Data Processing Addendum

Effective date: July 15, 2026. This DPA is a standard-form document that Alphana, Inc. offers to its business and enterprise customers and forms part of the Agreement between Alphana and the Customer.

Owner: Alphana, Inc. · Contacts: privacy@visuals.fm · security@visuals.fm


Preamble

This Data Processing Addendum, including its Annexes ("DPA"), forms part of the agreement between the customer identified in the applicable order form or agreement ("Customer") and Alphana, Inc. ("Alphana," "we," or the "Processor") for the provision of the Visuals services ("Services") (the "Agreement").

Alphana, Inc. is a Delaware corporation with a principal office and notice address at 382 NE 191st St, PMB 31968, Miami, FL 33179, United States. Notices under this DPA may be sent to privacy@visuals.fm (privacy matters) or security@visuals.fm (security matters).

This DPA applies where Alphana Processes Customer Personal Data on Customer's behalf in connection with the Services. Customer is the Controller (or, where Customer is itself a processor, a processor acting for a third-party controller) and Alphana is the Processor (or sub-processor). If there is a conflict between this DPA and the rest of the Agreement on the subject of the Processing of Personal Data, this DPA controls. Where a customer's negotiated agreement sets a stricter or more specific standard, that agreement controls for that customer.

Acceptance and execution. This DPA becomes binding, and is incorporated into the Agreement, when Customer executes an order form that references this DPA, executes this DPA as a standalone document, or accepts this DPA in the account or as part of subscribing to or using the Services. No signature block is required for the DPA to take effect; where the parties choose to sign it, the signatures on the Agreement or order form are deemed to apply to this DPA. The individual accepting this DPA represents that they are authorized to bind Customer.


1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement or in Data Protection Laws.

1.1 "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: the EU General Data Protection Regulation 2016/679 ("GDPR"); the GDPR as incorporated into the law of the United Kingdom ("UK GDPR") and the UK Data Protection Act 2018; the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); and other U.S. state privacy laws and comparable data protection or privacy laws.

1.2 "Controller," "Processor," "Data Subject," "Personal Data," "Processing" (and "Process"), "Personal Data Breach," and "Supervisory Authority" have the meanings given in the GDPR. Where CCPA/CPRA applies, "Business," "Service Provider," "Consumer," "Personal Information," "Sell," and "Share" have the meanings given in that law, and "Controller" reads as "Business," "Processor" reads as "Service Provider," and "Personal Data" reads as "Personal Information" as the context requires.

1.3 "Customer Personal Data" means Personal Data contained within Customer Content or otherwise provided by or on behalf of Customer, or generated for Customer, that Alphana Processes on Customer's behalf in performing the Services.

1.4 "Customer Content" means the content, files, prompts, and materials Customer or its authorized users submit to the Services, and the outputs generated for Customer, as defined in the Agreement.

1.5 "Sub-processor" means any third party engaged by Alphana that Processes Customer Personal Data on Alphana's behalf in connection with the Services, including AI and media-generation model and inference providers.

1.6 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission in Decision 2021/914, and, for the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner ("UK Addendum").

1.7 "Technical and Organizational Measures" or "TOMs" means the security measures described in Annex A.

1.8 "Data Subject Request" means a request from a Data Subject to exercise a right under Data Protection Laws (for example, access, correction, deletion, portability, restriction, or objection).


2. Roles and Scope of Processing

2.1 Roles. With respect to Customer Personal Data, Customer is the Controller and Alphana is the Processor. Where Customer acts as a processor for a third-party controller, Alphana acts as a sub-processor, and Customer is responsible for the third-party controller's authorizations and instructions.

2.2 Scope. Alphana Processes Customer Personal Data only to provide, support, secure, and improve the Services as described in the Agreement and this DPA. The subject matter, duration, nature and purpose of Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex C (Details of Processing).

