Data Processing Agreement
Version 1.0 · April 2026
This DPA is available to all ATOM customers who need one for their own GDPR, HIPAA, or contractual compliance obligations. It is executed at no additional charge to paid plan customers. Contact us to receive a countersigned copy within 2 business days.
1. Definitions
Controller means the ATOM customer who determines the purposes and means of processing personal data. Processor means Atom Labs, Inc., which processes personal data on behalf of the Controller under the service agreement. Personal Data has the meaning given in the applicable data protection law (including GDPR Article 4(1)). Sub-Processor means any third party engaged by Atom Labs to process personal data.
2. Subject Matter and Duration
This DPA governs the processing of personal data by Atom Labs in connection with the ATOM Cognitive Control Plane described in the Terms of Service. It remains in effect for the duration of the service agreement and for so long as Atom Labs retains personal data on behalf of the Controller.
3. Nature and Purpose of Processing
Atom Labs processes the following categories of personal data on behalf of the Controller:
- Account data (names, email addresses) — for authentication and transactional communication
- Governance event metadata — risk scores, decisions, policy hits, token counts; used for AI governance audit logging
- Security logs — IP addresses retained for 90 days for security monitoring
- Agent workflow traces — step inputs and outputs cached in Redis for 14 days if agentic governance is enabled; automatically deleted after 14 days
Atom Labs does not retain the content of AI prompts or model outputs as personal data. Prompt text is processed transiently in memory during governance evaluation and is not persisted to any database. The one store of step-level content is the agent workflow trace cache listed above, which holds step inputs and outputs in Redis for 14 days only when agentic governance is enabled and deletes them automatically at the end of that period.
4. Instructions for Processing
Atom Labs processes personal data only on documented instructions from the Controller, as set out in the Terms of Service and this DPA. If Atom Labs is required by applicable law to process personal data in a manner that conflicts with the Controller’s instructions, Atom Labs will notify the Controller before such processing unless prohibited by law.
5. Processor Obligations
Atom Labs commits to:
- Ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations
- Implement and maintain the technical and organizational security measures described in Section 7
- Assist the Controller in responding to data subject rights requests (access, correction, deletion, portability) within legally required timeframes
- Assist the Controller in meeting its obligations regarding security, breach notification, impact assessments, and prior consultation
- Delete or return all personal data to the Controller upon termination of the service
- Make available all information necessary to demonstrate compliance with this DPA and permit audits by the Controller or a mandated auditor
- Notify the Controller of any personal data breach without undue delay and in any event within 72 hours of becoming aware of the breach
6. Sub-Processors
The Controller authorizes Atom Labs to engage the following sub-processors. Atom Labs will notify the Controller at least 30 days before adding or replacing a sub-processor:
- DigitalOcean — cloud infrastructure and database hosting (United States)
- Cloudflare — network routing and CDN (United States)
- Stripe — payment processing (United States)
- SendGrid (Twilio) — transactional email delivery (United States)
- AI inference providers (Groq, Anthropic, Google, Mistral, OpenAI, and others as configured by the Controller) — LLM inference only; subject to their own terms
Sub-processors are contractually bound to protect personal data to the same standard as Atom Labs.
7. Technical and Organizational Security Measures
Atom Labs maintains the following measures:
- Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256 authentication) for sensitive credentials at rest
- bcrypt hashing for passwords
- TLS 1.2+ encryption for all data in transit
- Role-based access control with five privilege levels; least-privilege principle applied
- Immutable audit logging for all administrative actions
- Automated security monitoring and alerting
- Zero-trust network architecture via Cloudflare Tunnel (no public ports)
- Regular security reviews and vulnerability management
8. International Data Transfers
All data is stored in the United States by default. For transfers from the European Economic Area, Atom Labs relies on Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c) where required. Enterprise customers may request data residency configuration to restrict storage to specific geographic regions. Contact [email protected] to configure.
9. Data Subject Rights
Atom Labs will assist the Controller in fulfilling data subject rights requests within the timelines required by applicable law. All requests should be submitted to [email protected]. Atom Labs will acknowledge within 5 business days and respond within 30 days.
10. Return and Deletion of Data
Upon termination of the service agreement, Atom Labs will, at the Controller’s choice, delete or return all personal data processed on the Controller’s behalf, and delete any existing copies within 30 days, unless retention is required by applicable law.
Execute This DPA
Ready to receive a countersigned DPA? Email us with your company name and we will send a signed copy within 2 business days.
DPAs are available at no additional charge to all paid plan customers.