This Agreement governs the processing of personal data by Altrina Corporation ("Processor") on behalf of the user ("Controller") in connection with the services provided under the main service agreement ("Principal Agreement").
Processor shall process personal data solely on Controller's documented instructions and only for the purposes described in Annex I.
Controller determines the purposes and means of processing.
Processor acts only under Controller's instructions and ensures confidentiality, security, and compliance with applicable law, including the EU GDPR (2016/679), UK GDPR, and, where applicable, the U.S. HIPAA BAA framework.
Processor shall not engage another subprocessor without prior written authorization (general authorization granted in Annex III).
Processor shall:
Processor implements administrative, physical, and technical safeguards to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256); access is restricted by least-privilege controls and audited logs.
Processor may engage subprocessors listed in Annex III.
Controller grants a general authorization for subprocessors, provided Processor ensures:
Where personal data is transferred outside the EEA/UK, the parties rely on Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR.
Supplementary safeguards include encryption, pseudonymization, and access-limitation protocols.
Transfers to the United States occur to Processor's infrastructure located in San Francisco (US-SFO) for service provision and support.
Processor shall assist Controller in responding to data-subject requests under Articles 15–22 GDPR, including access, rectification, erasure, restriction, portability, and objection.
Processor shall promptly notify Controller of any such request and act only on Controller's documented instructions.
In the event of a personal-data breach, Processor shall notify Controller without undue delay (and no later than 72 hours after becoming aware).
The notification shall include the nature of the breach, likely consequences, and measures taken or proposed to mitigate possible adverse effects.
Upon termination of the Principal Agreement, Processor shall, at Controller's choice, delete or return all personal data (and delete all existing copies) unless applicable law requires retention.
Log data is retained for 90 days post-termination unless otherwise required by contract or regulation.
Processor shall make available all information necessary to demonstrate compliance with this Agreement and shall allow for audits by Controller or an appointed independent auditor (subject to confidentiality).
Audits shall be limited to once annually unless triggered by a security incident.
Each party's liability under this Agreement is subject to the limitations in the Principal Agreement, except that neither party excludes or limits liability for breaches of confidentiality or data-protection obligations that result in regulatory penalties or data-subject harm.
This Agreement shall be governed by and construed in accordance with the laws of the State of California, United States, excluding conflict-of-law principles.
Any disputes shall be brought before the state or federal courts located in San Francisco County, California.
This Agreement remains in effect for as long as Processor processes personal data on behalf of Controller.
Subject Matter: Operation of the Altrina AI automation platform and related support services.
Nature of Processing: Storage, retrieval, execution of workflow automation, communication, and analytics.
Purpose: Provision of contracted services, technical maintenance, compliance reporting, and product improvement.
Types of Personal Data:
Data Subjects: Customers, government employees, constituents, patients (where applicable).
Retention: During service term; logs 90 days post-account closure.
A list of subprocessors may be found at: trust.altrina.com