2.3 CCPA/CPRA. Alphana acts as a Service Provider. Alphana does not Sell or Share Customer Personal Data, does not retain, use, or disclose it for any purpose other than performing the Services (or as otherwise permitted by the CCPA/CPRA), does not retain, use, or disclose it outside the direct business relationship, and does not combine it with Personal Information from other sources except as permitted by the CCPA/CPRA. Alphana certifies it understands and will comply with these restrictions.


3. Processing Instructions

3.1 Documented instructions. Alphana Processes Customer Personal Data only on Customer's documented instructions, including as set out in the Agreement, this DPA, and Customer's configuration and use of the Services, unless required to do otherwise by applicable law. If Alphana is required by law to Process beyond Customer's instructions, it will inform Customer of that legal requirement before Processing, unless the law prohibits it.

3.2 Lawfulness. Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and for having a valid legal basis for the Processing and for its instructions. Customer's instructions must comply with Data Protection Laws.

3.3 Notice of unlawful instruction. Alphana will inform Customer if, in its opinion, an instruction infringes Data Protection Laws. Alphana may pause the affected Processing (without liability) until the instruction is confirmed, amended, or withdrawn.


4. Confidentiality and Personnel

4.1 Confidentiality. Alphana ensures that personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations or an appropriate statutory duty of confidentiality, and are trained on their data-protection and security responsibilities.

4.2 Access limitation. Alphana limits access to Customer Personal Data to personnel who need it to perform the Agreement, under least-privilege and role-based access controls.

4.3 Background screening. Alphana conducts background screening, to the extent permitted by applicable law, on personnel who will have access to Customer Personal Data, consistent with Alphana's background-screening policy.


5. Security Measures

5.1 TOMs. Alphana implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against a Personal Data Breach, as described in Annex A. These measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects.

5.2 Evolving measures. Alphana may update the TOMs from time to time, provided the updates do not materially reduce the overall level of protection of Customer Personal Data.

5.3 Customer responsibilities. Customer is responsible for its own use and configuration of the Services, including access management for its users, and for assessing whether the Services meet Customer's security requirements.


6. Sub-processors

6.1 Authorization. Customer authorizes Alphana to engage Sub-processors to Process Customer Personal Data, subject to this Section 6. Alphana's current Sub-processors, and the categories of Sub-processors (including AI and media-generation model and inference providers), are identified in Annex B and on Alphana's published Sub-processor list.

6.2 Notice of changes. Alphana maintains a current, accurate Sub-processor list and publishes it (for example, on a Trust Center). Alphana will give Customer at least 30 days' advance notice before a new or replacement Sub-processor begins Processing Customer Personal Data, via the published list and notice to Customer's subscribed or designated contact. Where Customer has given general authorization for a category of Sub-processor (for example, AI and media-generation model providers), routine changes within that category are handled by updating the published list, and the 30-day advance notice is not required for changes within the authorized category.

6.3 Objection. Customer may object to a new Sub-processor on reasonable, documented data-protection grounds within 30 days of the notice. The parties will work together in good faith to resolve the objection. If it cannot be resolved, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services that cannot be provided without the objected-to Sub-processor, and receive a pro-rata refund of any prepaid fees for the terminated portion. Alphana may enable the Sub-processor for other customers in the meantime.

6.4 Flow-down. Alphana imposes on each Sub-processor, by written contract, data-protection obligations that are no less protective than those in this DPA, before the Sub-processor Processes Customer Personal Data.

6.5 Liability. Alphana remains responsible for the acts and omissions of its Sub-processors with respect to Customer Personal Data as if they were Alphana's own.

6.6 Negotiated upgrades. The 30-day advance-notice and 30-day objection windows in this Section 6 are Alphana's standard defaults. Alphana may agree to a longer window in a negotiated enterprise agreement; for example, the Universal Music agreement uses a 45-day objection window. Any such longer window applies only where it is set out in that customer's signed agreement.


