Invent
Albert OSAlbert Vs Legacy
AI
Transform
OverviewCustomer Stories
Learn
CompanyCase StudiesBlogEvents & WebinarsPressVideoCareers
Get Started
Select language
EnglishJapanese
Invent
Albert OSAlbert Vs Legacy
AI
Transform
OverviewCustomer Stories
Learn
CompanyCase StudiesBlogEvent & WebinarsPressVideoCareers
Login
EN
EnglishJapanese
LoginGet Started
EnglishJapanese

Data Processing Addendum

Last Updated:

March 2nd, 2026

Data Processing Addendum

This Data Processing Addendum (including its Exhibits) (“Addendum”) forms part of and is subject to the terms and conditions of the Albert Software Subscription Agreement (the “Agreement”) by and between Customer and Albert.

1.    Subject Matter and Duration.

1.1.  Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Albert’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.

1.2.   Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement. Albert will Process Customer Personal Data until the relationship terminates as specified in the Agreement.

2.    Definitions. For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

2.1    Customer Personal Data” means Customer Materials that are Personal Data Processed by Albert on behalf of Customer under the Agreement.

2.2    Data Protection Laws” means the applicable data privacy, data protection, and cybersecurity laws, rules, and regulations to which the Customer Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).

2.3    Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.

2.4    Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

2.5    Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, or alteration of, or the unauthorized disclosure of or access to, Customer Personal Data attributable to Albert.

2.6    Services” means the services that Albert performs under the Agreement.

2.7    Subprocessor(s)” means Albert’s authorized vendors and third party service providers that Process Customer Personal Data.

3.    Processing Terms for Customer Personal Data.

3.1    Documented Instructions. Albert shall Process Customer Personal Data to provide the Services in accordance with the Agreement, this Addendum, any applicable Order Form, and any instructions agreed upon by the parties. Albert will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.

3.2    Authorization to Use Subprocessors. To the extent necessary to fulfill Albert’s contractual obligations under the Agreement, Customer hereby authorizes Albert to engage Subprocessors. Albert’s current list of Subprocessors is attached hereto as Exhibit A.

3.3    Albert and Subprocessor Compliance. Albert shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this Addendum; and (ii) remain responsible to Customer for the Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.

3.4    Right to Object to Subprocessors. Customer may subscribe to receive notifications about new Subprocessors by emailing Albert at: legal@albertinvent.com. If Customer subscribes to such notifications, Albert will email Customer prior to engaging any new Subprocessors at the email address provided and allow Customer ten (10) days to object after notice has been sent. If Customer has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.

3.5    Confidentiality. Any person authorized to Process Customer Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.

3.6    Personal Data Inquiries and Requests. Where required by applicable Data Protection Laws, Albert agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under applicable Data Protection Laws.

3.7    California-Specific Terms.  To the extent that Albert’s Processing of Customer Personal Data is subject to the CCPA, this Section 3.7 also applies. Customer discloses or otherwise makes available Customer Personal Data to Albert for the limited and specific purpose of enabling Albert to provide the Services to Customer in accordance with the Agreement and this DPA. Albert shall (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of privacy protection as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Customer Personal Data; (v) not retain, use, or disclose Customer Personal Data for any purpose other than to provide the Services under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Albert; and (vii) unless otherwise permitted by the CCPA, not combine Customer Personal Data with Personal Data that Albert (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Albert will permit Customer, upon reasonable request, to take reasonable and appropriate steps to ensure that Albert Processes Customer Personal Data that is subject to this Section 3.7 in a manner consistent with the obligations of a “business” under the CCPA by requesting that Albert attest to its compliance with this Section 3.7. Following any such request, Albert will promptly provide that attestation or an explanation of why it cannot provide it. If Customer reasonably believes that Albert is engaged in unauthorized Processing of Customer Personal Data that is subject to this Section 3.7, Customer will notify Albert of such belief, and the parties will work together in good faith to remediate the allegedly violative Processing activities, if necessary.

3.8    Data Protection Impact Assessment, and Prior Consultation. Where required by Data Protection Laws, Albert agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by Albert requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.

