1. Definitions
Capitalised terms used and not defined here have the meanings given in the Terms of Service. “Data Protection Laws” means the UK GDPR, the EU GDPR (Regulation 2016/679), the UK Data Protection Act 2018, the Spanish Ley Orgánica 3/2018, the Portuguese Lei 58/2019, and any other applicable data-protection laws. “SCCs” means the European Commission’s Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914. “UK Addendum” means the International Data Transfer Addendum to the SCCs issued by the ICO. “Customer Personal Data” means personal data that Customer or its Users submit to the Service.
2. Roles & instructions
For Customer Personal Data, the Customer is the controller and we are the processor. We will process Customer Personal Data only on the Customer’s documented instructions, which are: (a) the Terms of Service, (b) this DPA, (c) the configuration options the Customer chooses in the Service, and (d) any further written instructions the Customer issues from time to time. If we believe an instruction breaches Data Protection Laws, we will inform the Customer without delay.
3. Particulars of processing (Annex I)
Subject matter and duration
Hosting and operation of the Alsvior EMS Service for the duration of the Customer’s subscription and any wind-down period under clause 14 of the Terms.
Nature and purpose of processing
Storage, retrieval, organisation, structuring, modification and deletion of records that Customer enters into the Service for professional-services automation purposes (CRM, delivery, time, invoicing). Transmission to authorised Users of the Customer. Optional processing by AI sub-processors when an authorised User invokes an AI feature (see AI Notice).
Categories of data subjects
- The Customer’s employees, contractors and other authorised Users.
- Customer’s clients and their personnel (contacts, accounts).
- Customer’s suppliers and their personnel (for PO matching).
- Prospects in the Customer’s sales pipeline.
Categories of personal data
- Identification (name, employer, job title, level).
- Contact (email, phone).
- Professional (engagement assignments, timesheet entries, leave).
- Financial (invoice line, billing rate, expense claim) where Customer chooses to enter it.
- Technical (IP, session metadata) for security and audit logging.
Special-category and sensitive data
We do not request special-category data (Article 9 GDPR) or criminal-conviction data. Customer must not submit such data unless the parties have agreed a written addendum that documents the additional safeguards required.
4. Personnel & confidentiality
We will ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and have received training on their data-protection responsibilities. Access is restricted to those personnel who need access to provide the Service.
5. Security measures (Annex II)
We implement the technical and organisational measures described on our Security overview, including but not limited to:
- Tenant isolation at the database query layer, enforced by an EF Core global query filter and a SaveChanges interceptor that stamps TenantId.
- Encryption in transit (TLS 1.2+, TLS 1.3 by default) and at rest (AES-256).
- Role-based access control, with defence-in-depth at the service layer.
- Multi-factor authentication on all administrative access.
- Logging and monitoring tagged with TenantId, with alerting on cross-tenant access attempts.
- Vulnerability management (Dependabot, OWASP ZAP, responsible-disclosure inbox).
- Backups with point-in-time restore for 35 days; longer retention on Pro / Premium.
- Documented incident-response process with 72-hour breach-notification SLA.
We will not materially decrease the overall security of the Service during a subscription term.
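As an added illustration of the tenant-isolation measure listed in Annex II (example code, not Alsvior's own; the names ITenantProvider, ITenantScoped, Project and AppDbContext are assumed, as is .NET 6+ EF Core), a minimal setup with a global query filter on the read path and a SaveChanges interceptor that stamps and checks TenantId on the write path:

```csharp
using System; using System.Threading; using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Diagnostics;
// Assumed names: ITenantProvider resolves the caller's tenant from the authenticated request.
public interface ITenantProvider { Guid TenantId { get; } }
public interface ITenantScoped { Guid TenantId { get; set; } }
public class Project : ITenantScoped
{
    public int Id { get; set; }
    public Guid TenantId { get; set; }
}
// Write-side guard: stamps TenantId on inserts and blocks updates/deletes that cross tenants.
public class TenantInterceptor : SaveChangesInterceptor
{
    private readonly ITenantProvider _tenant;
    public TenantInterceptor(ITenantProvider tenant) => _tenant = tenant;
    private void Enforce(DbContext ctx)
    {
        foreach (var entry in ctx.ChangeTracker.Entries<ITenantScoped>())
        {
            if (entry.State == EntityState.Added)
                entry.Entity.TenantId = _tenant.TenantId;   // never trust a client-supplied TenantId
            else if ((entry.State is EntityState.Modified or EntityState.Deleted)
                     && entry.Entity.TenantId != _tenant.TenantId)
                throw new InvalidOperationException("Cross-tenant write blocked"); // also log + alert
        }
    }
    // Override both the sync and async paths; covering only one leaves SaveChangesAsync unguarded.
    public override InterceptionResult<int> SavingChanges(DbContextEventData e, InterceptionResult<int> r)
    { Enforce(e.Context!); return base.SavingChanges(e, r); }
    public override ValueTask<InterceptionResult<int>> SavingChangesAsync(DbContextEventData e,
        InterceptionResult<int> r, CancellationToken ct = default)
    { Enforce(e.Context!); return base.SavingChangesAsync(e, r, ct); }
}
public class AppDbContext : DbContext
{
    private readonly ITenantProvider _tenant;
    public Guid TenantId => _tenant.TenantId;   // read by the filter, evaluated per context instance
    public DbSet<Project> Projects => Set<Project>();
    public AppDbContext(DbContextOptions<AppDbContext> options, ITenantProvider tenant)
        : base(options) => _tenant = tenant;
    // Read-side guard: every query over Project is restricted to the caller's tenant unless code
    // explicitly calls IgnoreQueryFilters(), which should be reviewed like any privileged call.
    protected override void OnModelCreating(ModelBuilder mb) =>
        mb.Entity<Project>().HasQueryFilter(p => p.TenantId == TenantId);
    protected override void OnConfiguring(DbContextOptionsBuilder b) =>
        b.AddInterceptors(new TenantInterceptor(_tenant));
}
```

The cross-tenant exception thrown by the interceptor is the natural place to emit the TenantId-tagged log event that the monitoring bullet above describes.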
6. Sub-processors (Annex III)
The Customer authorises us to engage the sub-processors listed at /ems/legal/sub-processors/, which is Annex III to this DPA. We will:
- Provide at least 30 days’ notice before adding or replacing a sub-processor with access to Customer Personal Data.
- Bind each sub-processor to data-protection terms no less protective than this DPA.
- Remain liable to Customer for each sub-processor’s compliance.
If Customer reasonably objects to a new sub-processor on data-protection grounds within the 30-day notice period, Customer may terminate the affected subscription without penalty; we will refund any prepaid fees for the period after termination.
7. Data-subject requests
Customer (as controller) is responsible for responding to data-subject requests. We will assist by:
- Providing the export, search and deletion functions inside the Service so the Customer can fulfil requests directly.
- Forwarding any data-subject request we receive about Customer’s data to Customer without undue delay; we will not respond to such requests directly except to acknowledge receipt and redirect the data subject.
- Providing reasonable additional cooperation, at Customer’s cost where the request is unusually complex.
8. Breach notification
We will notify Customer without undue delay, and in any case within 48 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the contact point for further information, the likely consequences, and the measures taken or proposed to address it. We will reasonably assist Customer with its own notification obligations under Articles 33-34 GDPR.
9. DPIAs and prior consultation
We will provide Customer with reasonable assistance with data-protection impact assessments and any prior consultations with supervisory authorities under Articles 35-36 GDPR.
10. Audits
We will make available all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer:
- Audits are conducted at Customer’s cost.
- Audits are conducted on at least 30 days’ written notice, no more than once per 12 months, except after a confirmed breach affecting Customer.
- Audits will be conducted during normal business hours and will not unreasonably interfere with our operations.
- The auditor must sign a confidentiality undertaking before access is granted.
- Reasonable audit costs incurred by us beyond what is necessary will be reimbursed by Customer.
Where we hold a third-party assurance report (for example SOC 2 Type II once available, or an ISO 27001 certificate), we may satisfy our audit obligation by providing that report under NDA, in lieu of a full on-site audit, unless the Customer demonstrates a reasonable need for further inspection.
11. International transfers
Customer Personal Data is stored in the European Union by default (Azure West Europe / Ireland). Where Customer Personal Data is transferred to us or to a sub-processor outside the EEA / UK, the parties agree:
- The SCCs (Module 2, controller-to-processor) are incorporated into this DPA and apply to transfers from the EEA to a country without an adequacy decision.
- The UK Addendum to the SCCs is incorporated into this DPA and applies to transfers from the UK to a country without a UK adequacy regulation.
- Where docking clauses, additional sub-clauses or annex selections are required, the parties’ selections are: governing law of the SCCs — Irish law; supervisory authority — the Irish Data Protection Commission for EU transfers and the ICO for UK transfers; Clause 17 option 1 (option 2 is not selected); Clause 18(b) — Ireland.
- Anthropic, our AI sub-processor, is bound by the SCCs and the UK Addendum and additionally commits to zero-retention and no-training (see AI Notice).
12. Return or deletion
On termination of the Customer’s subscription:
- Customer keeps read-only access for 30 days for export.
- Customer can trigger an immediate deletion at any time via Settings → Workspace → Delete data.
- After 30 days, we delete Customer Personal Data from production stores; backups roll off the 90-day rolling schedule.
- We may retain personal data where required by law (typically billing records for the tax-retention period of the contracting entity).
13. Liability and order of precedence
Each party’s liability under this DPA is subject to the limits and exclusions in clause 17 of the Terms of Service, except where Data Protection Laws require otherwise. In case of conflict between this DPA and the Terms of Service, this DPA prevails on data-protection matters. In case of conflict between this DPA and the SCCs / UK Addendum, the SCCs / UK Addendum prevail.
14. Changes to this DPA
We may amend this DPA where reasonably necessary to reflect changes in Data Protection Laws, the SCCs, the UK Addendum, the categories of sub-processor, or our security posture. Material changes will be notified to Workspace Owners by email at least 30 days before they take effect.
15. Contact
Notices and questions about this DPA should be sent to dpo@alsviorglobal.com. Notices about a specific breach should additionally be copied to security@alsviorglobal.com.
