Data Processing Agreement

Last updated: April 24, 2026

This DPA is a placeholder pending final legal review before our first paid customer. It represents our current intended practices. A signed, downloadable version will be available before first paid onboarding. For questions, contact [email protected].

Introduction

This Data Processing Agreement (DPA) governs the processing of personal data by AlreadyBack (processor) on behalf of the customer (controller). It incorporates:

  • The EU Standard Contractual Clauses (SCCs), Module 2 (controller to processor), for transfers from the EEA to non-EEA processors.
  • The UK International Data Transfer Addendum to the SCCs, for UK controllers.
  • Swiss Federal Data Protection Act supplementary clauses, where applicable.

Scope and parties

  • Customer — data controller.
  • AlreadyBack — data processor.
  • Third parties — sub-processors listed at /sub-processors.

Nature and purpose of processing

AlreadyBack processes personal data contained in customer's Airtable bases solely to perform automated backups, enable restore and rollback operations at the customer's request, provide failover continuity, and deliver reports and notifications to the customer.

Categories of data subjects and data

Data subjects: customer's employees, customer's end-users where applicable, and anyone whose personal data the customer stores in Airtable.

Categories of data: any personal data the customer chooses to store in Airtable. This typically includes contact data (name, email, phone), professional and employment data, customer records, transaction histories, and any other fields the customer has defined.

Sub-processors

AlreadyBack engages sub-processors (infrastructure providers) to deliver the service. Current sub-processors are listed at /sub-processors.

AlreadyBack will:

  • Notify customer at least 30 days before engaging a new sub-processor.
  • Bind each sub-processor to data-protection obligations at least as strict as this DPA.
  • Remain fully liable for sub-processors' acts and omissions.

Customer may object to a new sub-processor on reasonable grounds. If no acceptable alternative can be found, customer may terminate the contract without penalty.

Technical and organizational measures

AlreadyBack implements and maintains the following measures. Full detail is on the Security page.

  • Encryption of personal data at rest and in transit (AES-256-GCM, TLS 1.3+).
  • Certified data center facilities meeting ISO/IEC 27001 standards.
  • Network segmentation with default-deny posture.
  • Principle of least privilege enforced across all systems.
  • Continuous monitoring, logging, and security event detection.
  • Regular backup restoration testing and documented disaster recovery procedures.
  • Vulnerability management program with continuous scanning.
  • Detailed TOMs available on request for enterprise customers under NDA.

Data breach notification

In the event of a personal data breach affecting customer data:

  • Customer will be notified within 24 hours of our detection.
  • Notification will include: nature of breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed.
  • We will assist customer in their own notifications to supervisory authorities (72 hours under GDPR Art. 33) and to data subjects where required.

Data return or deletion at termination

  • Customer has 30 days to export their data via the dashboard or API.
  • After 30 days, all customer data is deleted from production systems.
  • Encrypted backups and access logs may persist for up to 90 additional days as required by our TOMs, after which they are cryptographically wiped.

Audit rights

Customer may, upon 30 days' written notice and no more than once per year:

  • Request a copy of our most recent third-party audit (SOC 2 Type II when available; Phase 3 as of April 2026).
  • Request written responses to a reasonable security questionnaire.
  • Conduct an on-site audit, at customer's cost, subject to our confidentiality and safety rules.

Contact

Data Protection Officer: [email protected].