Data Processing Addendum (“DPA”)
This DPA forms part of the Terms of Service and EULA between Atlas IP Holdings LLC (“Atlas”) and the customer (“Customer”). It governs Atlas’s processing of personal data subject to GDPR, UK GDPR, CCPA/CPRA, and comparable privacy laws.
1. Definitions
- Applicable Law: the EU GDPR (2016/679), UK GDPR, UK Data Protection Act 2018, CCPA/CPRA, and successor legislation.
- Customer Data: personal data processed by Atlas on behalf of Customer through BRidge.
- Subprocessor: any third party engaged by Atlas to process Customer Data on its behalf (see list).
- SCCs: EU Commission Standard Contractual Clauses (2021/914) + UK Addendum (IDTA).
2. Roles of the Parties
Customer acts as Controller; Atlas acts as Processor. Where Atlas jointly determines purposes or means, the parties are joint controllers to the limited extent required by law.
3. Processing Instructions
- Atlas processes Customer Data solely to provide, maintain, and improve BRidge; to act on documented instructions; and as required by law.
- Customer ensures its instructions comply with Applicable Law.
4. Confidentiality & Security
- Authorized personnel are bound by confidentiality obligations.
- Atlas implements the technical and organizational measures described in the Privacy Policy and EULA (encryption, access control, logging, DR, etc.).
Security Incidents: Atlas will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data and will provide information reasonably necessary for Customer to meet its obligations, subject to confidentiality and security constraints.
5. Subprocessing
- Atlas may engage subprocessors listed at /legal/subprocessors.
- Atlas will notify Customer of new subprocessors and allow 30 days to object on reasonable, documented grounds related to data protection.
- All subprocessors are bound by written agreements imposing equivalent data protection obligations.
6. International Transfers
- Transfers outside the EEA/UK rely on SCCs (2021/914) and the UK Addendum (IDTA).
- Atlas implements supplementary measures where required by regulators.
Docking Clause: If the SCCs are updated or replaced, the parties will execute the then-current version and take reasonable steps to maintain a valid transfer mechanism.
7. Assistance to Customer
- Atlas assists with data-subject requests, DPIAs, and consultations with authorities, considering processing nature and available information.
- Atlas provides reasonable documentation of security controls upon written request.
Government Requests: Where legally permitted, Atlas will promptly notify Customer of any authority request for Customer Data and will challenge unlawful or over-broad demands.
8. Data Subject Requests
When Atlas receives a request directly, it will redirect the requester to Customer unless legally prohibited. Customer remains responsible for responses.
9. Audit Rights
Atlas provides audit reports (SOC 2, penetration tests, or similar) upon request and, where necessary, allows on-site audits no more than once per 12 months (unless required by a supervisory authority or following a confirmed incident) during business hours, subject to confidentiality. Audits are at Customer’s expense and must not unreasonably disrupt Atlas operations.
10. Return or Deletion
Upon termination or written request, Atlas will delete or return Customer Data within 30 days unless law requires retention. Residual backup data will be overwritten per retention cycles.
Upon written request, Atlas will provide deletion certification consistent with standard backup schedules.
11. Liability & Indemnity
Liability under this DPA follows the limitations in the master agreement (Terms/EULA). Neither party limits liability where prohibited by law.
12. Miscellaneous
- This DPA prevails over conflicting provisions of the Terms/EULA concerning data protection.
- Governed by the law and jurisdiction specified in the master agreement (Indiana / England & Wales for UK customers).
- Executed electronically; acceptance of the Terms constitutes acceptance of this DPA.