Last Updated: December 12, 2025

Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Terms of Service, any Service Agreement, proposal, statement of work, or other written agreement between you and Alison Prime LLC governing the provision of services (the “Principal Agreement”).

This DPA reflects the parties’ agreement regarding the Processing of Personal Data in accordance with applicable data protection laws, including, where applicable, the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and similar laws.

In this DPA, “Client”, “you”, or “your” refers to the entity or individual that has entered into the Principal Agreement with Alison Prime. “Alison Prime”, “we”, “us”, or “our” refers to Alison Prime LLC.

If there is any conflict between this DPA and the Principal Agreement with respect to data protection matters, this DPA shall prevail to the extent of the conflict.

1. Definitions

For the purposes of this DPA:

• “Applicable Data Protection Laws” means all data protection and privacy laws and regulations that apply to the Processing of Personal Data under this DPA, including, where applicable, the GDPR, the UK GDPR, and similar laws in other jurisdictions.
• “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
• “Processor” means the entity that Processes Personal Data on behalf of the Controller.
• “Personal Data” means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.
• “Processing” (and “Process”, “Processed”) means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
• “Subprocessor” means any third party engaged by Alison Prime to Process Personal Data on behalf of the Client.
• “Data Subject” means an identified or identifiable natural person whose Personal Data is Processed.
• “International Transfer” means a transfer of Personal Data to a country outside the jurisdiction where the Personal Data was originally collected, including from the EEA or UK to a third country outside the EEA or UK.

Capitalized terms used but not defined in this DPA shall have the meaning given to them in the Principal Agreement or under Applicable Data Protection Laws.

2. Roles of the Parties

2.1 Controller and Processor.
For the purposes of this DPA, and in relation to the Personal Data described in Annex 1:

• The Client acts as the Controller (or, where the Client itself acts as a processor for its own client, as a “Controller” for the purposes of this DPA, or as an “independent controller” of its relationship with Alison Prime).
• Alison Prime acts as the Processor with respect to the Personal Data that it Processes on behalf of the Client in the course of providing the Services.

2.2 Client Instructions.
Alison Prime shall Process Personal Data only on the documented instructions of the Client as set out in:

• the Principal Agreement,
• this DPA (including Annex 1), and
• any documented instructions reasonably provided by the Client in writing (including by email or through a ticketing system),

unless otherwise required by Applicable Data Protection Laws, in which case Alison Prime shall, to the extent permitted by law, inform the Client of that legal requirement before Processing.

If Alison Prime believes that a Client instruction infringes Applicable Data Protection Laws, Alison Prime shall notify the Client promptly (to the extent legally permitted).

3. Subject Matter, Nature, Purpose, and Duration of Processing

3.1 Subject Matter and Purpose.
The subject matter and purposes of the Processing are described in Annex 1. In summary, Alison Prime Processes Personal Data as necessary to provide website, web application, integration, maintenance, support, and related technical services to the Client.

3.2 Nature of Processing.
Processing may include, as applicable: access, storage, review, modification, testing, troubleshooting, configuration, backup, and other operations necessary to provide the Services.

3.3 Duration.
Alison Prime will Process Personal Data for the duration of the Principal Agreement and this DPA, or until the Client requests deletion or return of the Personal Data in accordance with Section 10, unless longer retention is required or permitted by law.

3.4 Categories of Data and Data Subjects.
The categories of Personal Data and Data Subjects are described in Annex 1.

4. Obligations of Alison Prime (Processor)

Alison Prime shall:

4.1 Process Only on Instructions.
Process Personal Data only on documented instructions from the Client, except where required by law as described in Section 2.2.

4.2 Confidentiality.
Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security of Processing.
Implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by Applicable Data Protection Laws. These measures may include, as appropriate:

• Access controls and least-privilege principles
• Secure configuration and patching practices
• Encryption in transit where applicable
• Separation of environments (for example, staging and production) where feasible
• Monitoring and logging in line with the nature of the Services
• Staff awareness and confidentiality obligations

A general description of the technical and organizational measures is provided in Annex 2.

