Data Processing Agreement

Data Processing Agreement

Last updated: November 18, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service ordered by the Customer under an Order Form (the "Agreement") between Alloy and the Customer.

The parties expressly acknowledge and agree that:

• This DPA does not establish a joint controllership arrangement under Article 26 of the GDPR.
• Each party remains solely responsible for its own compliance with Applicable Data Protection Laws in respect of its separate processing activities.
• Alloy processes Customer Personal Data solely on behalf of and under the instructions of the Customer.
• Alloy may process Service Data, Log Data, aggregated data, and de-identified data as an independent controller solely for analytics, security, billing, and product-development purposes.
• Alloy does not engage in automated decision-making with legal or similarly significant effects on Data Subjects.

For any questions regarding data protection, please contact us at:

• Email: support@alloy.app
• Address: Index Technologies Pty Ltd, 265 Riley Street, Surry Hills NSW 2010

1. Definitions

Capitalized terms used in this DPA shall have the meaning assigned to them in the Agreement. In addition to the definitions under the Terms of Service, the below terms shall have the following meaning:

"Applicable Data Protection Laws" means all EU and relevant member state legislation and regulations, including regulations and decisions issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time apply to Alloy and the Customer, including without limitation the GDPR, including any future interpretations thereof in court precedence from the EU Court of Justice or any other authorized court or supervisory authority.

"CCPA": The California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder. When used in the context of the CCPA, the terms "business," "business purpose," "commercial purpose," "contractor," "sell," "service provider," and "share" shall have the respective meanings given thereto in the CCPA.

"Customer": The Customer defined in the Agreement.

"Customer Personal Data": Any Personal Data processed by Alloy or its Sub-processor on behalf of on documented instructions of the Customer in connection with the Services.

"Data Protection Laws": Collectively, (i) EU GDPR, UK GDPR and any implementing or supplementary legislation; (ii) the EU–US Data Privacy Framework and its UK/Swiss extensions; and (iii) all U.S. federal or state privacy statutes in force during the Term together with other national laws governing the Processing of Personal Data under DPA.

"Data Subject": An individual whose Personal Data is processed.

"Data Transfer": (a) A transfer of Customer Personal Data from the Customer to a Contracted Processor; or (b) an onward transfer of Customer Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws.

"DPA" means this data processing agreement and the appendices attached hereto (as amended from time to time in accordance herewith).

"EU Data Protection Laws": EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and any EU or Member-State law that implement or supplement the GDPR.

"EU SCCs": The standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).

"ex-EEA Transfer": The transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the "EEA"), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.

"ex-UK Transfer": The transfer of Personal Data covered by Chapter V of the UK GDPR, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the "UK"), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). If the Customer is a UK entity, any reference to the "GDPR" shall be interpreted to include a reference to the UK GDPR.

"Alloy" means Index Technologies Pty Ltd, registered at 265 Riley Street, Surry Hills NSW 2010.

"Personal Data": Any information relating to an identified or identifiable natural person.

"Personal Data Breach": A confirmed breach of Alloy's security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Alloy's possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems) and is when (i) a breach of security has occurred and (ii) Customer Personal Data has been compromised.

"Processing": Any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.

"Service Data": Any data relating to the use, support and/or operation of the Services, which is collected directly by Alloy from and/or about users of the Alloy Services and/or the Customer's use of the Service for use for Alloy's own purposes.

"Standard Contractual Clauses" or sometimes also referred to the "EU Model Clauses" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council, based on the Commission Decision (EU) 2021/914 of 4th June 2021.

"Sub-processor" means any processor engaged by Alloy to process Personal Data on behalf of the Customer.

"U.S. Privacy Laws": The collective privacy, data protection, and data security laws and regulations issued by a governmental authority of any US state jurisdiction applicable to the Processing of Customer Personal Data under DPA, including the CCPA.

"UK Addendum": The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office.

"UK SCCs": The EU SCCs, as amended by the UK Addendum.

The terms "controller", "processor", "data subject", "processing", "personal data", and "personal data breach", shall have the same meanings as set out in Article 4 of the GDPR.

For EU Personal Data, the Customer acts as a controller and Alloy acts as a processor.

