
Data Processing Addendum

Last updated: May 2026. Generate a signable PDF cover-sheet at /api/legal/dpa.pdf (URL params: customer, signer, title) or email dpa@aclamos.app for an Aclamos-countersigned copy.

This DPA forms part of the Aclamos Terms of Service when you (the "Customer", a controller) use Aclamos, Inc. ("Aclamos", a processor) to process personal data subject to GDPR, UK GDPR, the EU-US DPF, the Swiss-US DPF, the CCPA/CPRA, or comparable laws.

Scope

Customer is the controller of personal data submitted to its awards shows or polls (e.g., nominator emails, nominee addresses). Aclamos is the processor. Aclamos processes data only on documented Customer instructions, embodied in these Terms and the running configuration of Customer's account.

Categories of data

  • Identifiers: names, emails, optional phone, optional addresses (via Google Places).
  • Submission content: text, photos, video, documents Customer chooses to collect.
  • Operational: judge / voter / member metadata, IP hashes, user-agent strings.
  • Payment metadata via Stripe (card details never reach Aclamos).

Sub-processors

Current list (with regions):

  • Railway, Inc. — application + Postgres + Redis (US-East / EU-West / AU-Sydney; one selected per Customer org).
  • Cloudflare, Inc. — R2 object storage (US / EU); Turnstile bot prevention.
  • Stripe, Inc. — payments (US, with EU sub-processors).
  • Resend, Inc. — transactional email (US).
  • Twilio, Inc. — SMS (US, with global carriers).
  • Anthropic, PBC — AI features. Prompts are processed under Anthropic's zero-retention / no-training policy.
  • Google LLC — Maps Places API only (queries proxied server-side).

We notify Customers of sub-processor changes ≥ 30 days in advance via email and via the changelog. Customer may object, in which case we'll work in good faith to provide an alternative or, failing that, allow Customer to terminate.

Security measures

See /security for the full controls list. Highlights: TLS 1.2+ in transit; AES-256 at rest; argon2id passwords; signed/expiring upload URLs; AES-256-GCM application-layer encryption for OAuth tokens; per-tenant data isolation enforced at the query layer; daily encrypted Postgres backups with 30-day retention; immutable audit log; SOC 2 controls in place.

International transfers

Where applicable, Standard Contractual Clauses (SCCs, 2021 module 2) and the UK Addendum apply. Aclamos relies on the EU-US DPF for transfers from the EU to the US.

Data subject rights

Aclamos will assist Customer in responding to data-subject requests within 30 days. Direct requests by data subjects to Aclamos will be forwarded to the appropriate Customer.

Breach notification

Aclamos will notify Customer within 72 hours of becoming aware of a personal-data breach affecting Customer data, with the information required by Article 33 GDPR.

Term & termination

This DPA runs for as long as Aclamos processes Customer data. On termination, Aclamos will, at Customer's election, return or delete all Customer personal data within 30 days (subject to legal retention requirements).
