1. Purpose and Scope
This Data Processing Addendum applies when Align processes Customer Personal Data on behalf of Customer as part of the Services.
This DPA is incorporated into the Agreement. If there is a conflict between this DPA and the Agreement regarding processing of Customer Personal Data, this DPA controls only for that conflict.
2. Roles of the Parties
Customer is the controller, business, or equivalent party that determines the purposes and means of processing Customer Personal Data. Align is the processor, service provider, contractor, or equivalent party that processes Customer Personal Data on behalf of Customer.
Where Customer acts as a processor for another controller, Customer appoints Align as a subprocessor.
3. Processing Instructions
Align will process Customer Personal Data only to provide the Services, comply with documented Customer instructions, comply with law, protect the Services, and as otherwise permitted by the Agreement.
Customer instructions include the Agreement, Documentation, Customer account settings, API calls, workflow configuration, support requests, and other written instructions accepted by Align.
4. Details of Processing
| Item | Description |
|---|---|
| Subject matter | Hosted project and entry tracking, client portal, cost and invoicing, GitHub and release management, approvals, AI workflows, API, dashboard, webhook, audit, email, storage, billing, and support services. |
| Duration | The subscription term plus any retention, deletion, backup, legal hold, or transition period required by the Agreement or law. |
| Nature and purpose | Hosting, storing, transmitting, rendering, routing, approving, notifying, logging, supporting, and securing Customer Content and related workflows. |
| Data subjects | Customer administrators, Authorized Users, clients, contacts, developers, support contacts, and individuals named in Customer Content. |
| Data categories | Name, email, account identifiers, authentication records, IP address, user agent, project and entry data, client and contact records, invoice and payment metadata, field values, audit events, webhook configuration, support data, and other data submitted by Customer. |
| Sensitive data | Only if Customer submits sensitive data and such submission is permitted by the Agreement. Customer is responsible for ensuring a lawful basis and required safeguards. |
5. Confidentiality
Align will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations or professional duties of confidentiality.
6. Security Measures
Align will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
Security measures are described in the Data Protection and Security Addendum and may be updated from time to time, provided that updates do not materially reduce overall protection during the subscription term.
7. Subprocessors
Customer authorizes Align to engage subprocessors to provide the Services. Align will maintain a Subprocessor List and will impose written data protection obligations on subprocessors that are no less protective in substance than those in this DPA.
Align remains responsible for subprocessor performance to the extent required by applicable data protection law.
Customer may object to a new subprocessor on reasonable data protection grounds within thirty days after notice. If Align cannot reasonably resolve the objection, Customer may terminate the affected Services as its sole remedy for the objection.
8. Data Subject Requests
Align will provide reasonable assistance to Customer for data subject requests to the extent Customer cannot fulfill the request through the Services and the request relates to Customer Personal Data processed by Align.
If Align receives a request directly from a data subject regarding Customer Personal Data, Align may refer the request to Customer unless legally prohibited.
9. Security Incidents
Align will notify Customer without undue delay after confirming a Security Incident involving Customer Personal Data. The notice will include information reasonably available to Align, which may include the nature of the incident, affected data, affected data subjects, likely consequences, mitigation measures, and contact information.
Align's notification of a Security Incident is not an admission of fault or liability.
10. Assistance and Compliance
Taking into account the nature of processing and information available to Align, Align will provide reasonable assistance with Customer data protection impact assessments, prior consultations, records of processing, and security obligations where required by applicable law.
11. Audit Rights
Align will make available information reasonably necessary to demonstrate compliance with this DPA. Align may satisfy this obligation through security documentation, certifications, audit reports, policies, questionnaires, or written responses.
On-site audits may occur only where required by applicable law, after reasonable notice, during normal business hours, no more than once annually unless required by a regulator or confirmed Security Incident, and subject to confidentiality and security restrictions.
12. Return and Deletion
Upon termination or expiration of the Services, Align will return or delete Customer Personal Data according to the Agreement, Retention and Deletion Policy, account settings, backup cycles, and legal requirements.
Align may retain Customer Personal Data where required by law, necessary for legal claims, subject to legal hold, or stored in backups until overwritten under standard backup retention cycles.
13. International Transfers
If Customer Personal Data is transferred internationally in a way that requires a transfer mechanism, the parties will use an appropriate lawful transfer mechanism. Where the EU Standard Contractual Clauses are required, the applicable module will be incorporated by reference and completed by the annexes in this DPA.
14. United States State Privacy Laws
To the extent Customer Personal Data is subject to United States state privacy laws, Align will process Customer Personal Data as a service provider, processor, or contractor and will not sell Customer Personal Data, share Customer Personal Data for cross-context behavioral advertising, retain, use, or disclose Customer Personal Data outside the business purpose of providing the Services, or combine Customer Personal Data with other personal information except as permitted by law.
15. Liability
All liability arising under or related to this DPA is subject to the exclusions and limitations of liability in the Agreement. This DPA does not create a separate, additional, or uncapped liability pool.
To the maximum extent permitted by law, Align's total aggregate liability for DPA, privacy, security, data breach, and Customer Personal Data claims will not exceed the total SaaS fees paid and payable by Customer for the affected Services during the twelve months immediately preceding the first event giving rise to liability.
Annex 1. Processing Description
The processing description in Section 4 of this DPA is incorporated as Annex 1.
Annex 2. Technical and Organizational Measures
The Data Protection and Security Addendum is incorporated as Annex 2.
Annex 3. Subprocessors
The then-current Subprocessor List is incorporated as Annex 3.
Last reviewed: June 5, 2026 · Version 1.0 · Published.