
Data Processing Addendum.

Article 28 GDPR-compliant DPA, with the EU Standard Contractual Clauses incorporated by reference. Pre-signed for standard deals — no negotiation needed.

effective 2026-05-02 · v2.5 · incorporates: SCCs (2021/914), UK IDTA

// pre-signed

DPA-v2.5-pre-signed.pdf

Countersigned by Atlas · valid through 2027-05-02 · available on request

01

Scope & Roles

This Data Processing Addendum ("DPA") supplements the Atlas Terms of Service or any signed master agreement (the "Agreement") between Atlas DevHQ ("Processor") and the Customer ("Controller").

Where Customer is itself a processor for its end users, Atlas acts as a sub-processor; the terms of this DPA apply with equivalent force.

In case of conflict between the Agreement and this DPA, this DPA controls for the processing of Personal Data.

02

Processing Details (Art. 28(3) GDPR)

Subject matter: provision of the Atlas Cloud text-to-SQL service.

Duration: for the term of the Agreement plus the retention periods set out in the Privacy Policy.

Nature & purpose: storing semantic-layer configuration; routing queries between Customer’s authorized users, model providers, and Customer’s data warehouse; producing audit logs.

Categories of data subjects: Customer’s employees, contractors, and any individuals whose data resides in Customer’s data warehouse and is returned in query results.

Categories of personal data: identifiers (name, email, SSO subject), business contact info, query text and results when audit logging is enabled, IP addresses, device metadata.

Atlas does not process special categories of personal data (Art. 9 GDPR) on Customer’s behalf in the ordinary course. Customer is responsible for not submitting such data without notifying Atlas in writing.

03

Processor Obligations

Atlas processes Personal Data only on documented instructions from Customer (the Agreement, this DPA, and Customer’s reasonable written instructions thereafter), unless required to do otherwise by EU/EEA/UK law (in which case Atlas notifies Customer unless prohibited).

Atlas ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.

Atlas implements the technical and organizational measures listed in Annex II.

Atlas assists Customer in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) by providing tools and reasonable cooperation.

Atlas assists Customer with DPIAs and prior consultations (Art. 35–36 GDPR) by providing relevant information about the Service.

04

Sub-processors

Customer authorizes Atlas to engage the sub-processors listed in Annex I (rendered as a table at the bottom of this page), provided that Atlas: (a) imposes data-protection obligations on each sub-processor that are equivalent to those in this DPA; (b) remains liable for the acts and omissions of its sub-processors as for its own.

Atlas notifies Customer at least 30 days before adding or replacing a sub-processor. Customer may object on reasonable, documented data-protection grounds within that period; if the parties cannot agree, Customer may terminate the affected portion of the Service for cause and receive a pro-rata refund.

05

International Transfers

Where Personal Data originating in the EEA, the United Kingdom, or Switzerland is transferred to a country not subject to an adequacy decision, the EU Standard Contractual Clauses (Module Two: controller-to-processor; Module Three: processor-to-processor where Customer is itself a processor) are incorporated by reference, with the docking clause and option clauses completed in Annex III.

For UK transfers, the UK International Data Transfer Addendum issued by the ICO is incorporated. For Swiss transfers, equivalent supplementary measures apply.

06

Security Incidents

Atlas notifies Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Data, providing the information required by Art. 33(3) GDPR to the extent then known.

Atlas updates Customer as facts develop and cooperates with Customer in remediating the breach and notifying affected data subjects or supervisory authorities where required.

07

Audits

Atlas makes available to Customer all information reasonably necessary to demonstrate compliance with Art. 28 GDPR. Atlas operates a security program aligned with SOC 2 Type II and ISO 27001 controls; formal certification is on the roadmap. Atlas does not currently hold a SOC 2 Type II report or ISO 27001 certificate, and will share certification status updates on request under appropriate confidentiality terms.

Once per twelve-month period, on at least 30 days’ notice and during normal business hours, Customer may conduct, or have a third party conduct under appropriate confidentiality, an audit of Atlas’s processing activities, limited to information reasonably necessary to verify compliance and conducted in a manner that does not unreasonably interfere with Atlas’s operations.

08

Return & Deletion

On termination of the Agreement, Atlas will, at Customer’s election, return or delete all Personal Data within 90 days, except to the extent applicable law requires retention. Encrypted backups are deleted within an additional 90 days as part of the standard backup-rotation cycle.

Atlas will provide written confirmation of deletion on request.

09

Annexes

Annex I — List of Sub-processors. The current list is rendered as a table at the bottom of this page and is the source of truth.

Annex II — Technical and Organizational Measures: encryption (TLS 1.2+ in transit, AES-256-GCM at rest with versioned key rotation; integration credentials and connection strings encrypted in the internal database), customer-managed KMS keys negotiable on enterprise contracts, least-privilege IAM, TOTP two-factor authentication required for every administrator account on managed-mode sessions, audit logging of administrative operations, automated vulnerability scanning of container images and dependencies, ISO 27001-aligned ISMS, security program aligned with SOC 2 Type II controls (formal certification on the roadmap), secure SDLC with mandatory code review, segregated production access, documented incident-response runbook. A third-party penetration-testing program is on the public roadmap.

Annex III — Standard Contractual Clauses, Module Two (controller-to-processor) selected by default. Optional Clause 7 (Docking Clause) is included. Clause 9 sub-processor option (b) — general written authorization with 30-day notice — applies. Clause 11 dispute-resolution option (a) is selected. Clause 17 governing law: Ireland. Clause 18 forum: Ireland.

// annex i — sub-processors

Current sub-processors.

This list is the source of truth. We notify Customer at least 30 days before any addition or replacement.

// subscribe to changes

We email account admins automatically. Procurement teams can subscribe via:

Email
RSS
  • Railway

    Cloud infrastructure (compute, storage, Postgres)

    Customer’s selected region — United States (Virginia), Europe (Netherlands), or Asia Pacific (Singapore) · 2026-01
  • Stripe

    Payment processing

    United States · 2026-01
  • Vercel

    AI Gateway — routes hosted model requests to upstream providers

    United States · 2026-01
  • Anthropic

    Upstream hosted model inference (default; reached via Vercel AI Gateway)

    United States · 2026-01
  • OpenAI

    Upstream hosted model inference (opt-in; reached via Vercel AI Gateway)

    United States · 2026-01
  • Resend

    Transactional email (receipts, alerts, invitations)

    United States · 2026-01
  • OpenStatus

    External uptime monitoring + status page

    European Union · 2026-01

Procurement questions?

For DPA negotiation, custom enterprise terms, or to ask about our security-program documentation and certification roadmap, reach out to legal or sales.
