Data Processing Agreement
Last updated: April 2, 2026
1. Overview
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Atlas DevHQ ("Processor") and you ("Controller") for the processing of personal data through Atlas Cloud.
This DPA applies when Atlas processes personal data on your behalf as part of providing Atlas Cloud services. For a signed copy of this DPA, contact sales@useatlas.dev.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
- "Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
- "Subprocessor" means a third party engaged by Atlas to process personal data on behalf of the Controller.
- "Data Subject" means the individual to whom personal data relates.
3. Scope of Processing
Atlas processes personal data in the following context:
- Subject matter. Providing text-to-SQL agent services via Atlas Cloud.
- Duration. For the term of your subscription plus the data retention period described in our Privacy Policy.
- Nature and purpose. Executing database queries, storing conversation history, managing user accounts, processing payments, and maintaining audit logs.
- Categories of data. Account information (name, email), query text, query results, usage metrics, audit logs.
- Data subjects. Your employees, contractors, and authorized users who access Atlas Cloud, and any individuals whose personal data may appear in your datasource query results.
4. Processor Obligations
Atlas (as Processor) shall:
- Process personal data only on documented instructions from the Controller, unless required by law.
- Ensure that persons authorized to process personal data have committed to confidentiality.
- Implement appropriate technical and organizational security measures (see Section 6).
- Engage subprocessors only with prior notice and subject to equivalent data protection obligations.
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
- Delete or return all personal data upon termination of the service, at the Controller's choice.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
5. Data Residency
Atlas Cloud supports configurable data residency for Enterprise customers. You may select the region where your data is stored and processed:
- Region selection. Choose your preferred region during workspace setup or from the admin console. Available regions include US and EU.
- Data isolation. Query data is processed in the selected region and does not leave it. Internal routing ensures queries are directed to region-local infrastructure.
- Migration. Region migration is supported for Enterprise customers via our migration tooling, with planned downtime coordinated in advance.
For standard (non-Enterprise) plans, data is processed in the US region by default.
6. Security Measures
Atlas implements the following technical and organizational measures to protect personal data:
Encryption.
- Data in transit: TLS 1.2+ for all connections.
- Data at rest: AES-256 encryption for stored data and backups.
- Database credentials: encrypted at rest, never exposed in logs or API responses.
Access controls.
- Role-based access control (RBAC) with configurable custom roles.
- SSO and SCIM provisioning for Enterprise customers.
- IP allowlisting for workspace access restriction.
- Multi-factor authentication support.
Application security.
- 4-layer SQL validation pipeline preventing injection and unauthorized data access.
- Read-only database connections enforced at both application and connection level.
- Sandboxed code execution for explore operations.
- PII detection to flag sensitive data in query results.
- Table whitelisting ensuring only approved datasource tables are queryable.
Infrastructure security.
- Automated backups with configurable retention.
- Network isolation between tenant workspaces.
- Comprehensive audit logging of all administrative and data access events.
- Incident monitoring via OpenStatus with a public status page.
7. Subprocessors
Atlas uses the following subprocessors. We will notify you at least 30 days before adding or replacing a subprocessor.
| Provider | Purpose | Location |
|---|---|---|
| Railway | Infrastructure hosting | US / EU |
| Stripe | Payment processing | US |
| OpenStatus | Uptime monitoring | EU |
| Anthropic | Default LLM provider | US |
You may object to a new subprocessor within 30 days of notification. If we cannot reasonably accommodate your objection, you may terminate the affected services.
8. Breach Notification
In the event of a personal data breach, Atlas will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
- Provide sufficient detail for the Controller to meet its own notification obligations, including: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
- Cooperate with the Controller in investigating and remediating the breach.
- Document all breaches, including facts, effects, and remedial actions taken, regardless of whether notification is required.
9. Data Subject Requests
Atlas will assist the Controller in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection).
If Atlas receives a request directly from a data subject, we will promptly notify the Controller and will not respond to the request without the Controller's instructions, unless legally required.
10. Audits
Atlas will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audit requests should be directed to security@useatlas.dev with reasonable advance notice.
11. International Transfers
Where personal data is transferred outside the EEA, Atlas ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- Data residency controls that keep data within the selected region (Enterprise).
- Transfer impact assessments for each subprocessor.
12. Termination
Upon termination of the service agreement, Atlas will, at the Controller's choice:
- Return all personal data in a structured, machine-readable format (data export via admin console or API).
- Delete all personal data within 30 days, unless retention is required by law.
Atlas will certify deletion upon the Controller's request.
13. Contact
For a signed copy of this DPA or questions about data processing, contact sales@useatlas.dev.
For security inquiries, contact security@useatlas.dev.