Data Processing Agreement
Last updated: 16 April 2026
1. Definitions
- "Controller" - your organisation, the entity that determines the purposes and means of processing personal data via AllAddin.
- "Processor" - Meliux Ltd, a company registered in England and Wales, which processes personal data on the Controller's behalf to provide the AllAddin service.
- "Data Protection Laws" - the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any successor legislation.
- "Personal Data", "Processing", "Data Subject", "Sub-processor" - as defined in the UK GDPR.
2. Scope of processing
2.1 Purpose
The Processor processes Personal Data solely to provide the AllAddin service to the Controller: receiving natural-language prompts from the Controller's users, forwarding them to an AI model, and returning generated responses. Processing also includes authentication, rate limiting, usage tracking, and error monitoring necessary to operate and secure the service.
2.2 Categories of Personal Data
| Category | Examples |
|---|---|
| Identifier data | Hashed authentication token, IP address, browser user-agent |
| Usage data | Request timestamps, token consumption counts, route names, HTTP status codes |
| Content data | Natural-language prompts, structured model-context abstractions (no raw Revit files) |
| Snapshot data (opt-in) | When a user explicitly uploads a model snapshot: element identifiers, categories, levels, worksets, and the parameters selected during capture. Never the underlying Revit file or its geometry. |
| Contact data (waitlist only) | Email address, optional free-text note |
2.3 Data subjects
Employees, contractors, and authorised users of the Controller who interact with the AllAddin add-in or the alladdin.dev website.
2.4 Duration and deletion
Processing continues for the duration of the Controller's use of the service. Upon termination, the Processor deletes Personal Data within 30 days, except where retention is required by law. Audit logs and security events are automatically deleted on a 90-day rolling basis regardless of termination.
Export of data in a machine-readable format (for portability purposes) is available on request with up to 30 days' turnaround; email hello@alladdin.dev.
3. Processor obligations
- Process Personal Data only on the Controller's documented instructions (which are: provide the AllAddin service as described in the Terms of Service).
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures (see section 5).
- Assist the Controller in responding to Data Subject rights requests (access, erasure, portability, etc.) within the timelines set out in the UK GDPR.
- Assist the Controller with data protection impact assessments and prior consultations with the ICO where required.
- Delete all Personal Data at the end of the service, with machine-readable export available on written request within the same 30-day window.
- Make available information necessary to demonstrate compliance and allow for remote audits as set out in section 7.
- Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.
4. Sub-processors
The Controller authorises the Processor to engage the following Sub-processors. The current Sub-processor list is published on this page. The Processor will update this list and the "Last updated" date above before adding or replacing a Sub-processor; Controllers are advised to review this page periodically. A Controller who objects to a new Sub-processor may terminate the service within 30 days of the update without further obligation.
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI model inference (receives prompt text + context abstraction) | United States |
| Railway Corp | Cloud hosting and managed PostgreSQL database | United States |
| Functional Software, Inc. (Sentry) | Error monitoring (PII collection disabled) | United States |
Each Sub-processor publishes its own Data Processing Agreement which incorporates UK/EU Standard Contractual Clauses (SCCs) or a UK International Data Transfer Agreement (IDTA) as applicable. Transfers are supplemented by technical measures on our side: encryption in transit (TLS 1.2+) and pseudonymisation of authentication credentials (SHA-256 hashing; plaintext tokens never leave the Controller's machine).
5. Security measures
- All data in transit encrypted via TLS 1.2+ (provided by the sub-processor cloud platform).
- Database hosted on Railway's managed PostgreSQL, which provides encryption at rest in line with its platform security policy.
- Authentication tokens hashed (SHA-256, first 12 hex characters stored) - plaintext tokens never persisted server-side.
- Per-token and per-IP rate limiting to mitigate abuse.
- Security event logging (failed auth, rate-limit hits) for incident detection, retained on a 90-day rolling basis.
- Audit logs (request metadata, token usage) retained on a 90-day rolling basis.
- Sentry error monitoring with PII collection explicitly disabled (send_default_pii=False).
- Content Security Policy headers applied to JSON API responses.
- No cookies, tracking pixels, or third-party analytics scripts.
- Source code version-controlled on GitHub; commits signed; deployments via Railway auto-deploy from the main branch.
6. Data Subject rights
The Processor will promptly assist the Controller in fulfilling Data Subject requests. Where a Data Subject contacts the Processor directly, the Processor will redirect the request to the Controller unless the Controller instructs otherwise. Contact: hello@alladdin.dev with "Privacy request" in the subject line.
7. Audits
The Controller (or an independent third-party auditor appointed by the Controller, under an NDA acceptable to the Processor) may conduct a remote audit of the Processor's compliance with this DPA once per calendar year, upon 30 days' written notice. "Remote audit" means a documentary review via shared screen and written answers to a reasonable list of questions; on-site audits are by mutual agreement only and are not ordinarily required. The Controller bears the cost of the audit. The Processor may satisfy this obligation by providing equivalent third-party audit reports (if any become available) in lieu of a direct audit.
8. Breach notification
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
9. Governing law
This DPA is governed by the laws of England and Wales. Any disputes will be subject to the exclusive jurisdiction of the courts of England and Wales.
10. Relationship to other agreements
This DPA supplements and forms part of the Terms of Service. In the event of a conflict between this DPA and the Terms, this DPA prevails with respect to the processing of Personal Data. The Privacy Policy describes the Processor's data practices in plain language for end users.