For U.S. Personal Data the Customer is "business," Alloy is "service provider/contractor," and Alloy shall not "sell" or "share" such data nor combine it for cross-contextual advertising, consistent with the CPRA.

For UK Personal Data, the Customer acts as a Controller and Alloy acts as a Processor as defined under the UK GDPR.

2. Subject Matter, Activities and Duration

• Alloy shall Process Customer Personal Data only on the Customer's documented instructions as in Annex 1.
• Alloy may refuse, suspend, or propose commercially reasonable alternatives to any instruction it reasonably believes would breach DPA, Applicable Data Protection Laws or materially compromise the security, confidentiality, availability, or performance of the Services.
• Alloy shall retain Customer Personal Data transmitted through the Service as in Annex 1. Data retention periods for other services shall be as specified in the applicable Agreement or Order Form.
• This DPA shall remain in effect for the duration of the Agreement.

3. Customer Obligations

• Except as may be otherwise required under the Applicable Data Protection Law, the Customer shall, on behalf of any Affiliate, serve as a single point of contact for Alloy in all matters under this DPA and shall be responsible for the internal coordination, review and submission of instructions or requests to Alloy as well as the onward distribution of any information, notifications and reports provided by Alloy hereunder.
• In its capacity as a controller, the Customer confirms (for its own part and/or on behalf of its Affiliates, as the case may be) that it is entitled to provide access to and shall maintain throughout the term all necessary rights, consents and authorizations to Customer Personal Data provided to Alloy. The Customer it has a lawful basis and any necessary approvals from any relevant data subjects for Alloy's performance of the Alloy Services.
• The Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which the Customer acquired personal data.
• The Customer shall comply with all applicable Data Protection Laws. Without prejudice to Alloy's obligations in this DPA, the Customer acknowledges and agrees that it is responsible for certain configurations and design decisions for the services and is responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Laws.
• The Customer shall reasonably cooperate with Alloy to assist Alloy in performing any of its obligations with regard to any requests from the Customer's data subjects and will reimburse Alloy for any reasonable, documented costs Alloy incurs.
• The Customer agrees that, without limiting Alloy's obligations under Section 4, the Customer is solely responsible for its use of the Services, including:
  • Making appropriate use of the Alloy Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data
  • Securing the account authentication credentials, systems and devices the Customer uses to access the Services
  • Securing the Customer's systems and devices that Alloy uses to provide the Services
  • Backing up Customer Personal Data
• The Customer agrees that the Service, the Security Measures provided by Alloy, and Alloy's commitments under DPA are adequate to meet the Customer's needs, including with respect to any security obligations of the Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
• The Customer shall not provide any data to Alloy which is classified as sensitive. For the avoidance of doubt, the Customer agrees not to upload, input, or otherwise provide any protected health information under HIPAA, or any other sensitive categories of data (such as financial account numbers, government identifiers, or biometric data).

4. Alloy's Obligations

Alloy shall process personal data hereunder solely in accordance with the documented instructions of the Customer, for the following limited purposes:

• performance of the Alloy Services under the terms of the Agreement;
• where applicable depending on the Alloy Services provided to the Customer under the Agreement, setting up, operating, and monitoring the underlying infrastructure (hardware, software, servers, environments, connectivity, etc) required to provide the Alloy Services to the Customer and to meet the technical, security and organizational requirements for the processing of the personal data in connection therewith;
• processing initiated by authorized users of the Customer in their use of the Alloy Services;
• executing documented instructions of the Customer provided such instructions relate to and are consistent with the Alloy Services;
• addressing service issues or technical problems; and/or
• meeting any express requirement under the Applicable Data Protection Laws, in which case Alloy shall, unless it is prohibited by Applicable Law from doing so, inform the Customer of that legal requirement before processing.

Alloy will report to the Customer without undue delay any request, demand or order received by Alloy from a competent supervisory authority or a data subject relating to the processing of personal data on the Customer's behalf. If a data subject makes a request to Alloy, Alloy will promptly forward such request to Customer once Alloy has identified that the request is from a data subject for whom Customer is responsible. The Customer acknowledges that Alloy has no responsibility to interact directly with any data subject or supervisory authority in respect of any request, demand or order (except as expressly provided under the Applicable Data Protection Law or as otherwise agreed by the Parties in writing).

