Article 30 RoPA + UK SRA / FCA / sector-specific record-keeping requirements applicable to enterprise customers |
| Billing records | 6 years | UK Companies Act 2006 + HMRC requirements |
| Consent records | 6 years after withdrawal | Demonstrable accountability under Article 7(1) UK GDPR |
| Breach notification records | 5 years from notification | Regulator audit window |

Retained data is encrypted, access-restricted to a named DPO / legal team set, and not used for any other purpose.

---

7. Security incident handling

The parties' specific cooperation procedures are in the Privacy Policy and the internal Information Security Policy. AlphaGen runs a 24/7 on-call rota for security incidents involving Customer Personal Data and operates a documented breach playbook (docs/legal/privacy/operational/breach-playbook.md).

---

8. Audits and inspections

8.1 Information requests

AlphaGen will respond to reasonable Customer requests for information needed to demonstrate compliance with this DPA within 30 days. Standard responses include:

  • A copy of the most recent SOC 2 Type II report (when available) or equivalent security attestation;
  • A summary of the most recent independent penetration test;
  • A copy of the latest sub-processor list and DTIAs;
  • Statistics on rights-request fulfilment timelines.

8.2 On-site / virtual audits

The Customer may, on at least 30 days' prior written notice and no more than once per 12 months (unless a Personal Data Breach has occurred or a regulator requires more frequent audit), audit AlphaGen's compliance with this DPA. The audit:

  1. Will be conducted by the Customer or by an independent auditor mutually agreed and bound to confidentiality;
  2. Must not unreasonably interfere with AlphaGen's operations;
  3. Must respect the confidentiality of other AlphaGen customers' data — in particular, the auditor must not access any data or systems that contain another customer's Personal Data unless that other customer has consented in writing.
  4. Findings are confidential and may be shared only with the Customer's data-protection function and AlphaGen.

The Customer bears the reasonable cost of audits initiated under this §8.2 except where the audit reveals a material breach of this DPA, in which case AlphaGen reimburses the Customer's reasonable costs.

8.3 Regulator audits

AlphaGen will cooperate fully with any audit or investigation ordered by the Information Commissioner's Office (ICO) or any other competent supervisory authority and will notify the Customer where doing so is lawful.

---

9. Liability

The liability provisions in the Master Agreement apply to this DPA. For the avoidance of doubt, the liability cap and excluded heads of loss in Master Agreement §10 apply to claims arising under this DPA.

---

10. Term

This DPA is effective on the date of the corresponding Order Form and remains in force for as long as AlphaGen processes Customer Personal Data on the Customer's behalf, and thereafter until the deletion / return obligation in §6 is complete.

---

11. Variation

AlphaGen may update this DPA from time to time. Material changes require the Customer's consent (which may be obtained by clickthrough on the Customer portal or by re-execution of the Order Form). Non-material changes (e.g. changes to keep pace with regulator guidance) take effect 30 days after notice unless the Customer objects, in which case the parties will negotiate in good faith.

---

12. Governing law

This DPA is governed by the laws of England and Wales, with the exception that the SCCs / IDTA forms incorporated by reference in §5 are governed by their own choice-of-law clauses.

---

Annex 1 — Subject matter of processing

| Item | Detail |
|---|---|
| Subject matter | Provision of the AlphaGen AutoAnnotation System and related Services as described in the Master Agreement and Order Form |
| Duration | The Subscription Term and any retention period required by §6 |
| Nature and purpose | Hosting, redaction, automated annotation, propagation, geometry inference, world-state synthesis, fine-tuning of customer-specific models, support, troubleshooting, and audit |
| Type of Personal Data | Video and audio content; redacted footage; faces / biometric identifiers (only where Customer-supplied with explicit consent); names and email addresses of consenting subjects; metadata including timestamps and (where consented) location; operator account data (username, hashed email, audit trail); HITL game-performance data |
| Special-category data | Only where Customer-supplied with explicit Article 9 consent. The default Pass 0 redaction strips faces, voice, OCR text, license plates, and screens before the data reaches anyone other than the Customer. |
| Categories of data subjects | Customer's own employees / operators; content contributors (where the Customer's business model includes them); identifiable participants captured in uploaded footage (with consent); unidentified bystanders in public-space footage (Pass 0 redacts before exposure) |

---

Annex 2 — Technical and Organisational Measures

The full TOMs are described in the Trust & Security page, the Privacy by Design document, and the internal Information Security Policy. The following is a summary for incorporation into this DPA.

A2.1 Confidentiality

  • Encryption at rest with AES-256 for all stored Customer Personal Data. Customer-managed keys (KMS / HSM-backed) available on Enterprise tier.
  • Encryption in transit with TLS 1.2+ for all external connections; TLS 1.3 preferred. Internal cluster traffic encrypted via mTLS.
  • Role-based access control with least-privilege defaults; every privileged action is logged in the audit trail.
  • Multi-factor authentication required for all AlphaGen staff with access to production systems.
  • Production access is on a call-by-call principle: no AlphaGen staff has standing read access to Customer Personal Data; break-glass access is logged, reviewed, and time-bound.

A2.2 Integrity

  • Cryptographic hash chain over the audit log; tampering is detectable.
  • Application-layer input validation; SAST / DAST on every CI build.
  • Database integrity constraints enforced at the schema level.
  • Versioned model artefacts; LoRA adapters carry signed manifests.

A2.3 Availability and resilience

  • Multi-AZ production deployment; primary failover region pre-warmed.
  • Daily encrypted backups; tested restoration cadence.
  • DDoS protection at the edge (Cloudflare or equivalent).
  • Documented incident response runbooks; on-call rota with 24/7 coverage for security and availability incidents.

A2.4 Process

  • Annual SOC 2 / ISO 27001 readiness review (full attestation pursued in line with the trust-and-security roadmap).
  • Quarterly penetration test by an external CREST-accredited firm.
  • Annual privacy-by-design review by the DPO.
  • Documented sub-processor onboarding process including Article 28 contract, DTIA, and customer notification.
  • Documented joiner / leaver / role-change procedure.

A2.5 Privacy by design

  • Pass 0 redaction pipeline runs before any human or downstream pipeline sees raw footage.
  • Subject linkage is server-side only; HITL operators see only pixels.
  • Consent gate enforced on every read of Personal Data.
  • Cryptographic consent chain — every consent event is hashed into a tamper-evident chain.
  • Deletion cascades through every store, cache, log pipeline, and backup tombstone.

---

Document control

| Version | Date | Author | Notes |
|---|---|---|---|
| 1.0.0 | 2026-04-27 | AlphaGen Legal | Initial DPA template — Article 28 GDPR-aligned, IDTA / SCC ready. |


AlphaGen Holdings Limited · Registered in England & Wales · hello@alpha-gen.ai