Data Processing Agreement
Last updated: May 2026 · EU GDPR · revFADP · On-Premise Architecture
Architecture note
Because the Alpyx platform is deployed on-premise and Alpyx has no technical access to client workflow data, the scope of this DPA is architecturally limited compared to cloud-based data processors. Client Data never leaves client infrastructure.
Preliminary Note
This Data Processing Agreement ("DPA") is entered into between Alpyx ("Processor") and the enterprise client identified in the applicable Order Form ("Controller") and forms part of the Master Subscription Agreement or Terms of Service between the parties.
IMPORTANT: Given the on-premise architecture of the Alpyx platform, Alpyx acts as Processor only to the limited extent described in Section 3 below. In practice, because Alpyx does not receive, access, or process Client workflow data, the applicability of this DPA to the Alpyx platform's core operation is architecturally limited.
This DPA is provided to satisfy regulatory requirements and to document the parties' respective obligations under EU GDPR (Regulation 2016/679) and revFADP.
1. Definitions
"Personal Data" has the meaning given to it under applicable Data Protection Law.
"Data Protection Law" means EU GDPR, the revFADP, and any applicable national implementing legislation.
"Processing" has the meaning given to it under applicable Data Protection Law.
"Client Data" means all workflow and behavioral data captured by the Alpyx agent within the Controller's infrastructure.
"Alpyx Platform" means the operational intelligence software, agent, management console, and analytical engine provided by Alpyx.
2. Architecture Clarification: Why Alpyx Holds No Client Data
The Alpyx platform is deployed exclusively within the Controller's own IT infrastructure. The Alpyx agent encrypts all captured data on the endpoint device using AES-256 encryption before any write operation. Encrypted data is stored exclusively in the Controller's designated on-premise data store.
Alpyx does not receive, store, process, or access any Client Data or Personal Data captured by the Alpyx platform in its normal operation. No Client Data is transmitted to Alpyx infrastructure at any point.
The Controller is the sole data controller with respect to Personal Data processed by the Alpyx platform within their environment. Alpyx is not a data processor in respect of Client Data in the ordinary operation of the platform.
This DPA governs the limited circumstances in which Alpyx may access Controller systems during on-premise deployment, maintenance, or support activities.
3. Scope of Processing by Alpyx
To the extent Alpyx processes any Personal Data in connection with services provided under the Agreement, Alpyx acts as Processor on behalf of the Controller. Such processing may occur only in the following limited circumstances:
(a) Initial platform deployment and configuration: Alpyx engineers may access Controller systems under supervision to install and configure the Alpyx platform, subject to prior written authorisation from Controller.
(b) Technical support: Where Controller requests on-site or remote support, Alpyx engineers may access Controller systems to the minimum extent necessary to resolve the reported issue, under Controller supervision and subject to Controller's security policies.
(c) Software updates: Alpyx may provide software update packages for installation by Controller's IT team. Alpyx does not perform remote updates.
In all cases, Alpyx personnel accessing Controller systems are subject to strict confidentiality obligations and access is logged.
4. Categories of Data Subjects and Personal Data
To the extent applicable, the categories of data subjects whose Personal Data may be processed are: employees, contractors, and agents of the Controller who use enterprise devices on which the Alpyx agent is deployed.
Categories of Personal Data: behavioral workflow metadata including application usage patterns, document interaction timestamps, workflow timing signals, and cross-application transition sequences. The Alpyx platform does not capture document content, communication content, passwords, biometric data, or special categories of Personal Data as defined under Article 9 GDPR.
5. Controller's Obligations
The Controller is responsible for:
(a) ensuring it has a valid legal basis for deploying the Alpyx platform and processing behavioral workflow data of its employees;
(b) providing appropriate notice to employees and conducting works council consultation where required by applicable law;
(c) maintaining a Record of Processing Activities covering the Alpyx deployment;
(d) conducting a Data Protection Impact Assessment where required under Article 35 GDPR;
(e) ensuring that data subject rights requests relating to Client Data are handled by the Controller.
Alpyx provides a deployment documentation package including model employee notification text, DPIA template, and works council information materials to assist Controllers in meeting these obligations. Such materials are provided for guidance only and do not constitute legal advice.
6. Alpyx's Obligations as Processor
To the extent Alpyx acts as Processor under Section 3, Alpyx shall:
(a) process Personal Data only on documented instructions from the Controller;
(b) ensure that persons authorised to process Personal Data are bound by confidentiality obligations;
(c) implement appropriate technical and organisational measures as set out in Section 7;
(d) assist the Controller in meeting its obligations under Data Protection Law, including responding to data subject rights requests to the extent applicable;
(e) delete or return all Personal Data to the Controller upon termination of the Agreement, at the Controller's election;
(f) provide all information necessary to demonstrate compliance with this DPA and cooperate with audits.
7. Technical and Organisational Security Measures
Alpyx implements the following technical and organisational measures in connection with any Processing activities under this DPA:
Encryption: All Client Data is encrypted using AES-256. Encryption keys are generated during deployment and held exclusively by the Controller. Alpyx does not hold encryption keys.
Access controls: Access to Controller systems by Alpyx personnel requires prior written authorisation from Controller, is limited to the minimum necessary, and is conducted under Controller supervision. All such access is logged.
Personnel training: Alpyx personnel with potential access to Controller systems are trained on data protection requirements and are subject to written confidentiality obligations.
Incident response: Alpyx maintains an incident response procedure and will notify Controller within 24 hours of becoming aware of any breach or suspected breach affecting Controller systems.
Vendor security: Any sub-processors engaged by Alpyx are subject to data processing agreements providing equivalent protections to those set out in this DPA.
8. Sub-Processors
Given the on-premise architecture of the Alpyx platform, Alpyx does not engage sub-processors to process Client Data in the normal operation of the platform.
Alpyx may use sub-processors for its own internal business operations (email, CRM, accounting). These processors do not have access to Client Data.
Alpyx will notify Controller of any changes to sub-processors used in connection with services provided under the Agreement with at least 30 days' prior notice, during which time Controller may object on reasonable grounds relating to data protection.
9. Data Subject Rights
As Controller, the Client organisation is responsible for responding to data subject rights requests from its employees relating to Personal Data processed by the Alpyx platform.
Alpyx will assist Controller in responding to such requests to the extent technically feasible and legally required, within the constraints of the on-premise architecture (i.e. where Controller has provided Alpyx with access to relevant systems for this purpose).
Where Alpyx receives a data subject rights request directly that relates to Client Data, Alpyx will promptly forward such request to Controller.
10. International Transfers
Given the on-premise architecture of the Alpyx platform, no Client Data is transferred internationally in the normal operation of the platform. Client Data remains within the Controller's designated infrastructure at all times.
Any international transfer of Personal Data by Alpyx in connection with limited support or deployment activities shall be subject to appropriate safeguards, including Standard Contractual Clauses where applicable.
11. Audit Rights
Controller has the right to audit Alpyx's compliance with this DPA, upon reasonable written notice of no less than 30 days, no more than once per calendar year, and subject to reasonable confidentiality protections.
Alpyx may satisfy audit requirements through the provision of relevant certifications, third-party audit reports, or other documentation in lieu of an on-site audit, subject to Controller agreement.
12. Governing Law
This DPA is governed by the same law as the Master Subscription Agreement, being the laws of Switzerland.
Contact for DPA enquiries: dpa@alpyx-one.com