Subject to applicable legal retention obligations, upon termination of the Agreement Alloy will return to the Customer or delete any personal data that has been processed on the Customer's behalf under this DPA, as described in this DPA.

Alloy will only rely on personnel in the processing of personal data who are contractually or by statutory obligation bound to maintain confidentiality, and take reasonable steps to ensure that access to personal data processed is limited to those personnel who require such access to perform the applicable services.

Alloy will promptly inform the Customer if, in its opinion, any instruction or request violates Applicable Data Protection Law, and Alloy disclaims any obligation or liability with regard to any such instructions or requests.

The Customer may request Alloy to provide assistance if the Customer is carrying out a data protection impact assessment. Such assistance will in such a case consist of Alloy providing relevant information to the Customer regarding the personal data processed in the Alloy Services. Alloy shall be entitled to charge the Customer its professional services fees on a time and material basis for such assistance.

The Customer accepts that any requests for information, assistance or activities beyond Alloy's ordinary course of business, routines or practices, or what is otherwise commercially reasonable, shall be specifically agreed in an Order Form and may be subject to additional fees and charges.

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Nothing in this Section 4 obliges Alloy to take actions that (i) would violate Applicable Data Protection Laws or Applicable Law, (ii) require disclosure of trade secrets or confidential information of third parties, or (iii) exceed the limitation-of-liability caps set forth in this DPA.

5. Security

In connection with its processing of personal data hereunder Alloy shall provide for and maintain appropriate administrative, physical, technical and organizational security measures for such processing, which are intended to protect personal data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and to ensure a level of security appropriate to the particular risks involved in the processing, as outlined on Alloy's Security Page: https://alloy.app/security

Alloy is actively pursuing SOC 2 Type II certification. Upon completion, and upon request with acceptance to confidentiality obligations, Alloy may provide access to the SOC 2 Type II report.

6. Data Breach Notification

Alloy will inform the Customer without undue delay after confirming a data breach, that constitutes a Personal Data Breach under this DPA and/or Applicable Data Protection Laws, in connection with the processing of Customer Personal Data under this DPA, observing the following process:

• Alloy shall investigate the personal data breach and take reasonable measures to identify its root cause(s), where such breach is caused by Alloy or a Alloy Sub-processor;
• As information is collected or otherwise becomes available, to the extent legally permitted, Alloy shall provide the Customer with a description of the Personal Data Breach, the type of the data to which the Personal Data Breach relates, and, other information the Customer may reasonably request concerning the affected data subject(s) where such information is available to Alloy; and,
• Alloy will provide the Customer with reports as follow-up to the notice, on a timely basis, and as reasonably requested by the Customer.

Alloy's notification of or response to a Personal Data Breach shall not be construed as Alloy's acknowledgement of any fault or liability with respect to the Personal Data Breach.

If the Customer determines to notify any governmental entity, Data Subject(s), the public or others of a Personal Data Breach, to the extent such notice directly or indirectly refers to or identifies Alloy, where permitted by Applicable Data Protection Laws, the Customer agrees to:

• Notify Alloy in writing in advance; and
• In good faith, consult with Alloy and consider any clarifications or corrections Alloy may reasonably recommend or request to any such notification, which: (i) relate to Alloy's involvement in or relevance to such Personal Data Breach; and (ii) are consistent with Applicable Data Protection Laws.

Alloy may delay notice to the Customer if a competent law-enforcement agency determines that immediate disclosure would impede a criminal investigation, provided Alloy notifies the Customer as soon as the restriction is lifted.

The obligations set out above will not apply, to the extent that the personal data breach is caused by the Customer, the Customer's Affiliate or anyone acting for the Customer, save that Alloy will inform the Customer of the personal data breach and provide information it discovers up to the stage it identifies the breach is caused by the Customer, the Customer's Affiliate or anyone acting for the Customer. Alloy may charge the Customer for any assistance that the Customer may request when a personal data breach is attributable to or caused by the Customer.

