
Data Processing Addendum

Last updated: May 2026. Generate a signable PDF cover-sheet at /api/legal/dpa.pdf (URL params: customer, signer, title) or email dpa@aclamos.app for an Aclamos-countersigned copy.

This DPA forms part of the Aclamos Terms of Service when you (the "Customer", a controller) use Toronado Entertainment, LLC, doing business as Aclamos ("Aclamos", a processor) to process personal data subject to GDPR, UK GDPR, the EU-US DPF, the Swiss-US DPF, the CCPA/CPRA, or comparable laws.

Scope

Customer is the controller of personal data submitted to its awards shows or polls (e.g., nominator emails, nominee addresses). Aclamos is the processor. Aclamos processes data only on documented Customer instructions, embodied in these Terms and the running configuration of Customer's account.

Categories of data

  • Identifiers: names, emails, optional phone, optional addresses (via Google Places).
  • Submission content: text, photos, video, documents Customer chooses to collect.
  • Operational: judge / voter / member metadata, IP hashes, user-agent strings.
  • Payment metadata via Stripe (card details never reach Aclamos).

Sub-processors

Current list (with regions):

  • Railway, Inc. — application + Postgres + Redis (US-East / EU-West / AU-Sydney; one selected per Customer org).
  • Cloudflare, Inc. — R2 object storage (US / EU); Turnstile bot prevention.
  • Stripe, Inc. — payments (US, with EU sub-processors).
  • Resend, Inc. — transactional email (US).
  • Twilio, Inc. — SMS (US, with global carriers).
  • Anthropic, PBC — AI features. Prompts are processed under Anthropic's zero-retention / no-training policy.
  • Google LLC — Maps Places API only (queries proxied server-side).

We notify Customers of sub-processor changes ≥ 30 days in advance via email and via the changelog. Customer may object, in which case we'll work in good faith to provide an alternative or, failing that, allow Customer to terminate.

Security measures

See /security for the full controls list. Highlights: TLS 1.2+ in transit; AES-256 at rest; argon2id-hashed passwords; signed/expiring upload URLs; AES-256-GCM application-layer encryption for OAuth tokens; per-tenant data isolation enforced at the query layer; daily encrypted Postgres backups with 30-day retention; immutable audit log; SOC 2 controls in place.

International transfers

Where applicable, Standard Contractual Clauses (SCCs, 2021 module 2) and the UK Addendum apply. Aclamos relies on the EU-US DPF for transfers from the EU to the US.

Data subject rights

Aclamos will assist Customer in responding to data-subject requests within 30 days. Direct requests by data subjects to Aclamos will be forwarded to the appropriate Customer.

Breach notification

Aclamos will notify Customer within 72 hours of becoming aware of a personal-data breach affecting Customer data, with the information required by Article 33 GDPR.

Term & termination

This DPA runs for as long as Aclamos processes Customer data. On termination, Aclamos will, at Customer's election, return or delete all Customer personal data within 30 days (subject to legal retention requirements).

Customer obligations

Customer represents and warrants that (a) Customer has the lawful basis and any required consents to make the Customer Data available to Aclamos, (b) the instructions Customer gives to Aclamos through its configuration of the Service comply with applicable data-protection law, (c) Customer is responsible for responding to data-subject requests directed to it as controller, with Aclamos's assistance as described above, (d) Customer will not direct Aclamos to process data in a way that exceeds the scope of this DPA, and (e) Customer is responsible for the accuracy of the data it brings into the Service.

Liability

Liability under this DPA is subject to the limitations of liability set out in the Aclamos Terms of Service. Neither party limits its liability where such limitation would not be permitted under applicable data-protection law (e.g., Article 82 GDPR for direct claims by data subjects).

Governing law

This DPA is governed by the laws of the State of Florida, USA, without regard to its conflict-of-laws rules. The exclusive venue for any dispute under this DPA is Sumter County, Florida — except that EU and UK consumers retain mandatory consumer-protection rights under their local law. See the Terms § 14 for the full arbitration + venue clause, which applies to this DPA equally.

Order of precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA controls with respect to data-processing matters. Both documents control over any prior communications or representations on the same subject matter.
