Skip to main content
Alauda Container Platform is included as an Honorable Mention in the 2024 Gartner® Magic Quadrant™ for DevOps Platforms
Get in Touch

Data Processing Addendum

 
This Data Processing Addendum ("DPA") forms part of, and is subject to, the Enterprise Agreement between Alauda Singapore Pte. Ltd. ("Alauda") and the customer identified in such agreement ("Customer") (together, the "Agreement").
 
This DPA reflects the parties' agreement on the processing of Personal Data in connection with support, implementation, and related professional services provided by Alauda.
 
---
 
1. Definitions
 
1.1 "Applicable Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data under the Agreement, including, where applicable:
(a) the Personal Data Protection Act 2012 of Singapore ("PDPA");
(b) the EU General Data Protection Regulation (EU) 2016/679 ("GDPR");
(c) the UK GDPR and UK Data Protection Act 2018;
(d) the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA); and
(e) any other applicable data protection laws or regulations, in each case as amended, replaced or superseded from time to time.
 
1.2 "Controller", "Processor", "Data Subject", "Personal Data", "processing", "Data Breach" (or "personal data breach"), and "Supervisory Authority" have the meanings given in Applicable Data Protection Laws. Where the PDPA applies, references to Controller and Processor include organization and data intermediary respectively.
 
1.3 "Support Services" means the support, maintenance, implementation, troubleshooting, consulting, and related professional services provided by Alauda under the Agreement, which may include on‑site services, remote access, and operation of Alauda's support portal/ticketing systems.
 
1.4 "Customer Personal Data" means any Personal Data in relation to which Customer is a Controller and which Alauda processes solely for the purpose of providing the Support Services, including personal data contained in support tickets, logs, configuration files, diagnostic data, screenshots, and any Personal Data accessible via remote or on‑site access to Customer's systems.
 
1.5 "Sub‑processor" means any third party engaged by Alauda to process Customer Personal Data on Alauda's behalf in connection with the Support Services.
 
---
 
2. Scope and roles
 
2.1 Support‑only processing. This DPA applies only to Alauda's processing of Customer Personal Data in the course of providing Support Services. Alauda does not provide general hosting of Customer's production workloads under this DPA.
 
2.2 Roles. For the purposes of processing Customer Personal Data:
 
* Customer is the Controller (or equivalent under Applicable Data Protection Laws); and
* Alauda is a Processor, data intermediary, service provider and/or contractor (as applicable under local law).
 
2.3 No change to data ownership. Nothing in this DPA transfers any ownership of Customer Personal Data. As between the parties, Customer remains the owner/controller of Customer Personal Data.
 
---
 
3. Subject matter, duration, nature and purpose of processing
 
3.1 Subject matter. The subject matter of processing is the Customer Personal Data described in Annex 1.
 
3.2 Duration. Processing will occur for the term of the Agreement and for such additional period as is necessary to:
 
* perform the Support Services; and
* comply with Applicable Data Protection Laws and legal obligations.
 
3.3 Nature and purpose. Alauda will process Customer Personal Data solely for the purposes of:
 
* providing the Support Services (on‑site and remote support, troubleshooting, implementation, configuration assistance, training);
* operating and improving the support portal and ticketing systems;
* maintaining appropriate records of support interactions;
* complying with Applicable Data Protection Laws and responding to lawful requests.
 
3.4 Types of data and data subjects. The types of Customer Personal Data and categories of Data Subjects are described in Annex 1.
 
---
 
4. Customer responsibilities (Controller obligations)
 
Customer shall:
 
4.1 ensure that it has a valid legal basis for processing Customer Personal Data and for allowing Alauda to process it for the Support Services;
 
4.2 provide all required notices to Data Subjects and obtain any required consents;
 
4.3 configure its systems and instructions to Alauda so as to minimise the inclusion of unnecessary personal data in logs, screenshots, or diagnostic files shared with Alauda;
 
4.4 not instruct Alauda to process Customer Personal Data in a manner that would violate Applicable Data Protection Laws.
 
---
 
5. Alauda obligations (Processor / data intermediary)
 
Alauda shall, in respect of Customer Personal Data:
 
5.1 Processing on documented instructions. Process Customer Personal Data only:
 
* on documented instructions from Customer (which include this DPA and the Agreement); and
* for the purposes described in Section 3, unless otherwise required by Applicable Data Protection Laws. In that case, Alauda will inform Customer (unless prohibited by law).
 
