# Data Processing Addendum (DPA), Sub-processors, and EU Data Transfers **Summary:** Adalo's Terms of Use include a Data Processing Addendum (DPA) that covers GDPR Article 28 obligations, EU-to-US transfer mechanisms via Standard Contractual Clauses (SCCs), and a current list of sub-processors. No separate signature is required. This article explains each component and where to find the full documents. **Who this is for:** Adalo customers who process personal data of users in the EU, EEA, UK, or other regulated jurisdictions and need documentation for their own compliance records. *** #### Does Adalo have a Data Processing Addendum (DPA)? Yes. Adalo's [Terms of Use](https://app.adalo.com/en/signup/terms) include a Data Processing Addendum (DPA) that forms part of the Terms you accepted upon account creation. No separate signature is required, and the DPA applies automatically to every Adalo customer. The DPA may also be referred to as a Data Processing Agreement. Both terms refer to the same document. #### Who is the Data Controller and who is the Data Processor? Under Adalo's DPA and GDPR Article 28: * **You** (the Adalo customer) are the **Data Controller** of personal data processed through your app. You decide what data is collected and why. * **Adalo** is the **Data Processor**, processing that data on your behalf and only on your documented instructions. * End users of your app are the **Data Subjects**. #### What does Adalo's DPA cover? The DPA sets out Adalo's commitments as a Data Processor, including: * Processing data only on your documented instructions * Technical and organizational security measures (detailed in Schedule 3 of the DPA) * Engagement and management of sub-processors, with notification of new sub-processors * Assistance with data subject rights requests, including access, correction, and deletion * Personal data breach notification without undue delay * Assistance with Data Protection Impact Assessments (DPIAs) * Deletion or return of customer personal data within 20 days of service cessation * Audit rights to verify compliance #### How are EU-to-US data transfers handled? Transfers of personal data from the EU, EEA, or UK to the United States are governed by the **Standard Contractual Clauses (SCCs)**, specifically the Controller-to-Processor module. The SCCs are attached as Schedule 4 of Adalo's DPA and apply automatically. You do not need to execute or sign them separately. The SCCs are the European Commission-approved mechanism for lawful transfer of personal data outside the EU/EEA. #### Who are Adalo's sub-processors? A **sub-processor** is a third-party service that processes personal data on Adalo's behalf in order to deliver the Adalo service. The current sub-processors, as listed in Schedule 2 of the DPA, are: * Amazon Web Services * Heroku * Imgix * SendGrid * Stripe * Sentry * OpenAI * Mixpanel * Google Analytics * Userflow * Google Workspace * Slack #### How will I be notified if Adalo adds a new sub-processor? If Adalo engages a new sub-processor, you will be notified by email. The notification window and objection process are set out in the DPA. To ensure you receive these notifications, keep your account email up to date in your account settings. #### Where can I review the full DPA, SCCs, and sub-processor list? The full text of the DPA, the SCCs (Schedule 4), the security measures (Schedule 3), and the current sub-processor list (Schedule 2) are available in [Adalo's Terms of Use](https://app.adalo.com/en/signup/terms). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.adalo.com/adalo-account/terms-legal-and-compliance/data-processing-addendum-dpa-sub-processors-and-eu-data-transfers.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.