Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Alma

VERIFIED
Payments · France
Founded 2019 · almapay.com ↗

Paris-area French BNPL for merchants: 2/3/4/10/12 installments + Pay Later; 21,800+ merchants across 8 EU countries; Alma SAS, EU-owned.

In short

Alma, in the Payments category, offers EU hosting with France as its hosting location, but a US parent or sub-processor leaves material CLOUD Act exposure.

Assessment notes

Alma SAS (Neuilly-sur-Seine, France; RCS Nanterre 839 100 575) is an EU-incorporated French BNPL specialist serving 21,800+ merchants across 8 European countries (ownership_signal: eu_owned), but the legal notice confirms hosting on Google Cloud Platform (US-owned, Paris region): cloud_act_exposure: material; no public DPA or sub-processors list accessible at audit.

CLOUD ACT
OWNERSHIP
SUB-PROCS
not disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Alma

Alma is a French BNPL (buy-now-pay-later) payment solution operated by Alma SAS (176 Avenue Charles de Gaulle, 92200 Neuilly-sur-Seine, France; RCS Nanterre 839 100 575), founded in 2019 by Louis Chatriot. The product enables merchants to offer customers payment in 2, 3, or 4 interest-free installments, medium-term financing in 10 or 12 installments, and deferred "Pay Later" options at 15 or 30 days, covering online, in-store (via payment terminal integrations including Adyen and Ingenico), and call-centre sales channels. As of 2026 Alma serves 21,800+ merchants across France, Germany, Belgium, Spain, Italy, Luxembourg, the Netherlands, and Portugal, with a notable customer list including Maisons du Monde, Nature & Découvertes, Maje, Promod, Etam, Lancel, and Alain Afflelou.

For an EU-sovereignty audit Alma is the cleanest French corporate in the BNPL category, incorporated as a French SAS with a French registered address and no disclosed US parent or US-PE majority stake. The ownership-risk element is the investor base: the company raised €210M in 2022 (round led by Eurazeo Growth and Cathay Innovation, both French/Franco-Asian with EU-anchored management, alongside earlier backers including Idinvest Partners). The cap table is predominantly French/European VC, which keeps ownership_signal: eu_owned under the directory's taxonomy. The material CLOUD Act risk comes from infrastructure: the legal notice explicitly names Google Cloud Platform as the hosting provider (8 rue de Londres, 75009 Paris, the Paris GCP region address), and GCP is a US-owned service regardless of the EU region. No public DPA or sub-processors list was found on accessible pages at audit.

Pricing is commission-based per transaction with no monthly fee; rates vary by installment type and market. PCI DSS Level 1 certification is confirmed for the payment-processing partner. Best fit: French and broader EU merchants wanting a BNPL-first checkout experience with a European legal entity: particularly retail, furniture, fashion, and opticians already represented in the customer base.

SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications · none listed

We checked the vendor's website and standard certification body registries. No active certifications found at the time of last audit (2026-05-21).
FEATURES

Capability matrix

Card payments No
SEPA Direct Debit No
Buy now, pay later Yes
Open banking (A2A) No
Recurring / subscriptions No
Payment links Yes
In-person / POS Yes
Marketplace / split No
INTEGRATION & ACCESS
REST API Yes
SSO (SAML / OIDC) No
COMPLIANCE & GOVERNANCE
Audit log No
Self-host / on-prem option No
PRICING

Pricing & tiers

PAID
Custom pricing

Contact vendor for tier or volume pricing.

View pricing page ↗
PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement. This is recorded as no public DPA (see How we assess).
Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
  • Data Processing Addendum (DPA)
    — missing
    missing
  • Sub-processors list
    — missing
    missing
  • Terms of Service
    almapay.com/en…
    Open ↗
ALTERNATIVES

Alternatives in this category

Adyen
Netherlands · Founded 2006
EU-BASED

Dutch publicly-listed payments giant (Euronext Amsterdam), DNB-licensed credit institution + EU/UK/US banking licences; €1.4T processed/yr.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MINOR
Dintero
Norway · Founded 2017
EU-BASED

Oslo fintech (Dintero AS): Finanstilsynet-authorised PI and, since 2025, the only Norwegian-owned direct Visa/Mastercard acquirer; checkout for e-com, marketplaces and physical retail.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MINOR
GoCardless
United Kingdom · Founded 2011
EU-HOSTED

London-based UK direct-debit and recurring-payments specialist (FCA-authorised); Mollie acquisition announced Dec 2025.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MATERIAL