DPA Template v1 (GDPR Article 28)
Data Processing Agreement (DPA)
Version: 1.0 | Date: 2026-05-01 | Compliance: GDPR Article 28, Norwegian Personal Data Act
Overview
This Data Processing Agreement (DPA) governs ALAI Holding AS' role as Data Processor when delivering AI services to clients who are Data Controllers.
GDPR Article 28(3) requires DPAs to specify 8 mandatory items. This template includes all 8.
When is a DPA Required?
Execute DPA if ALAI processes personal data on behalf of client:
- AI system processes customer names, emails, or IDs
- AI training uses client employee data
- System logs contain IP addresses or user activity
- Client explicitly requests GDPR compliance documentation
Skip DPA if:
- Pure technical audit (code review, architecture assessment) with no personal data access
- AI model training on fully anonymized datasets
- Consulting engagement with no data processing
GDPR Article 28(3) Mandatory Items
| # | Requirement | Template Section | Proveo Status |
|---|---|---|---|
| 1 | Subject matter | 2.1 (AI services) | ✓ PASS |
| 2 | Duration | 2.2 (duration of main agreement) | ✓ PASS |
| 3 | Nature & purpose | 2.3 (data types listed) | ✓ PASS |
| 4 | Type of personal data | 2.3 (identification, business, technical, AI training) | ✓ PASS |
| 5 | Categories of data subjects | 2.4 (customers, employees, end-users) | ✓ PASS |
| 6 | Obligations of controller | Section dedicated to controller rights | ✓ PASS |
| 7 | Authorization of sub-processors | 3.4 (table + 30-day notice clause) | ✓ PASS |
| 8 | Processor obligations | Section 3 (comprehensive) | ✓ PASS |
Sub-Processors
ALAI uses the following approved sub-processors:
| Vendor | Service | Location | Safeguards |
|---|---|---|---|
| Anthropic PBC | AI model API (Claude) | USA (AWS us-east-1) | SOC 2 Type II, GDPR DPA, Standard Contractual Clauses (SCCs) |
| Microsoft Azure | Cloud infrastructure, hosting | EU West / Norway East | ISO 27001, SOC 2, GDPR compliant, Microsoft DPA |
| Cloudflare Inc. | CDN, DDoS protection, DNS | Global (EU data residency) | ISO 27001, SOC 2 Type II, GDPR DPA |
| Brevo | Transactional email | EU (Frankfurt) | GDPR compliant, ISO 27001 |
⚠️ NOTE: Actual SCC documents from Anthropic are PENDING (see dpa-vendor-log.md). CEO must collect these before executing DPA with clients.
30-day notice rule: ALAI will notify clients 30 days before adding/changing sub-processors. Clients may object within this period.
Key Timelines
| Event | Deadline | Notes |
|---|---|---|
| Breach notification | 24 hours | ALAI notifies client of personal data breach within 24h of discovery |
| Data deletion/return | 30 days | Upon contract termination, ALAI deletes or returns all personal data within 30 days |
| Audit response | 14 days | ALAI responds to client audit questions within 14 days |
| Sub-processor change notice | 30 days | Clients receive 30-day advance notice before sub-processor changes |
Technical and Organizational Measures (TOMs)
The DPA references Annex B: TOMs which documents ALAI's security measures:
- Encryption: TLS 1.3 (transit), AES-256 (rest)
- Access control: MFA for all production access
- Logging: All personal data access logged
- Backups: Daily backups, 24h recovery time
- Training: Annual GDPR training for staff
- Penetration testing: Annual external security testing
Full TOMs document: TOMs ALAI AI Services v1
Audit Rights
Clients have the right to audit ALAI's compliance with this DPA:
- Frequency: Once per year without cost to client
- Additional audits: By agreement, with reasonable cost coverage
- Access: Client or designated representative may access ALAI premises and systems
- Response time: ALAI responds to audit questions within 14 days
Cross-Border Data Transfers
Non-EEA transfers: Anthropic (USA) processes data outside EEA. This requires Standard Contractual Clauses (SCCs) per GDPR Chapter V.
Status: DPA template references SCCs (section 5.1). CEO must obtain actual SCC documents from Anthropic before executing client DPAs.
Action Required: See dpa-vendor-log.md for draft vendor email. CEO must send and track responses.
Proveo Legal Review Status
Proveo review (2026-05-01): 19/20 PASS
| Critical Item | Status |
|---|---|
| GDPR Art.28 mandatory items (all 8 present) | ✓ PASS |
| Sub-processor list complete | ✓ PASS |
| 24h breach notification + 30d deletion realistic | ✓ PASS |
| Audit rights defined | ✓ PASS |
| SCCs for non-EEA referenced | ✓ PASS (reference) | ⚠️ Documents pending |
| TOMs Annex B referenced | ✓ PASS |
Known Gap: SnowIT relationship undocumented. If SnowIT processes client data, SnowIT must be added to sub-processor list. Separate workstream required.
Usage Workflow
- CEO confirms engagement involves personal data processing
- CEO fills template variables: Client name/org.nr, data types (section 2.3), data subject categories (section 2.4)
- Attach TOMs as Annex B
- Upload DPA + TOMs to Documenso (two-document bundle)
- Client review: May request security changes (e.g., ISO 27001 certification, on-premise deployment)
- CEO escalates material changes to Lexicon
- Both parties sign via Documenso
- Archive signed DPA + TOMs to Paperless-ngx with tags:
legal-contract,dpa,gdpr,ai-services
Full Template
Source File: ~/Public/legal/ai-services/DPA-template-v1.md
Full bilingual template available at source location (23K file). Contact CEO for access or see client onboarding workflow.
For client onboarding process, see Client Onboarding Checklist.
No comments to display
No comments to display