7. Assistance with Data Subject Requests

7.1 Direct requests. If Alphana receives a Data Subject Request that relates to Customer Personal Data where Alphana is the Processor, Alphana will not respond directly, except to confirm that the request relates to Customer, and will promptly notify Customer.

7.2 Assistance. Taking into account the nature of the Processing, Alphana will provide reasonable assistance (including appropriate technical and organizational measures, insofar as possible) to enable Customer to respond to Data Subject Requests and to fulfill Customer's obligations to Data Subjects under Data Protection Laws.

7.3 No independent action. Alphana will not access, correct, delete, restrict, or otherwise action Customer Personal Data in response to a Data Subject Request except on Customer's documented instruction, unless required by applicable law.


8. Assistance with DPIAs, Consultations, and Compliance

8.1 Taking into account the nature of the Processing and the information available to Alphana, Alphana will provide reasonable assistance to Customer with: (a) data protection impact assessments ("DPIAs"); (b) prior consultations with Supervisory Authorities; and (c) Customer's obligations to keep Customer Personal Data secure, notify Personal Data Breaches, and demonstrate compliance, in each case in relation to the Services.


9. Personal Data Breach Notification

9.1 Notice. Alphana will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and, in any event, no later than 72 hours after Alphana confirms the Personal Data Breach. Notice will be sent to Customer's designated security or privacy contact. A Personal Data Breach includes actual or reasonably suspected unauthorized access, acquisition, loss, alteration, destruction, or disclosure of Customer Personal Data, including such incidents at a Sub-processor that affect Customer Personal Data.

9.2 Content and updates. The notice will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed. Where Alphana cannot provide all information at once, it may provide it in phases without undue further delay.

9.3 Report and remediation. On Customer's request, Alphana will provide a written incident report covering detection, investigation, containment, mitigation, and remediation, together with a corrective action plan to prevent recurrence.

9.4 No notification on Customer's behalf. Alphana will not notify any Supervisory Authority, regulator, or Data Subject of a Personal Data Breach on Customer's behalf without Customer's prior written instruction, unless required to do so by applicable law. Determining whether and how to notify Supervisory Authorities and affected individuals of a breach affecting Customer Personal Data is Customer's responsibility as Controller.

9.5 No admission. Alphana's notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability.

9.6 Negotiated upgrades. The 72-hour notification window is Alphana's standard default. Alphana may agree to a shorter window in a negotiated enterprise agreement; for example, the Universal Music agreement uses a 24-hour window. Any such shorter window applies only where it is set out in that customer's signed agreement.


10. Government and Law-Enforcement Requests

10.1 Notice. If Alphana receives a legally binding request from a government authority, law-enforcement agency, court, or other third party to disclose Customer Personal Data, Alphana will notify Customer of the request unless legally prohibited from doing so.

10.2 Minimize and delay. Alphana will disclose only the minimum Customer Personal Data legally required, and will seek to delay disclosure as far as the law allows so that Customer has the opportunity to seek a protective order or otherwise challenge the request.

10.3 Challenge overbroad requests. Alphana will challenge, and seek to narrow, redirect, or reject, any request that is overbroad, unlawful, or lacks a valid legal basis, unless legally prohibited from doing so. Alphana does not provide any government authority with direct, unfettered access to Customer Personal Data, encryption keys, or systems, and does not voluntarily assist government surveillance.


11. International Data Transfers

11.1 Primary location. Alphana Processes Customer Personal Data primarily in the United States (US East). Sub-processor locations are identified on the published Sub-processor list.

11.2 Transfer mechanism. Where Alphana Processes Personal Data that is subject to GDPR, UK GDPR, or Swiss data protection law and transfers it to a country that does not provide an adequate level of protection, the parties agree that the applicable transfer mechanism will apply as follows: (a) the EU SCCs are incorporated by reference and completed using the information in the Annexes. Module Two (Controller-to-Processor) applies where Customer is a Controller, and Module Three (Processor-to-Processor) applies where Customer is itself a processor acting for a third-party controller. The optional docking clause is included; the option for onward transfers is included; the parties select the option under Clause 17 that the SCCs are governed by the law of Ireland; and, under Clause 18, disputes are resolved before the courts of Ireland; and (b) for UK transfers, the UK Addendum applies to and amends the EU SCCs.

