Table of contents
Introduction
This Data Processing Addendum (“DPA”) supplements your agreement with Amelytic (“Processor”) and applies when you (“Controller”) use the Service to process personal data of identifiable individuals in the EEA, UK, India, or California.
1. Roles
You are the Controller of personal data submitted to the Service. Amelytic is the Processor and processes personal data only on documented Controller instructions, except where law requires otherwise.
2. Subject matter and duration
Subject matter: providing the Service. Duration: the term of your subscription, plus any retention period required by law or this DPA.
3. Categories of data
- Identifiers (name, email, employee ID, customer ID).
- Contact information (telephone, address).
- Marketing preferences and engagement signals.
- Content authored by the Controller's brand on connected channels.
- Technical identifiers (IP, device IDs, cookies set by the Controller's domain).
4. Categories of data subjects
- Controller's employees and authorised users.
- Controller's customers, prospects, and contacts.
- Audience members who engage with Controller's brand on connected channels.
5. Subprocessors
You give general authorisation for the subprocessors listed below. We will give 30 days’ notice of any addition or replacement; you may object on reasonable grounds and we will work with you to resolve.
- Render (US/EU) — application hosting + managed Postgres.
- Cloudflare R2 (global) — object storage for assets and exports.
- Cloudflare Pages — static site delivery.
- Frontier AI inference providers (US) — text and image generation. The full, current subprocessor list is available on request from privacy@amelytic.com.
- Resend (US/EU) — transactional and marketing email.
- Stripe — payment processing.
- Sentry — error and performance monitoring.
- OpenTelemetry / Grafana Cloud — operational observability.
6. Security measures
We maintain the technical and organisational measures described on our Security page, including encryption in transit and at rest, envelope encryption of OAuth tokens, RBAC, audit logging, vulnerability management, and incident response. These measures are reviewed at least annually.
7. Personal data breach
We will notify you without undue delay, and in any event within 72 hours of becoming aware, of any personal data breach affecting your data. The notification will describe the nature and scope of the incident, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.
8. Data subject requests
We will assist you in fulfilling data subject requests within the time limits prescribed by applicable law. The Service includes self-service tools for export and deletion in Settings → Privacy.
9. International transfers
Where personal data is transferred outside the EEA or UK, the transfer is governed by the European Commission’s Standard Contractual Clauses or the EU–US Data Privacy Framework, supplemented by additional measures as needed (encryption, pseudonymisation, access controls).
10. Audit rights
You may, at your cost and no more than once a year, audit our compliance with this DPA, with reasonable notice and during business hours. We will provide our latest SOC 2 report (when available) on request, which generally satisfies the audit obligation.
11. Return or deletion
On termination of the Service, we will delete or return all personal data processed on your behalf within 30 days, except where law requires retention. Aggregated, de-identified data may be retained.
12. Liability
Each party’s liability under this DPA is subject to the limitation of liability in the main Terms of Service.
13. Signing
By using the Service in a capacity that processes personal data, you accept this DPA. Enterprise customers requiring a counter-signed copy should email legal@amelytic.com.