Alignex

Data Processing Agreement

Last updated: 15 April 2026

This Data Processing Agreement (“DPA”) forms part of the contract between Hayley Charlton Ltd (“Processor”) and the subscribing organisation (“Controller”) and governs the processing of personal data by Alignex in accordance with UK GDPR and the Data Protection Act 2018.

1. Definitions

“Controller” means the organisation that has subscribed to Alignex and determines the purposes of processing. “Processor” means Hayley Charlton Ltd, which processes personal data on behalf of the Controller. “Data Subject” means any individual whose personal data is processed through the service, including diagnostic respondents and dashboard users.

2. Subject matter and nature of processing

The Processor provides organisational alignment diagnostic services. Processing activities include: collection of diagnostic survey responses; storage and analysis of response data; generation of aggregated reports; and provision of dashboard access to authorised users. Processing is carried out solely for the purpose of providing the Alignex service.

3. Categories of data subjects and personal data

Data subjects include employees and contractors of the Controller who complete diagnostic surveys, and individuals with dashboard access. Personal data processed includes: names and email addresses of dashboard users; anonymous diagnostic response data; and metadata such as completion timestamps.

Diagnostic response data is anonymised at the point of collection and cannot be attributed to individual respondents within the platform.

4. Processor obligations

The Processor shall: process personal data only on documented instructions from the Controller; ensure that persons authorised to process data are bound by confidentiality obligations; implement appropriate technical and organisational security measures; assist the Controller in fulfilling data subject rights requests; delete or return all personal data upon termination; and make available all information necessary to demonstrate compliance with this DPA.

5. Security measures

The Processor implements the following security measures: encryption of data in transit (TLS 1.2+) and at rest; access controls and mandatory two-factor authentication; role-based access limiting data visibility to authorised users; regular security reviews; and incident response procedures. Data is stored within the EU (AWS eu-west-1, Ireland).

6. Sub-processors

The Processor uses the following sub-processors, each subject to data processing agreements providing equivalent protections:

  • Supabase Inc — database hosting and authentication (EU hosted, AWS eu-west-1)
  • Vercel Inc — application hosting (EU region)
  • Resend Inc — transactional email delivery
  • Stripe Inc — payment processing (billing data only)
  • Anthropic PBC — AI narrative generation (aggregated data only, not used for model training)

The Processor will notify the Controller of any intended changes to sub-processors, providing the opportunity to object.

7. International transfers

The Processor does not transfer personal data outside the EEA without appropriate safeguards. Where sub-processors are located outside the EEA, Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms are in place.

8. Data subject rights

The Processor will assist the Controller in responding to data subject rights requests within the timescales required by applicable law. Requests should be directed to privacy@alignex.app. Note that because diagnostic responses are anonymous, it may not be possible to identify or retrieve individual response data.

9. Data breaches

The Processor will notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach affecting the Controller’s data. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

10. Retention and deletion

Personal data is retained for the duration of the subscription plus 12 months. Diagnostic response data is retained for 36 months to enable longitudinal analysis. Upon termination, the Controller may request a data export within 30 days. All data will be deleted within 90 days of termination unless retention is required by law.

11. Audit rights

The Controller has the right to request audit information to verify compliance with this DPA. The Processor will provide relevant documentation and, on reasonable notice, participate in audit activities. Costs of any audit beyond standard documentation provision will be borne by the Controller.

12. Contact

For DPA-related queries or to request a signed copy of this agreement, contact privacy@alignex.app.