3.9    Demonstrable Compliance. Albert agrees to provide information reasonably necessary to demonstrate compliance with this Addendum, as required by applicable Data Protection Laws and upon Customer’s reasonable request.

3.10  Service Optimization. Where permitted by Data Protection Laws, Albert may Process Customer Personal Data: (i) for its internal uses to build or improve the quality of the Services; (ii) to prevent, detect, or investigate Security Incidents; or (iii) to protect against malicious, deceptive, fraudulent, or illegal activity.

3.11  Aggregation and De-Identification. Albert may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.

4.    Information Security Program.

4.1    Security Measures. Albert shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data in accordance with Information Security Exhibit attached hereto as Exhibit B.

5.    Security Incidents.

5.1    Notice. Upon becoming aware of a Security Incident, Albert agrees to provide written notice without undue delay and within the time frame required under applicable Data Protection Laws to Customer. Where possible, such notice will include all available details required under applicable Data Protection Laws for Customer to comply with its own notification obligations to government authorities and/or individuals affected by the Security Incident.

6.    Cross-Border Transfers of Customer Personal Data.

6.1    Cross-Border Transfers of Customer Personal Data. Customer authorizes Albert and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.

6.2    EEA, Swiss, and UK Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to Albert in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Exhibit C below, the terms of which are incorporated herein by reference. Each party’s execution of the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.

7.    Audits.

7.1    Customer Audit. Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may carry out an audit of Albert’s policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit must be: (i) conducted during Albert’s regular business hours; (ii) done with reasonable advance notice to Albert; (iii) carried out in a manner that prevents unnecessary disruption to Albert’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.

8.    Customer Personal Data Deletion.

8.1    Data Deletion. At the expiry or termination of the Agreement, Albert will delete all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Albert’s data retention schedule), except where Albert is required to retain copies under applicable laws, in which case Albert will isolate that Customer Personal Data and restrict any further Processing of it, except to the extent required by applicable laws.


9.    Processing Details.

9.1    Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.

9.2    Duration. The Processing will continue until the expiration or termination of the Agreement.

9.3    Categories of Data Subjects. Data subjects whose Customer Personal Data will be Processed pursuant to the Agreement.

9.4    Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by Albert is the performance of the Services.

9.5    Types of Customer Personal Data. Customer Personal Data that is Processed pursuant to the Agreement.

EXHIBIT A TO THE DATA PROCESSING ADDENDUM

Albert Subprocessor List

EXHIBIT B TO THE DATA PROCESSING ADDENDUM

Albert Information Security Exhibit

These Albert Information Security Standards (the “Information Security Standards”) form part of the Addendum. All capitalized terms that are not expressly defined in the Information Security Standards will have the meanings given to them in the Addendum or the Agreement.

Albert shall implement and maintain an information security program (“Information Security Program”) that includes reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data. At a minimum, the Information Security Program shall include:

  1. Authentication. Albert shall maintain authentication measures including, as appropriate, multi-factor authentication for key systems that Process Customer Personal Data and industry standard passwords.
  2. Encryption. Albert shall encrypt Customer Personal Data in transit and at rest using industry standard encryption technologies.
  3. Account Management and Access Controls. Albert shall maintain account management and access controls.
  4. Inventory and Management of Customer Personal Data and Information Systems. Albert shall maintain an inventory of Customer Personal Data and the information systems used to Process Customer Personal Data. Albert shall maintain approval processes designed to prevent the unauthorized connection of hardware and devices to Albert’s information systems that Process Customer Personal Data.
  5. Secure Configuration of Hardware and Software. Albert shall maintain controls designed to ensure the secure configuration of Albert hardware and software that is used to Process Customer Personal Data.
  6. Vulnerability Scans, Penetration Testing, and Vulnerability Disclosure and Reporting. Albert shall carry out internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting for key information systems used to Process Customer Personal Data.
  7. Audit-Log Management. Albert shall maintain controls for audit-log management.
  8. Network Monitoring and Defenses. Albert shall maintain controls for monitoring and defending its network.
  9. Antivirus and Antimalware Protection. Albert shall maintain antivirus and antimalware protections on Albert personnel workstations.
  10. Information System Segmentation. Albert shall maintain controls designed to ensure segmentation of its information systems that Process Customer Personal Data.
  11. Limitation and Control of Ports, Services, and Protocols. Albert shall maintain controls designed to limit and control ports, services, and protocols used to Process Customer Personal Data.
  12. Cybersecurity Awareness. Albert shall maintain a cybersecurity awareness program designed to keep Albert informed of changing cybersecurity threats and countermeasures.
  13. Cybersecurity Education and Training. Albert shall provide cybersecurity education and training to all Albert personnel who have access to Albert’s information systems that Process Customer Personal Data.
  14. Secure Development. Albert shall maintain controls designed to ensure secure development.
  15. Vendor Management. Albert shall maintain oversight of Subprocessors.
  16. Data Retention and Disposal. Albert shall maintain data retention and disposal processes for Customer Personal Data.
  17. Security Incident Management. Albert shall maintain processes for the management of Security Incidents.
  18. Business Continuity and Disaster Recovery. Albert shall maintain industry standard business-continuity and disaster-recovery plans as it relates to the Processing of Customer Personal Data.