11.3 Order of precedence. If there is a conflict between the SCCs and this DPA, the SCCs control with respect to the transfer they govern.

11.4 Alternative mechanisms. If a transfer mechanism is invalidated or changed, the parties will work in good faith to implement a valid alternative. Alphana does not rely on the EU-U.S. Data Privacy Framework and is not self-certified to it.


12. Return and Deletion of Data

12.1 On termination. On expiry or termination of the Agreement, or earlier on Customer's written instruction, Alphana will delete or return Customer Personal Data, at Customer's election, and delete existing copies, unless applicable law requires continued storage. Absent Customer instruction within a reasonable period, Alphana may delete Customer Personal Data in accordance with its retention and secure-disposal policy.

12.2 Standard retention. Except where Customer instructs otherwise, Customer Content is retained while the account is active plus 30 days, then securely deleted, and backups age out on a 7-day rolling basis. Transaction logs, audit logs, and financial records are retained for the periods required by law and Alphana's retention policy.

12.3 Certification. On Customer's request, Alphana will provide written certification of deletion identifying the data deleted, the method, and the date of deletion.

12.4 Legal hold. A legal hold or other legal preservation obligation overrides deletion for the affected data until the hold is lifted.


13. Audits and Assurance

13.1 Reports. Alphana will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, including, on request, its then-current SOC 2 report or an executive summary and, where applicable, summaries of penetration-test results, no more than once per 12-month period (and additionally after a Personal Data Breach affecting Customer Personal Data).

13.2 Audit. Where reports are insufficient to demonstrate compliance, or where required by Data Protection Laws (including Article 28(3)(h) GDPR), Customer may audit Alphana's compliance with this DPA no more than once per 12-month period, on at least 30 days' prior written notice, during business hours, subject to confidentiality obligations, without unreasonably disrupting Alphana's operations, and not extending to other customers' data or to information that would compromise security. Customer bears its own audit costs. The parties will agree on scope and timing in advance; a qualified independent auditor may be used (not a competitor of Alphana).


14. No Training on Customer Personal Data

14.1 Alphana does not use the Customer Content, Customer Personal Data, prompts, uploaded materials, or generated outputs to train, fine-tune, or otherwise develop generative AI models, and does not permit its providers to do so.

14.2 Aggregated, de-identified usage data. Alphana may collect and use aggregated and de-identified data about the operation, performance, reliability, and usage of the Services to operate, secure, benchmark, and improve the Services. This usage data does not identify any Customer, user, or individual, and does not include Customer Content, prompts, or outputs in any form recognizable as a Customer's content. Where a customer agreement further limits this use, that agreement governs.


15. General

15.1 Term. This DPA takes effect on the effective date of the Agreement and continues until Alphana has ceased all Processing of Customer Personal Data.

15.2 Liability. Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.

15.3 Order of precedence. This DPA supplements the Agreement. On the subject of Processing of Personal Data, this DPA controls over conflicting terms in the Agreement, and the SCCs control over conflicting terms in this DPA.

15.4 Governing law. Except where Data Protection Laws or the SCCs require otherwise, this DPA is governed by the governing law of the Agreement.

15.5 Changes. Alphana may update this DPA to reflect changes in Data Protection Laws or its Services, provided the changes do not materially reduce the protections for Customer Personal Data.


Annex A — Technical and Organizational Measures

Alphana maintains an information security program aligned to the SOC 2 Trust Services Criteria, reviewed at least annually, that includes at least the following measures. Alphana Processes Customer Personal Data primarily in the United States (US East), on infrastructure provided by its Sub-processors.