7. Sub-processing

• Alloy shall inform the Customer of any intended changes concerning the addition or replacement of other processors through updating the sub-processor list available at https://alloy.app/security/subprocessors (the "Sub-processor List"). This list is updated at least annually.
• Alloy may continue to use those Sub-processors already engaged by Alloy as of the date of this DPA.
• In the event that the Customer does not wish to consent to the use of a new Sub-processor, the Customer may notify Alloy within twenty (20) business days of Alloy notifying the Customer, that the Customer does not consent on reasonable grounds relating to the protection of Personal Data by contacting support@alloy.app.
• In such cases, the Customer and Alloy shall work together in good faith to find a mutually acceptable resolution to address such objections. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, the Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Alloy Services by providing written notice to Alloy and receive a refund of any prepaid fees under the Agreement.
• Where Alloy engages another processor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract.

8. International Data Transfers

Alloy shall not transfer Personal Data to a third country or international organization unless:

• The transfer is to a country or organization that has been deemed to provide an adequate level of protection by the European Commission or applicable regulatory authority;
• The transfer is covered by appropriate safeguards such as binding corporate rules, standard data protection clauses, approved codes of conduct, or certification mechanisms; or
• The Customer has given its explicit consent to the transfer after having been informed of the potential risks.

For ex-EEA Transfers, the parties agree that such transfers are made pursuant to the EU SCCs, which are deemed incorporated into this DPA by reference and completed as follows:

• Module Two (Controller to Processor) of the EU SCCs apply when the Customer is a controller, and Alloy is processing Personal Data for the Customer as a processor.
• Module Three (Processor to Sub-Processor) of the EU SCCs apply when the Customer is a processor, and Alloy is processing Personal Data on behalf of the Customer as a sub-processor.

For ex-UK Transfers, the parties agree that such transfers are made pursuant to the UK SCCs, which are deemed incorporated into this DPA by reference, and amended and completed in accordance with the UK Addendum.

Alloy represents and warrants that:

• As of the date of this DPA, it has not received any formal legal requests from any government intelligence or security service for access to Customer Personal Data ("Government Agency Requests");
• If, after the date of this DPA, Alloy receives any Government Agency Requests, it shall attempt to redirect the law enforcement or government agency to request that data directly from the Customer and shall give the Customer reasonable notice of the demand, unless legally prohibited from doing so.

If any transfer mechanism relied upon becomes invalid or is enjoined, the parties will cooperate in good faith to promptly implement an alternative lawful mechanism. Alloy may suspend the affected transfers (and related processing) until such mechanism is in place, without this constituting a breach of the Agreement.

9. Service Data

The Customer acknowledges and agrees that Alloy may collect, use and disclose Service Data for its own business purposes, such as but not limited to:

• accounting, tax, billing, audit, and compliance purposes;
• to provide, improve, develop, optimize and maintain the Services;
• to investigate fraud, spam, wrongful or unlawful use of the Services;
• training or tuning proprietary machine-learning models used to deliver the Services; and/or
• as otherwise permitted or required by Applicable Data Protection Laws.

For the avoidance of doubt, Service Data is not "Customer Personal Data" and the obligations set out in this DPA do not apply to Alloy's Processing of Service Data. Alloy may retain Service Data for as long as it has a legitimate business need, may disclose Service Data to its Affiliates and Sub-processors for the purposes set out in this Section, and may create, commercialize, and publish anonymized, aggregated, or de-identified data from Service Data, provided that such data does not identify the Customer or any individual Data Subject. Alloy warrants that any de-identification will meet the standard for "de-identified data" under the CPRA and comparable laws.

The Customer acknowledges that no royalty, fee, or other remuneration is due for Alloy's Processing of Service Data under this Section, and the Customer has no right to opt out of such Processing so long as it remains a customer of the Services.

10. Use of Customer Data for Artificial Intelligence and Machine Learning

• Alloy shall not use any Customer Personal Data for the purpose of training, retraining, fine-tuning, or otherwise developing any Artificial Intelligence (AI) or Machine Learning (ML) models.
• Customer Personal Data shall be processed solely for the purposes of providing, maintaining, securing, and supporting the Alloy Services as described in this DPA, in accordance with documented instructions and applicable data protection laws.
• Alloy may process de-identified and aggregated information derived from Customer Personal Data (Service Data) only for statistical reporting, security analysis, or operational insights—provided that such information cannot be used to identify Customer, its end users, or any natural person, and is not used for AI/ML training.