 


 

EXHIBIT C TO THE DATA PROCESSING ADDENDUM

This Exhibit C forms part of the Addendum and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit C have the meaning set forth in the Addendum.

The parties agree that the following terms shall supplement the Standard Contractual Clauses:

1.    Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added to the Standard Contractual Clauses, which shall read as follows: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses, which shall read as follows: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 3.4 of the Addendum; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).

 

2.    Annex I. Annex I to the Standard Contractual Clauses shall read as follows:

 

A.   List of Parties

 

Data Exporter: Customer.

Address: As set forth in the Notices section of the Agreement.

Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.

Activities relevant to the data transferred under these Clauses: The Services.

Role: Controller.

 

Data Importer: Albert.

Address: As set forth in the Notices section of the Agreement.

Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.

Activities relevant to the data transferred under these Clauses: The Services.

Role: Processor.

 

B.   Description of the Transfer:

 

Categories of data subjects whose personal data is transferred: The categories of data subjects whose personal data is transferred under the Clauses including, but not limited to, data exporter’s authorized users and data subjects whose research data is analyzed via the Services.

 

Categories of personal data transferred: The categories of personal data transferred under the Clauses including, but not limited to, name and email address of data exporter’s authorized users and research data.

 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Sensitive data that is transferred under the Clauses including, but not limited to, any research data relating to a data subject’s health.

 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.

 

Nature of the processing: The Services.

 

Purpose(s) of the data transfer and further processing: The Services.

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the Addendum.

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter, nature and duration identified in the Addendum.

 

C.   Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the supervisory authority is the Irish Data Protection Commission (DPC), and if this is not possible, then the supervisory authority is as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.

D.   Clarifying Terms: The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 7 of the Addendum; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request; and (vii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Clauses without regard for any limitation of liability set forth in the Agreement.

3.    Annex II. Annex II of the Standard Contractual Clauses shall read as follows:

Data importer shall implement and maintain technical and organisational measures designed to protect personal data in accordance with Exhibit B of the Addendum.

Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Addendum.

4.    Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:

The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.

Table 1: The start date in Table 1 is the effective date of the Addendum. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.

Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.

Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.

Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.

Ready to get started?

Schedule a demo
Invent
Albert OS
AI
Overview
Transform
Overview
Learn
CompanyCase StudiesBlogPressCareers
Visit Us
492 9th St, Suite 310
Oakland, CA 94607
United States
Follow Us
LinkedInInstagramFacebook

© 2026 Albert Invent. All rights reserved

Data Processing
The information and statements set forth herein are based on data collected from actual users and reflect the real-life experiences and opinions of such users, but are not intended to represent or guarantee that any user of our products and/or services will achieve the same or similar results. The experiences are personal to those particular users and a number of factors, which have not been taken into account, may affect your personal experience and results. We do not claim, and you should not assume, that all users will have the same experiences. The statements set forth herein do not form part of or constitute an offer or contract.