Data Processing Agreement
Last updated · May 2026
This DPA forms part of the Terms of Service and describes how Atlas processes personal data on your behalf as a processor under the GDPR and equivalent laws. Where this DPA conflicts with the Terms on data protection, this DPA prevails.
01 Roles and scope
You are the controller of the personal data in your workspace; Atlas is the processor. Atlas processes that data only on your documented instructions, including those given through your use of the product, unless required to act otherwise by law (in which case we will inform you where permitted).
02 Details of processing
Subject matter: provision of the Atlas service. Duration: for the term of your subscription, plus the deletion window. Nature and purpose: storing, organising, analysing, and acting on workspace data to operate divisions and agents. Data types: business contacts, customer and order data you connect, content, and usage metadata. Data subjects: your team members, your customers, and your contacts.
03 Processor obligations
We will: process only on your instructions; ensure personnel are bound by confidentiality; implement the security measures below; assist you with data-subject requests and with your obligations under Articles 32–36; and make available the information needed to demonstrate compliance.
04 Security measures
EU hosting; encryption in transit and at rest; per-tenant Postgres row-level isolation; least-privilege, role-based access; audit logging of agent and admin actions; secure SDLC and dependency scanning; and regular review. SOC 2 Type II is in progress.
05 Sub-processors
You authorise Atlas to engage the sub-processors on its current list (available on request) for hosting, model inference, email, payments, and analytics. We impose data-protection terms equivalent to this DPA on each, and we will give at least 30 days’ notice before adding or replacing a sub-processor, giving you the opportunity to object on reasonable grounds.
06 International transfers
Where personal data is transferred outside the EEA, we rely on an adequacy decision or the European Commission’s Standard Contractual Clauses, with supplementary measures as needed.
07 Data-subject requests and breach notification
We will promptly forward and, taking into account the nature of processing, assist you in responding to data-subject requests. We will notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you need to meet your own notification duties.
08 Audits
On reasonable request and no more than once a year (unless required by a supervisory authority), we will make available our compliance documentation and respond to a reasonable security questionnaire, subject to confidentiality.
09 Return and deletion
On termination, and at your choice, we will return or delete the personal data we process for you, and delete existing copies within 30 days, unless retention is required by law.
10 How to request the signed DPA
To countersign this DPA, receive the current sub-processor list, or raise a data-protection matter, email legal@arthea.io.