
Data processing

Data Processing Agreement (DPA).

This document describes how Alvo processes personal data on behalf of an enterprise customer (controller). It applies automatically when a customer uses the Service and processes third-party personal data through it.

Last updated 27 May 2026. Effective 27 May 2026.

1. Definitions

In this DPA the terms "personal data", "processing", "controller", "processor", "sub-processor", "data subject" carry the meanings from the GDPR (Regulation (EU) 2016/679) and the Ukrainian Law on Personal Data Protection.

2. Roles of the parties

The Customer (signatory or user of an enterprise account) is the controller of personal data processed through the Service.

Alvo is the processor — it processes personal data only on the Customer's instructions and to provide the Service under the Terms of Service.

3. Subject matter and scope

  • Types of personal data: user identifiers (email, names), session parameters, audit events, request metadata, data the Customer voluntarily uploads to the workspace.
  • Categories of data subjects: Customer's employees, representatives, persons authorized to access the Customer's account.
  • Duration: for the entire active subscription term plus 30 days of grace period for export.
  • Nature and purpose: providing the SaaS for trading decision support, authentication, billing, audit, technical support.

4. Alvo's obligations as processor

  • process personal data only on documented Customer instructions;
  • ensure that personnel with data access are bound by confidentiality;
  • implement technical and organizational security measures (section 6);
  • engage sub-processors only under terms no less strict than this DPA;
  • assist the Customer in responding to data-subject requests, public-authority inquiries, and DPIAs;
  • notify the Customer of personal-data breaches within 72 hours of becoming aware;
  • on Service termination, return or delete personal data at the Customer's choice.

5. Sub-processors

Alvo engages the sub-processors listed below to provide the Service. The Customer gives general consent to these engagements; we notify the Customer of additions at least 30 days before activation — the Customer may object and terminate the Service if the objection is reasonable.

| Sub-processor | Purpose | Region | Status | Data categories |
| --- | --- | --- | --- | --- |
| DigitalOcean, LLC (DPA) | Application + database hosting (alvo-web, alvo-api, Postgres, Redis) | Germany (Frankfurt — fra1) | Active | all tenant data, session tokens, audit events |
| WorkOS, Inc. (DPA) | Identity, authentication, SSO, MFA, organization directory | United States (EU SCC in place) | Active | email, name, organization, MFA secrets |
| Resend, Inc. (DPA) | Transactional email delivery (welcome, billing, password reset) | United States (EU SCC in place) | Active | email address, message content, delivery metadata |
| Cloudflare, Inc. (DPA) | DNS resolution for alvo.energy / alvo.live | Global anycast | Active | domain query metadata (no application data) |
| Paddle.com Market Limited (DPA) | EU subscription billing + Merchant of Record (EUR plans) | European Union (Ireland) | Planned | billing name, address, card last-4, VAT data |
| LiqPay (PrivatBank) (DPA) | Ukrainian subscription billing (UAH plans) | Ukraine | Planned | billing identifiers, transaction metadata |

Updated whenever a new sub-processor is enabled. Active sub-processors handle tenant data today; planned ones are integrated in code but inert until a tenant-initiated event (e.g. a Paddle / LiqPay payment) activates them.

6. Technical and organizational measures (TOMs)

  • TLS 1.2+ for all data in transit (alvo.energy / alvo.live via Caddy + Cloudflare DNS);
  • Server-side payload validation via zod schemas, no-store cache for API responses, rate limit 120 req/min per route/client fingerprint;
  • Strong identity via WorkOS (MFA, SSO, SCIM support);
  • API key secrets stored as SHA-256 hashes, soft-delete via revokedAt, lastUsedAt monitoring;
  • Separate audit_events log scoped per tenant, durable in Postgres;
  • Nightly encrypted Postgres backups with 14-day rotation and health-monitor alerts on miss;
  • Least-privilege on the droplet (alvo_deploy SSH key, restricted root access);
  • RBAC framework defined (owner/trader/analyst/risk/apiClient/auditor roles + 14 permissions); enforcement is activated via the customer-facing ALVO_RBAC_ENFORCED flag at production GA.

An expanded security whitepaper is available to enterprise customers under NDA — request at security@alvo.energy.

7. International data transfers

The primary processing environment is the European Union (DigitalOcean — Frankfurt (fra1)). Some sub-processors are located in the United States (WorkOS, Resend) — these transfers are governed by EU Standard Contractual Clauses (controller-processor and processor-sub-processor modules) and supplementary technical measures (encryption at rest + in transit, data minimization).

Customers can request copies of executed SCCs at legal@alvo.energy.

8. Assistance with data-subject rights

Alvo provides technical means for the Customer to respond to data-subject requests: data export via API/UI, account deletion plus related audit events after the grace period, access to structured data in JSON/CSV.

Alvo's response time on a Customer assistance request is up to 10 business days. Direct data-subject requests are routed to the controller (Customer).

9. Personal-data breaches

Alvo notifies the Customer of a confirmed personal-data breach within 72 hours of becoming aware, with a description of the breach nature, affected data-subject categories and counts, response actions, and pre-mortem information to help the Customer fulfill its regulator-notification obligations.

10. Audit and reports

The Customer has the right to audit DPA compliance no more than once a year (excluding confirmed incidents) with 30 days' notice. Audits are at the Customer's expense and must not breach other customers' data confidentiality.

On request we provide the current SOC 2 Type II report (planned for GA), penetration-test summary, or other available security certifications.

11. Duration, termination, and data return

This DPA is in effect from the start of processing until personal data are fully deleted or returned after Service termination.

On Service termination the Customer has 30 days to export data. After 30 days data are irreversibly deleted, except those required for legal compliance (accounting, audit — minimum necessary scope, retention per law).

12. Public data sources (not sub-processors)

The Service reads public market-data APIs. These sources do NOT process Customer personal data — we only query public time series. Listed for full transparency:

  • ENTSO-E Transparency Platform — EU electricity market data (prices, cross-border flows, load, generation)
  • OREE (Ринок електричної енергії) — Ukrainian DAM / IDM hourly prices
  • UEEX (Українська енергетична біржа) — Ukrainian BCM electricity indexes
  • NBU (Національний банк України) — Official UAH/EUR + UAH/USD reference rates
  • Open-Meteo — Weather data for load/generation context

13. DPO and legal contacts

Privacy / DPO: privacy@alvo.energy

Legal: legal@alvo.energy

Address: {{street, building, apt.}}, {{city}} {{XXXXX}}, Ukraine.

Need a signed DPA?

We send enterprise customers a personalized, signed DPA with EU SCCs and a sub-processor list current as of the signature date.

legal@alvo.energy