Data Processing Agreement

Effective: March 8, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Altivum Inc. ("Processor," "we," "us") and the organization or individual that has entered into a service agreement for the use of Elo ("Controller," "you," "your").

This DPA applies where we process personal data on your behalf in connection with providing the Elo platform (the "Service"), and the General Data Protection Regulation (EU) 2016/679 ("GDPR") or the UK General Data Protection Regulation ("UK GDPR") applies to that processing.

1. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1)
  • Processing — any operation performed on Personal Data, as defined in GDPR Article 4(2)
  • Data Subject — the identified or identifiable natural person to whom Personal Data relates
  • Sub-processor — any third party engaged by the Processor to process Personal Data on behalf of the Controller

2. Scope and Purpose of Processing

We process Personal Data solely for the purpose of providing the Service to you, which includes:

  • User authentication and account management
  • Real-time voice practice sessions (audio processing — not stored)
  • Generation and storage of session transcripts
  • AI-powered session analysis and performance scoring
  • Progress tracking and reporting
  • Organization management and administrator reporting

Categories of Data Subjects

Users of the Service who are employees, contractors, or members of the Controller's organization.

Types of Personal Data

  • Name and email address
  • Session transcripts (text records of voice practice conversations)
  • Performance analysis data (scores, feedback, trends)
  • Session metadata (timestamps, duration, topics)
  • Organization membership information

Data Not Retained

Voice audio is processed in real time and is not stored. Only the text transcript derived from the audio is retained.

3. Obligations of the Processor

We shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorized to process Personal Data are subject to obligations of confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see our Security page)
  • Not engage any Sub-processor without prior written authorization from the Controller (see Section 5)
  • Assist the Controller in responding to Data Subject requests (see Section 6)
  • Assist the Controller in ensuring compliance with data protection impact assessments and prior consultations with supervisory authorities, where required
  • Delete or return all Personal Data to the Controller upon termination of the Service, at the Controller's choice, unless retention is required by applicable law
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

4. Obligations of the Controller

The Controller shall:

  • Ensure that the processing of Personal Data has a valid legal basis under applicable data protection law
  • Provide any necessary notices to and obtain any necessary consents from Data Subjects regarding the processing
  • Ensure that its instructions to the Processor comply with applicable law

5. Sub-processing

We use the Sub-processors listed on our Subprocessors page to provide the Service. By entering into this DPA, you provide general written authorization for us to engage these Sub-processors.

We will notify you of any intended changes to Sub-processors by updating the Subprocessors page at least 30 days before the change takes effect. If you object to a new Sub-processor, you may notify us within 14 days and we will work with you to address your concerns. If we cannot resolve the objection, you may terminate the affected portion of the Service.

We enter into written agreements with each Sub-processor that impose data protection obligations no less protective than those in this DPA.

6. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests to exercise their rights under GDPR (access, rectification, erasure, restriction, portability, objection). If we receive a request directly from a Data Subject, we will promptly notify you and will not respond to the request unless instructed by you or required by law.

7. Security Measures

We implement the following technical and organizational measures to protect Personal Data:

  • Encryption of data at rest and in transit
  • Per-user data isolation at storage, database, and API levels
  • Authentication via Amazon Cognito with JWT-based tokens
  • Server-side authorization on all API operations
  • Infrastructure hosted on AWS with monitoring and alerting
  • Secrets management via AWS Secrets Manager
  • No storage of voice audio — only text transcripts are retained

For full details, see our Security page.

8. Data Breach Notification

We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
  • The name and contact details of our data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

9. International Data Transfers

Personal Data is processed and stored in the United States (AWS US East - Ohio region). Where Personal Data is transferred from the EEA or UK to the United States, we rely on:

  • The EU-U.S. Data Privacy Framework, where applicable
  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into this DPA by reference

10. Data Return and Deletion

Upon termination of the Service or upon your request:

  • We will provide you with a copy of all Personal Data processed on your behalf in a structured, commonly used, and machine-readable format
  • We will delete all Personal Data from our active systems within 30 days, unless retention is required by applicable law
  • Personal Data in backups will be deleted according to our standard backup rotation schedule

11. Audit Rights

We will make available to you information necessary to demonstrate compliance with this DPA. Upon reasonable notice and no more than once per year, you may audit our compliance with this DPA, subject to reasonable confidentiality obligations. Audits shall be conducted during normal business hours and shall not unreasonably interfere with our operations.

12. Term

This DPA remains in effect for the duration of our processing of Personal Data on your behalf. Obligations that by their nature should survive termination (including Sections 8, 10, and 11) will survive.

13. Contact

For questions about this DPA or to exercise rights under it, please contact:

Altivum Inc.
Email: privacy@altivum.ai

A product of Altivum Inc.