11. Return and Deletion

• Upon termination of the Agreement, Alloy shall immediately discontinue all processing of Customer Personal Data, other than secure storage or any processing expressly permitted under DPA.
• Within thirty (30) calendar days after the termination of the Agreement the Customer may instruct Alloy, in writing, to return or delete all Customer Personal Data then in Alloy's possession or control, unless Applicable Data Protection Laws require storage of the Customer Personal Data.
• If no such instruction is received within thirty (30) calendar days, Alloy may, at its discretion, permanently delete or irreversibly anonymize the Customer Personal Data in accordance with its documented retention schedule.
• Where manual data-export or bespoke deletion work exceeds two (2) person-hours, Alloy may charge the Customer its reasonable, documented costs at the then-current professional-services rates, except to the extent such charges are prohibited by Applicable Data Protection Laws.
• The provisions of this Section, together with Sections 12 (Governing Law and Jurisdiction) and 14 (Limitation of Liability), shall survive termination of DPA for so long as Alloy retains any Customer Personal Data.

12. Governing Law and Jurisdiction

This DPA, and any non-contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with the laws of the Terms of Service.

13. Indemnity

The Customer shall defend, indemnify and hold harmless Alloy and its affiliates from any third-party claim, investigation, fine, loss, or reasonable legal cost that arises from (i) the Customer's instructions or configurations, (ii) failure to secure a lawful basis or required consents, (iii) provision of data to Alloy as described in Section 3.8, or (iv) any breach of this DPA or applicable data-protection laws. Alloy will give prompt written notice and reasonable cooperation; the Customer may control the defense but may not settle any matter that admits fault or imposes non-monetary obligations on Alloy without Alloy's prior written consent.

Further, to the fullest extent permitted by law, the Customer releases and will defend, indemnify, and hold harmless Alloy from any claim, fine, or loss arising out of the Customer's failure to implement or maintain the security controls described in this DPA.

14. Liability

The Parties' liability under this DPA shall be limited in accordance with the provisions of the General Terms and Conditions.

The Parties acknowledge and agree that neither Party shall have an obligation to indemnify the other Party for any administrative fines imposed by a supervisory authority or a court under Applicable Data Protection Legislation.

In no event shall either Party be liable to the other for any loss of profits, revenue, goodwill, business interruption, loss or corruption of data, or for any indirect, special, incidental, punitive, exemplary, or consequential damages of any kind, even if advised of the possibility of such loss or damage and regardless of the theory of liability. The foregoing limitations and exclusions apply (i) in the aggregate across this DPA and the Agreement, (ii) irrespective of the number or nature of claims, and (iii) notwithstanding any failure of essential purpose of any limited remedy.

15. US Privacy Laws

To the extent Alloy's Processing of Customer Personal Data under the Agreement is subject to U.S. Privacy Laws:

The Parties acknowledge that Alloy's retention, use and disclosure of Customer Personal Data authorized by the Customer's instructions stated in this Agreement are integral to the Alloy Services and the business relationship between the Parties.

Alloy shall:

• Use, retain, and disclose Customer Personal Data only as necessary to perform the business purposes specified in this Agreement or as otherwise permitted by U.S. Privacy Laws;
• Comply with applicable obligations under U.S. Privacy Laws and shall provide the same level of privacy protection as is required of a "service provider" or "contractor" under each applicable U.S. Privacy Law;
• Implement reasonable and appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing, access, use, or disclosure;
• Notify the Customer without undue delay if Alloy determines it cannot meet its obligations under U.S. Privacy Laws;
• Cooperate with the Customer to stop and remediate any unauthorized use of Customer Personal Data.