5.2 Confidentiality. Ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations (contractual or statutory) and receive appropriate data protection and security training.
 
5.3 Security. Implement appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature of processing and the risks involved. Details of Alauda's security measures may be made available upon request and may be updated over time to maintain an appropriate level of protection.
 
5.4 Sub‑processors.
 
(a) Customer generally authorizes Alauda to engage Sub‑processors to support the Support Services (for example, hosting providers for the support portal, ticketing platforms, communications tools).
(b) Alauda shall enter into a written agreement with each Sub‑processor that imposes data protection obligations no less protective than those set out in this DPA.
(c) Alauda shall remain responsible for the performance of its Sub‑processors.
(d) Alauda will provide Customer, upon request, with a list of current Sub‑processors for Support Services. Where required by Applicable Data Protection Laws, Alauda will provide advance notice of new Sub‑processors and allow Customer to object on reasonable, documented grounds relating to data protection.
 
5.5 Assistance with data subject rights. Taking into account the nature of the processing, Alauda shall provide reasonable assistance to Customer, upon request, to respond to Data Subject requests to exercise rights under Applicable Data Protection Laws (such as access, rectification, deletion, restriction, portability, or objection), insofar as such requests relate to Customer Personal Data and Alauda is able to identify and locate such data.
 
5.6 Assistance with compliance. Alauda shall, upon reasonable request, assist Customer with its obligations relating to:
 
* security of processing;
* personal data breach notifications;
* data protection impact assessments; and
* prior consultations with supervisory authorities,
 
in each case solely in relation to processing of Customer Personal Data by Alauda and to the extent reasonably required by Applicable Data Protection Laws.
 
5.7 Personal data breach notification. Upon becoming aware of a personal data breach affecting Customer Personal Data, Alauda shall:
 
* notify Customer without undue delay; and
* provide information reasonably required for Customer to meet its own legal obligations.
 
Alauda is not responsible for Customer's systems or incidents not caused by Alauda.
 
5.8 Data deletion or return.
 
* At the end of the Support Services relating to a particular ticket or project, Alauda will retain Customer Personal Data only as long as necessary for the purposes in Section 3 or as required by law (for example, to comply with audit, accounting or legal obligations).
* Upon termination or expiry of the Agreement, Customer may request deletion or return of Customer Personal Data processed by Alauda for Support Services, unless retention is required or permitted by law. Alauda may retain aggregated or anonymized information that does not identify any individual.
 
5.9 Audits and information.
 
* Alauda shall make available to Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA.
* Where required by Applicable Data Protection Laws and not sufficiently addressed by documentation or certifications, Customer may conduct (or have a third party conduct) an audit of Alauda's facilities and practices relevant to this DPA, subject to: reasonable prior written notice, non‑disclosure obligations, and limits on frequency (normally no more than once every 12 months) and scope to avoid disruption of Alauda's operations.
 
---
 
6. International transfers
 
6.1 Transfers by Alauda. As a Singapore‑headquartered company, Alauda may process Customer Personal Data in Singapore and in other countries where Alauda or its Sub‑processors operate, subject to this DPA.
 
6.2 PDPA (Singapore). Where the PDPA applies to the transfer of Personal Data out of Singapore, Alauda shall ensure that such transfers comply with the Transfer Limitation Obligation and that Customer Personal Data receives a standard of protection comparable to that under the PDPA, for example by:
 
* using contractual clauses or certifications recognized by the Singapore authorities; and/or
* ensuring that the overseas recipient is bound by legally enforceable obligations to provide comparable protection.
 
6.3 GDPR / UK GDPR. Where Alauda's processing involves the transfer of Customer Personal Data from the EEA, Switzerland or the UK to a country not recognized as providing adequate protection:
 
* the parties shall rely on appropriate transfer mechanisms such as Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful mechanisms; and
* this DPA shall be interpreted, where possible, consistently with such mechanisms.
 
6.4 Customer responsibilities. Customer is responsible for ensuring that its own transfers of Customer Personal Data to Alauda comply with Applicable Data Protection Laws (including any required transfer impact assessments).
 