4.4 Personnel and Subprocessors.
Ensure that any personnel or Subprocessors who Process Personal Data on behalf of Alison Prime do so only in accordance with this DPA and are bound by adequate confidentiality and data protection obligations.

4.5 Assistance with Data Subject Requests.
Taking into account the nature of the Processing, assist the Client, by appropriate technical and organizational measures and to the extent reasonably possible, in fulfilling the Client’s obligations to respond to requests from Data Subjects to exercise their rights (such as access, rectification, erasure, restriction, portability, and objection), in accordance with Applicable Data Protection Laws. Alison Prime will promptly forward to the Client any request received directly from a Data Subject that relates to Personal Data Processed on behalf of the Client.

4.6 Assistance with Compliance.
Taking into account the nature of Processing and the information available to Alison Prime, assist the Client in ensuring compliance with obligations regarding security of Processing, data protection impact assessments, and prior consultations with supervisory authorities, as reasonably requested and to the extent required by Applicable Data Protection Laws.

4.7 Records of Processing.
Maintain any records of Processing activities required by Applicable Data Protection Laws to demonstrate compliance with this DPA and applicable Processor obligations.

5. Subprocessing

5.1 Use of Subprocessors.
The Client authorizes Alison Prime to engage Subprocessors to Process Personal Data on its behalf, provided that:

• Alison Prime imposes data protection obligations on the Subprocessors that are no less protective than those set out in this DPA, and
• Alison Prime remains responsible for the Subprocessors’ compliance with this DPA.

5.2 List of Subprocessors.
Alison Prime may maintain a list of current Subprocessors (for example, on a dedicated “Subprocessors” page on https://alisonprime.co or as shared with the Client in writing). Such a list will typically include infrastructure providers (for example, hosting, cloud platforms), analytics tools, email and communication tools, and other technical providers involved in delivering the Services.

5.3 Changes to Subprocessors.
Where required by Applicable Data Protection Laws, Alison Prime will provide the Client with notice of any intended changes concerning the addition or replacement of Subprocessors that will Process Personal Data, giving the Client an opportunity to object on reasonable grounds related to data protection.

If the Client reasonably objects to a new Subprocessor and the parties cannot agree on a solution, the Client may, as a sole and exclusive remedy, terminate the part of the Services that cannot be reasonably provided without the use of the objected Subprocessor, subject to payment for services already rendered.

6. International Transfers

6.1 Transfers by Alison Prime.
Personal Data may be Processed in the United States and other countries where Alison Prime or its Subprocessors operate. Where the Processing of Personal Data involves an International Transfer subject to restrictions under Applicable Data Protection Laws (for example, transferring Personal Data from the EEA or UK to a third country), Alison Prime and the Client shall ensure that such transfers are made in compliance with applicable requirements.

6.2 Transfer Mechanisms.
Where required, the parties may rely on appropriate safeguards for International Transfers, which may include:

• Standard contractual clauses (SCCs) or their successors as approved by the European Commission or UK authorities,
• An adequacy decision, or
• Other valid transfer mechanisms under Applicable Data Protection Laws.

If a specific transfer mechanism relied upon for International Transfers is invalidated or no longer available, the parties will cooperate in good faith to implement an alternative lawful mechanism or, if necessary, adjust the Processing to avoid non-compliant transfers.

7. Data Breach Notification

7.1 Personal Data Breach.
In the event of a Personal Data Breach (as defined under Applicable Data Protection Laws) affecting Personal Data Processed by Alison Prime on behalf of the Client, Alison Prime shall:

• Notify the Client without undue delay after becoming aware of the Personal Data Breach, and
• Provide information reasonably required to enable the Client to comply with its obligations to notify or inform supervisory authorities and affected Data Subjects, to the extent such information is known to Alison Prime and not otherwise restricted (for example, by law enforcement).