Alloy shall not:

• Sell or share any Customer Personal Data
• Retain, use or disclose any Customer Personal Data for any purpose other than for the business purposes specified in the Agreement, including retaining, using, or disclosing the Customer Personal Data for a commercial purpose other than the business purposes specified in the Agreement or as otherwise permitted by U.S. Privacy Laws
• Combine the Customer Personal Data received from the Customer with Customer Personal Data received from or on behalf another person, or Customer Personal Data Alloy collects from its own interaction with the consumer, except as otherwise permitted by U.S. Privacy Laws
• De-identify or aggregate Customer Personal Data unless the de-identification meets U.S. Privacy Laws, and the output cannot be re-identified.

16. Miscellaneous

• In the event of inconsistencies between the provisions of DPA and the Agreement, the provisions of DPA shall prevail.
• If any provision of DPA is held invalid or unenforceable, the remaining provisions will remain in full force, and the Parties shall replace the invalid provision with a valid one that most closely reflects the Parties' original intent.
• The Parties agree that DPA constitutes the entire understanding between the Parties with respect to the subject matter hereof and supersedes all prior agreements or understandings, whether written or oral.

Annex 1 - Description of Processing

The following description of processing relates to the Customer using Alloy as defined in the Alloy Customer Terms of Service.

A. LIST OF PARTIES

Data exporter:

• Name: The Customer, as defined in the Alloy Customer Terms of Service (on behalf of itself and Permitted Affiliates)
• Address: The Customer's address, as set out in the Order Form
• Contact person's name, position and contact details: The Customer's contact details, as set out in the Order Form and/or as set out in the Customer's Alloy account
• Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data in connection with Customer's use of the Alloy Services under the Alloy Customer Terms of Service
• Role: Controller

Data importer:

• Name: Index Technologies Pty Ltd
• Address: 265 Riley Street, Surry Hills NSW 2010
• Contact person's name, position and contact details: support@alloy.app
• Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data in connection with Customer's use of the Alloy Services under the Alloy Terms of Service or the agreement entered into between the Controller and Processor.
• Role: Processor

Description of processing

Alloy is an AI-powered prototyping platform that's designed to allow companies to develop prototypes through written instructions (prompts). The application processes data provided by the Customer to convert prompts provided by the Customer into interactive prototypes for web and mobile applications. The Customer determines the Processing which may comprise of the hosting, storage, compilation, scanning, indexing, static and dynamic analysis, AI-assisted generation, and deployment of prototyping artifacts (including source code, configuration files, design assets, comments, and user-profile data) in order to provide, secure, maintain, monitor, and improve the Services.

Personal data processing

Customer Personal Data - data that is disclosed or otherwise made accessible to by the Customer for the provision of services which identifies an individual. Customer Personal Data is processed for the following purposes:

• Provision of Alloy services including account creation and billing;
• Provision of implementation services, consultancy services and support services and only in cases where Alloy needs access to the Customer's environment (which is only provided upon Customer's approval).

Non-personal data processing

Service Data - Any aggregated and/or de-identified data relating to the use, support and/or operation of the Services, which is collected directly by Alloy from and/or about users of the Alloy Services and/or the Customer's use of the Service for use for Alloy's own purposes. Service Data is processed for the following purposes:

• accounting, tax, billing, audit, and compliance purposes;
• to provide, improve, develop, optimize and maintain the Services;
• to investigate fraud, spam, wrongful or unlawful use of the Services;
• training or tuning proprietary machine-learning models used to deliver the Services; and,
• as otherwise permitted or required by Applicable Data Protection Laws

Log Data - operational telemetry including device's IP address and approximate location, browser type and version, pages, APIs, or features you access within the Services, timestamps and time spent on specific screens or functions, unique session or device identifiers and error/debugging codes, and other usage statistics. Log data is processed for security and platform improvement purposes.

Categories of data subjects

• Accounts the Customer supplies Alloy access to, including, but not limited to, developers, engineers, project managers and team leaders, whether they are employees, contractors, agents or third-party contributors.
• End users of published Alloy prototypes

Retention and erasure

Alloy shall retain:

• Customer Personal Data as long as necessary for the term of the Agreement, and will be returned and deleted when requested in writing by the Customer, unless an exception applies:
  • Retention is necessary for account closure or deletion requests, for fraud prevention, legal defense, or to comply with our legal obligations.
  • Deleted data may persist in backups for a limited time before being permanently removed.
• Service Data indefinitely in an anonymized and aggregated form.