Data Processing Addendum
For EU and UK customers who process personal data through Aloha. Signable from Settings → Legal in one click.
Parties
This Data Processing Addendum ("DPA") supplements the Terms of Service between you (the "Controller") and Aloha, Inc. ("Aloha", the "Processor"). It forms an agreement under Article 28 of the GDPR and, for UK customers, the UK GDPR.
Definitions
Terms capitalised in this DPA but not defined have the meaning given them in the GDPR. "Customer Data" means any personal data you upload to or process through Aloha.
Roles
- Controller. You determine the purpose and means of the processing.
- Processor. Aloha processes Customer Data only on your documented instructions — which, for most of our product, means "the actions you take inside Aloha's UI and API."
- Sub-processor. Third parties Aloha engages to help (listed below).
Scope and duration
Aloha processes Customer Data for the duration of your use of the service plus any retention period required by law. Processing covers: hosting, storing, transmitting, and displaying Customer Data so that you can use the product's features (scheduling, analytics, inbox, automation).
Your instructions
These documented instructions are:
- The Terms of Service.
- This DPA.
- The features you invoke in the Aloha UI and API.
- Any lawful written instruction you give us, scoped to the service.
If we believe an instruction violates applicable data protection law, we'll tell you and stop until resolved.
Confidentiality
Every Aloha employee with access to Customer Data has signed a written confidentiality agreement that survives termination of employment.
Security
We implement the technical and organisational measures described in Security & compliance: encryption in transit and at rest, access controls, regular audits, incident response.
Sub-processors
Aloha uses the following sub-processors (full list maintained at /legal/security#subprocessors):
- Amazon Web Services — hosting.
- Vercel — application hosting, edge runtime.
- Cloudflare — CDN and DDoS protection.
- Stripe / Polar — payment processing.
- Postmark — transactional email.
- Upstash (QStash) — scheduled job delivery.
- AI inference providers — third-party foundation-model endpoints powering Muse and voice features, governed by API terms that prohibit training on your prompts. The current list of providers is published on our trust page and updated with 30 days' notice when it changes.
We give you 30 days' advance notice before adding a new sub-processor. If you object on reasonable data-protection grounds, you can terminate the affected service and receive a pro-rated refund.
Data subject requests
If a data subject (one of your users) contacts Aloha directly with a request, we'll redirect them to you. We'll also help you respond to access, correction, and deletion requests by:
- Providing self-service export in Settings → Account.
- Supporting targeted deletion via the API or a written request to privacy@usealoha.app within 5 business days.
Incident notification
If we become aware of a personal data breach involving your Customer Data, we'll notify you without undue delay and no later than 72 hours after becoming aware. The notice will include what we know about:
- The nature of the breach.
- Categories of data subjects and records affected.
- Likely consequences.
- Measures taken or proposed.
International transfers
Customer Data is stored in AWS us-east-1. For transfers out of the EEA or the UK, we rely on the Standard Contractual Clauses (2021 EU SCCs, Module 2 or 3 as applicable) and the UK International Data Transfer Addendum for UK customers.
Audits
On 30 days' written notice, once per year, you can audit Aloha's compliance with this DPA. Aloha is an indie project with no third-party attestations today (no SOC 2, ISO 27001, etc.); the founder will answer your questionnaire directly and walk you through the controls described here.
Return and deletion
On termination of the service, Aloha will delete Customer Data within 30 days. If you need an export, request it from Settings → Account before termination.
Liability
Liability for obligations under this DPA is subject to the limitations in the Terms of Service, except where local law disallows those limitations for data protection claims.
Signatures
This DPA becomes effective when:
- You countersign via Settings → Legal → Sign DPA, or
- You send a signed copy to legal@usealoha.app.
Aloha's signature is on file. No negotiations required on non-Enterprise plans — the DPA above is the one we sign.