Data Processing Agreement
Last updated: April 27, 2026
This Data Processing Agreement (DPA) forms part of the Master Service Agreement between Alpha Draconis (Processor) and the Institutional Client (Controller), pursuant to Article 28 of the EU General Data Protection Regulation (GDPR).
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person processed through the Alpha Draconis Risk Oracle API or related services. "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, and deletion.
2. Scope of Processing
The Processor shall process Personal Data solely for the purpose of providing the Risk Oracle API services as described in the service agreement. Processing activities include: API request authentication, risk calculation inputs, audit logging, and performance monitoring.
3. Data Security Measures
The Processor implements appropriate technical and organizational measures including: AES-256 encryption at rest, TLS 1.3 in transit, HMAC-SHA256 API key authentication, automated 90-day log retention, role-based access control, and regular security audits.
4. Sub-Processors
The Processor uses the following sub-processors:
- Supabase (database hosting, AP-South-1 region)
- Vercel (application hosting, global edge network)
- Sentry (error monitoring, data scrubbed of PII)
- Resend (transactional email delivery)
The Controller will be notified 30 days before any sub-processor changes.
5. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability) within 72 hours of notification. The Processor provides API endpoints for data export and deletion.
6. Data Breach Notification
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach. Notification shall include: nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken to address the breach.
7. Standard Contractual Clauses
For international data transfers, this DPA incorporates the European Commission's Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914.
For inquiries regarding this DPA, contact: legal@alphadraconis.io.