7.2 Cooperation.
Alison Prime shall cooperate with the Client and take reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach, in line with the nature of the Services and the information available to Alison Prime.

Nothing in this DPA requires Alison Prime to disclose information that would compromise security, its own internal investigations, or the privacy rights of other clients or individuals.

8. Data Subject Requests and Complaints

8.1 Requests to the Client.
The Client is responsible for responding to Data Subject requests concerning Personal Data for which the Client is the Controller.

8.2 Requests Received by Alison Prime.
If Alison Prime receives a request directly from a Data Subject relating to Personal Data Processed on behalf of the Client, Alison Prime will:

• Promptly notify the Client, and
• Not respond to the request except to confirm that the request has been forwarded to the appropriate Controller, unless otherwise required by law.

Alison Prime will provide reasonable assistance to the Client, at the Client’s request and expense, to respond to such requests in accordance with Applicable Data Protection Laws.

9. Audits and Compliance

9.1 Information and Audits.
Upon reasonable request from the Client, Alison Prime shall make available information necessary to demonstrate compliance with this DPA and Processor obligations under Applicable Data Protection Laws, which may include:

• Relevant policies or high-level descriptions of technical and organizational measures,
• Certifications or third-party attestations (if any), and
• Responses to reasonable written questionnaires.

Where Applicable Data Protection Laws provide the Client with a direct audit right, the Client may, at its own expense and subject to reasonable confidentiality and security restrictions, conduct an audit (or have such audit carried out by an independent third party bound by confidentiality) once per year or following a material security incident, provided that:

• The Client provides reasonable prior written notice,
• The audit is conducted during normal business hours and in a manner that minimizes disruption, and
• The audit scope is limited to systems and processes relevant to the Services and Personal Data Processed for the Client.

9.2 Costs.
The Client shall bear its own costs and expenses in connection with audits. If an audit requires significant time or resources from Alison Prime, the parties may agree on reasonable compensation for Alison Prime’s efforts, except where the audit reveals a material failure by Alison Prime to comply with this DPA.

10. Return and Deletion of Personal Data

10.1 Upon Termination or Request.
Upon termination or expiry of the Principal Agreement, or upon written request from the Client, Alison Prime shall, to the extent technically feasible and permitted by law:

• Return Personal Data Processed on behalf of the Client, or
• Delete such Personal Data,

in accordance with the Client’s documented instructions and any timelines agreed in the Principal Agreement.

10.2 Retention for Legal or Operational Reasons.
Alison Prime may retain copies of Personal Data where required by applicable law, or where such data is embedded in routine backup or archival systems that are subject to periodic overwriting or deletion cycles. In such cases, Alison Prime shall continue to protect the retained data in accordance with this DPA and limit further Processing to what is strictly necessary for the applicable legal or operational purpose.

11. Client Responsibilities

The Client is responsible for:

• Ensuring that it has a valid legal basis for Processing Personal Data and for engaging Alison Prime as a Processor.
• Providing accurate and up-to-date information in Annex 1, where applicable, and informing Alison Prime of any material changes that may affect the Processing.
• Complying with its obligations as a Controller under Applicable Data Protection Laws, including providing appropriate privacy notices to Data Subjects and responding to Data Subject requests.
• Ensuring that any instructions provided to Alison Prime are lawful and compatible with Applicable Data Protection Laws.

12. Limitation of Liability

The limitations of liability set out in the Principal Agreement apply to this DPA.

Nothing in this DPA shall limit or exclude either party’s liability where such limitation or exclusion is not permitted under Applicable Data Protection Laws.

13. Changes to This DPA

We may update this DPA from time to time to reflect:

• Changes in Applicable Data Protection Laws,
• Evolving industry standards,
• Modifications to the Services, or
• Updates to our security or data handling practices.

