
Current version: DPA v3 — April 12, 2026

Data Processing Agreement

Altacee's Data Processing Agreement (DPA) governs how we process personal data on behalf of customers as a data processor. It applies automatically to all paying customers and is designed to satisfy GDPR Art. 28, UK GDPR, India's DPDP Act 2023, and CCPA service-provider requirements.

Download DPA v3 (PDF) | Request a countersigned DPA

The PDF will be available once finalised with legal counsel. Enterprise customers can request a countersigned copy via the link above.

DPA summary

The table below summarises key provisions of the DPA. It is not a substitute for the full agreement; always refer to the signed DPA for binding terms.

Provision | Detail
Processor role | Altacee acts as a data processor. The customer is the data controller and determines the purposes and means of processing. Altacee processes only on documented customer instructions.
Sub-processors | A current list of approved sub-processors is maintained on our Sub-processors page. Customers receive 30 days' advance notice of any new sub-processor, with the right to object.
Security measures | Technical and organisational measures are described in Annex II of the DPA, including TLS 1.3 in transit, AES-256 at rest, SOC 2 Type II certification, and mandatory MFA for staff. See Security page.
Data residency | Customers on EU, UK, or India plans have their primary data stored in the relevant region. Cross-region replication for disaster recovery is governed by Standard Contractual Clauses (SCCs) appended to the DPA.
Audit rights | Customers may request audit reports (SOC 2 Type II, ISO 27001 certificate) annually. On-site audits require 30 days' notice and are subject to reasonable scope limitations and mutual NDA. Audit costs are borne by the customer unless a material deficiency is found.
Sub-processor change notification | Altacee provides 30 days' written notice (email to the account's DPA contact) before onboarding any new sub-processor. Customers may object in writing within 15 days; if the objection cannot be resolved, the customer may terminate the affected services with a pro-rata refund.
Data deletion | Customer data is deleted or returned within 30 days of contract termination. Backup media is overwritten within 90 days. Certificates of deletion are available on request.

Applicability

The DPA is incorporated by reference into the Terms of Service and applies automatically to all paying customers whose use of the Service involves processing personal data. No separate signature is required unless your legal or procurement team requires a countersigned copy, in which case please use the link above.

Need a countersigned DPA or have compliance questions? Contact [email protected] or visit our Trust Center.