---
 
7. CCPA/CPRA – service provider / contractor terms
 
To the extent the CCPA/CPRA applies and Customer discloses Personal Information (as defined in CCPA/CPRA) to Alauda:
 
7.1 Alauda shall act as a "service provider" and/or "contractor" (as defined under CCPA/CPRA) and shall:
 
* process Personal Information only for the limited and specific purpose of performing the Support Services and as otherwise permitted by CCPA/CPRA;
* not sell or share Personal Information;
* not retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement or as otherwise permitted by CCPA/CPRA;
* not combine Personal Information received from Customer with Personal Information from other sources, except as permitted by CCPA/CPRA (for example, for internal business operations or to detect security incidents).
 
7.2 Alauda shall notify Customer if it determines it can no longer meet its obligations under CCPA/CPRA in relation to Customer's Personal Information.
 
7.3 Customer may take reasonable and appropriate steps to ensure that Alauda uses Personal Information in a manner consistent with Customer's obligations under CCPA/CPRA, including by exercising audit rights in Section 5.9.
 
---
 
8. Hierarchy and conflict
 
8.1 In the event of any conflict between this DPA and the rest of the Agreement, this DPA shall prevail to the extent the conflict relates to the processing of Personal Data.
 
8.2 Nothing in this DPA limits either party's obligations under Applicable Data Protection Laws.
 
---
 
9. Term and termination
 
9.1 This DPA takes effect on the date the Agreement is executed (or, if later, the date the parties first began processing Customer Personal Data in connection with Support Services) and continues for as long as Alauda processes Customer Personal Data under the Agreement.
 
9.2 Termination of this DPA will automatically occur upon termination or expiry of the Agreement, subject to any surviving obligations set out in this DPA (including data deletion/retention and confidentiality).
 
---
 
10. Miscellaneous
 
10.1 Amendments. To the extent required by changes in Applicable Data Protection Laws or guidance from regulators, the parties will negotiate in good faith any necessary amendments to this DPA.
 
10.2 Governing law. This DPA is governed by the governing law and jurisdiction specified in the Agreement, unless Applicable Data Protection Laws require otherwise.
 
---
 
ANNEX 1 – DESCRIPTION OF PROCESSING
 
A. Categories of Data Subjects
 
Depending on how the Customer uses the Support Services, Customer Personal Data may relate to:
 
1. Customer's employees, contractors, and authorized users of Customer's systems and Alauda's Products (e.g., administrators, DevOps engineers, operators).
2. Other individuals whose Personal Data may appear in logs, configurations or diagnostic files shared by Customer (for example, internal users mentioned in log entries or system messages).
3. Customer contacts who use the support portal or communicate with Alauda (e.g., ticket submitters, technical contacts, escalation contacts).
 
B. Types of Customer Personal Data
 
Typical types of Customer Personal Data processed during Support Services include:
 
1. Identification and contact data:
 
   * names, job titles, roles;
   * business email addresses, usernames, login IDs;
   * business phone numbers;
   * organization, department, team.
 
2. Technical and device data (linked to individuals):
 
   * IP addresses and hostnames associated with users or admin machines;
   * user IDs within Customer's systems;
   * authentication, authorization, and audit trail entries relating to specific users (e.g., actions, timestamps).
 
3. Support and diagnostic data:
 
   * ticket content and communications;
   * logs, stack traces, and configuration files that may include identifiers (usernames, email addresses, project names, cluster names);
   * screenshots or recordings shared for troubleshooting;
   * metadata about clusters, nodes, workloads, and services, to the extent linked or linkable to individuals.
 
4. Other data:
 
   * any additional Personal Data that Customer chooses to include in materials or systems to which Alauda is given access as part of the Support Services.
 
Customer agrees to avoid including special or sensitive categories of Personal Data (such as health, biometric, financial account numbers, or government ID numbers) in support materials wherever reasonably possible.
 
C. Nature and purpose of processing
 
* Accessing, viewing, storing (temporarily), and analyzing Customer Personal Data in support logs, tickets, and systems in order to:
 
  * diagnose and resolve incidents;
  * assist with deployments, upgrades, migrations, configurations, and performance tuning;
  * provide advice and recommendations;
  * maintain records of support interactions.
* Communicating with Customer about support issues by email, portal, chat, or other agreed channels.
* Maintaining and improving Alauda's support processes and tools, including the ticketing system.
 
D. Duration of processing
 
* For each support case or engagement: from the time the relevant Personal Data is first provided or accessed by Alauda until the earlier of:
 
  * resolution/closure of the case plus a reasonable retention period in line with Section 5.8; or
  * termination or expiry of the Agreement, subject to any legal obligations to retain certain records.