When we make material changes, we will update the “Last Updated” date at the top of this page and may provide additional notice where appropriate (for example, on the Site or by email). In some cases, certain changes may require an updated DPA or additional agreement between the parties.

If you do not agree with the updated DPA, you should stop using the Services and contact us to discuss your options.

14. Contact

If you have questions about this DPA or our data protection practices, you can contact us at:

---

Annex 1 – Details of Processing

A. Subject Matter and Purpose

Alison Prime Processes Personal Data on behalf of the Client for the purpose of providing:

• Website development, configuration, maintenance, and support
• Custom web apps and client portals
• API integrations and workflow automations
• Performance, stability, and security-related improvements
• Associated technical consulting and advisory services

Processing is limited to what is necessary to deliver the Services as described in the Principal Agreement, this DPA, and the Client’s documented instructions.

B. Categories of Data Subjects

Depending on the nature of the Client’s business and systems, Personal Data Processed may relate to:

• The Client’s customers or end users
• The Client’s website visitors or app users
• The Client’s employees, contractors, or other staff
• Other individuals whose data is entered into or collected by the Client’s systems that Alison Prime may access in the course of providing the Services

C. Categories of Personal Data

The categories of Personal Data may include, as determined by the Client:

• Contact details (for example, name, email address, phone number)
• Account or profile information (for example, usernames, access roles)
• Usage and interaction data related to the Client’s website or applications
• Transactional or communication data associated with the Client’s systems
• Any other Personal Data that the Client chooses to store in systems that Alison Prime is asked to configure, maintain, or access as part of the Services

The parties do not anticipate that Alison Prime will intentionally Process “special categories” of data (such as health, biometric, or highly sensitive data) unless explicitly agreed in writing and subject to additional safeguards.

D. Special Categories of Data (If Applicable)

The Client shall not instruct Alison Prime to Process special categories of data or highly sensitive data unless:

• Such Processing is clearly described and justified in writing, and
• Appropriate safeguards are agreed and implemented.

If Alison Prime becomes aware that it is inadvertently Processing special categories of data without appropriate arrangements, it may notify the Client and take steps to limit or cease such Processing while the situation is resolved.

E. Duration

Alison Prime will Process Personal Data for the duration of the Principal Agreement and this DPA, or until the Client requests return or deletion of the Personal Data, whichever occurs first, subject to any longer retention required or permitted by law.

---

Annex 2 – Technical and Organizational Measures

Alison Prime maintains technical and organizational measures appropriate to the risk presented by the Processing of Personal Data. These may include, as appropriate:

• Access Control
  • Limiting access to systems, environments, and tools to authorized personnel with a legitimate need.
  • Use of individual accounts and role-based permissions where supported.
  • Revocation of access when staff or contractors no longer require it.
• Security by Configuration
  • Using secure configuration practices for hosting, CMS, and application environments.
  • Applying updates and patches to relevant components within a reasonable timeframe, where under Alison Prime’s control and within the agreed scope.
  • Encouraging the use of staging environments for testing changes before production deployment, where feasible.
• Encryption and Transmission Security
  • Encouraging the use of HTTPS/TLS for websites and web applications.
  • Using secure channels for administrative access and sharing of credentials, where possible.
• Monitoring and Logging
  • Using logging and basic monitoring tools (where available and in scope) to help detect unusual behavior, performance issues, or errors.
  • Reviewing logs or alerts as part of troubleshooting and support activities.
• Backups and Recovery Awareness
  • Working with hosting and platform tools that provide backup mechanisms.
  • Assisting Clients with backup and recovery strategies within the scope of maintenance and support services.
• Organizational Measures
  • Ensuring that staff and contractors are aware of confidentiality and data protection obligations.
  • Using reasonable internal processes to limit access to Personal Data to those who need it for the Services.
  • Handling Client materials and access credentials with care and in line with agreed processes.

These measures are subject to ongoing review and may evolve over time to reflect security best practices, changes in technology, and the nature of the Services provided.

Back to top