Data Processing Addendum

Last updated: April 8, 2026

Version 1.0

Background

This Data Processing Addendum ("DPA") is incorporated by reference into the Atlas Terms of Service between Atlas Platform LLC ("Atlas") and the Customer. Where Atlas processes "personal data" (as defined under the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the UK GDPR, and the Swiss FADP) on behalf of Customer, this DPA governs that processing. Customer is the "controller" and Atlas is the "processor".

In case of conflict between the Atlas Terms of Service and this DPA on data protection matters, this DPA prevails.

1. Subject Matter & Duration

Subject matter: the processing necessary to provide the Atlas Platform under the Atlas Terms of Service.

Duration: for the term of the Customer's subscription, plus any period during which Atlas retains personal data to comply with applicable legal retention obligations.

2. Nature & Purpose of Processing

Atlas processes Customer personal data solely to (a) provide and operate the Platform, (b) generate analytics and insights for Customer, (c) communicate with Customer, (d) detect and prevent fraud and abuse, (e) comply with legal obligations, and (f) any other purpose explicitly instructed by Customer in writing.

3. Categories of Data Subjects

  • Customer's authorized employees and contractors who use the Platform
  • Customer's beneficial owners and authorized signatories (where required for KYB)

4. Categories of Personal Data

  • Identification data: name, business email, role
  • Authentication credentials (hashed)
  • Identifiers and tax identifiers required for KYB (e.g. EIN, registration number)
  • Beneficial owner information (where applicable)
  • Account & transaction data retrieved from financial partners with Customer's authorization
  • Technical and usage data (IP, device, browser, session)
  • Communications submitted by Customer through support channels

Atlas does not knowingly process special categories of personal data within the meaning of GDPR Art. 9.

5. Atlas's Obligations as Processor

  • Process personal data only on documented instructions from Customer, including the Atlas Terms and this DPA.
  • Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures (Section 8 below).
  • Engage sub-processors only as permitted by Section 7 below.
  • Assist Customer, taking into account the nature of processing, in fulfilling Customer's obligations to respond to data-subject rights requests under GDPR Arts. 12–22.
  • Assist Customer in ensuring compliance with GDPR Arts. 32–36 (security, breach notification, DPIAs, prior consultation).
  • At Customer's choice, delete or return all personal data after the end of the provision of services, unless retention is required by law.
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 9.
  • Notify Customer without undue delay (and within 72 hours where feasible) of any personal data breach affecting Customer personal data.

6. Customer's Obligations as Controller

  • Provide all required notices to data subjects and obtain all necessary consents and legal bases for the processing under this DPA.
  • Process and provide personal data to Atlas in accordance with applicable data protection law.
  • Issue clear and lawful instructions to Atlas regarding processing.

7. Sub-Processors

Customer authorizes Atlas to engage sub-processors to provide the Platform. Atlas remains fully liable to Customer for the performance of any sub-processor's data protection obligations. Atlas imposes contractual obligations on each sub-processor that are no less protective than those set out in this DPA.

7.1 Current Sub-Processors

The following entities are currently engaged as sub-processors. This list is updated when sub-processors change.

Sub-processor | Function | Location
Plaid Inc. | Bank account aggregation | USA
Alpaca Securities LLC | US brokerage and custody | USA
Upvest GmbH | EU brokerage and custody | Germany
Ondo Finance | Tokenized treasury yield product | USA
Clerk Inc. | Authentication & user management | USA
Stripe, Inc. | Subscription billing & partner payouts | USA
TaxBandits (SPAN Enterprises LLC) | TIN matching for KYB | USA
Vercel Inc. | Hosting & analytics | USA
Neon Inc. | Managed PostgreSQL database | USA / EU regions
Amazon Web Services, Inc. | Transactional email (AWS SES) | USA
Anthropic PBC | AI-assisted insights (where opted in) | USA

7.2 Notification of New Sub-Processors

Atlas will notify Customer at least 30 days before adding a new sub-processor by updating this list and notifying customers who have opted in to sub-processor change notifications. Customer may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection in good faith, Customer may terminate the affected services without penalty.

8. Security Measures

Atlas implements appropriate technical and organizational measures, including:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
  • Pseudonymization of personal data where appropriate
  • Strict access controls and least-privilege permissioning, with multi-factor authentication for administrative access
  • Audit logging and security monitoring
  • Regular vulnerability scanning and dependency review
  • Backup and disaster recovery procedures
  • Personnel confidentiality obligations and security training
  • Documented incident response plan with 72-hour breach notification window
  • Regular security review of sub-processors

9. Audits

Atlas will make available to Customer information necessary to demonstrate compliance with this DPA, including relevant third-party audit reports (e.g. SOC 2) where available. Customer may, at its own expense and no more than once per twelve-month period, request an audit of Atlas's compliance with this DPA, subject to reasonable confidentiality and scheduling requirements.

10. International Transfers & Standard Contractual Clauses

Where Atlas transfers personal data of EU/UK/EEA/Swiss data subjects outside the European Economic Area to a country that has not received a European Commission adequacy decision, the parties incorporate the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914 (Module Two: Controller to Processor). For UK transfers, the parties incorporate the UK International Data Transfer Addendum. For Swiss transfers, the parties incorporate the Swiss FDPIC-approved SCCs. The SCCs are available at commission.europa.eu.

11. Return or Deletion of Data

Within 30 days following termination of the Customer's subscription, Atlas will, at Customer's choice, delete or return all personal data processed on Customer's behalf, except to the extent retention is required by applicable law.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Atlas Terms of Service, except where such limitation would conflict with applicable law.

13. Contact

For questions about this DPA or to request an executed copy:
dataEU@atlasyield.co