A.1 Encryption. Customer Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 (or stronger). Encryption at rest applies to all data stores holding Customer Personal Data, including backups and snapshots, and is not contingent on optional provider settings. Encryption keys are managed in a managed vault or cloud KMS under least-privilege access, and are rotated at least annually or on suspected compromise.

A.2 Access control and tenant isolation. Access to Customer Personal Data is role-based and least-privilege. Customer data is logically separated between tenants, including through row-level security (RLS) tenant isolation. Access is reviewed periodically, and credentials are revoked promptly on personnel changes.

A.3 Authentication. Multi-factor authentication (MFA) is required for administrative and privileged access to systems that Process Customer Personal Data. Passwords meet defined complexity and length requirements, and sessions time out after a defined idle period. Secrets and API keys are stored in a secrets manager or environment variables, never in source code.

A.4 Logging and monitoring. Security-relevant events are logged and monitored, with alerting to an incident channel. Logs are access-restricted and designed to avoid capturing unnecessary sensitive data.

A.5 Vulnerability and patch management. Alphana performs regular vulnerability scanning and remediates identified vulnerabilities on a risk-based timeline: Critical vulnerabilities within 15 days (or within 72 hours where actively exploited), and lower-severity vulnerabilities on defined timelines thereafter. Alphana conducts periodic manual review and an annual independent penetration test.

A.6 Backups and resilience. Alphana maintains encrypted backups on a 7-day rolling basis (daily backups) with defined recovery objectives, and periodically tests backup expiry and restoration.

A.7 Incident response. Alphana maintains a documented incident-response program with defined roles, runbooks, detection and reporting, containment and eradication, breach-notification procedures (see Section 9), and post-incident review.

A.8 Personnel security. Personnel are subject to confidentiality obligations, security and privacy training, and background screening (to the extent permitted by law) where they have access to Customer Personal Data.

A.9 Vendor and Sub-processor management. Alphana conducts security due diligence on Sub-processors, requires written data-protection flow-down, and monitors Sub-processors on a risk-based schedule.


Annex B — Sub-processors

Alphana maintains a current, accurate Sub-processor list, which is available on request and will be published on Alphana's Trust page on its website (coming soon), where Customers may subscribe to change notifications. The published list is the authoritative and most current source; the table below is illustrative as of the effective date and does not limit Alphana's published list.

Sub-processorPurposePrimary location
VercelApplication hosting and deliveryUnited States
SupabaseDatabase, storage, and backupsUnited States
Amazon Web Services (AWS)Cloud infrastructure and storageUnited States (US East)
StripePayment processingUnited States
AI and media-generation providers (category)AI model inference and media generation used to deliver the Services (for example, text, image, video, and audio generation and processing)United States / provider locations per published list

Category authorization. Customer's authorization of the "AI and media-generation providers" category permits Alphana to add, remove, or swap providers within that category by updating the published Sub-processor list, subject to the flow-down and liability terms in Section 6. Customers who have not granted category authorization receive the 30-day advance notice in Section 6.2 before a new provider in this category Processes their Customer Personal Data.


Annex C — Details of Processing

Subject matter. Alphana's provision of the Services (the Visuals AI visual engine for music teams) to Customer under the Agreement.

Duration. For the term of the Agreement, plus the retention and deletion periods described in Section 12.

Nature and purpose. Hosting, processing, and generation of visual and related media content, and the operation, support, security, and improvement of the Services.

Types of Personal Data. Personal Data contained in Customer Content and in account and administration data. This typically includes account and user identifiers such as names, email addresses, and user account IDs, together with any Personal Data that Customer or its users choose to include in uploaded content, prompts, or generated outputs (which may include images or audio depicting individuals). Customer controls what it submits and is responsible for not submitting special-category data unless agreed in writing.

Categories of Data Subjects. Customer's authorized users and administrators, and individuals appearing in or identified by Customer Content (for example, artists, performers, and other individuals depicted in or referenced by the media Customer processes through the Services).

Frequency of transfer. Continuous, for the duration of the Agreement.

Questions about this policy? Contact us at privacy@visuals.fm