Data Processing Agreement
v1.0-2026-05-20 · effective 2026-06-05 · GDPR Article 28 + CCPA Service Provider
This Data Processing Agreement (the “DPA”) is incorporated into and forms part of the Master Services Agreement (the “MSA”) between [Customer legal entity] (the “Controller”) and Ataski, Inc. (the “Processor”). It governs the Processing of Personal Data carried out by the Processor on the Controller’s behalf.
1. Definitions
Terms used in this DPA carry the meaning given in the GDPR (Regulation (EU) 2016/679) and the CCPA (Cal. Civ. Code §1798.140) where applicable. The following definitions apply across both regimes:
- Controller. The natural or legal person that determines the purposes and means of Processing Personal Data (GDPR Article 4(7)). For purposes of this DPA, the Customer is the Controller.
- Processor. The natural or legal person that processes Personal Data on behalf of the Controller (GDPR Article 4(8)). Ataski is the Processor. For CCPA purposes, Ataski operates as a Service Provider (Cal. Civ. Code §1798.140(ag)).
- Personal Data. Any information relating to an identified or identifiable natural person (GDPR Article 4(1)) or Personal Information (CCPA §1798.140(v)) that the Controller transmits to or through the Service, or that the Service collects on the Controller’s behalf.
- Processing. Any operation performed on Personal Data, including collection, storage, analysis, use, disclosure, and deletion (GDPR Article 4(2)).
- Sub-processor. Any third party engaged by Ataski to Process Personal Data on the Controller’s behalf. The current list is published at /legal/subprocessors.
- Data Subject. An identified or identifiable natural person to whom Personal Data relates.
2. Subject matter and duration
Subject matter. The Processor provides AI workforce services to the Controller (the “Services”). In the course of providing the Services the Processor processes Personal Data on the Controller’s behalf, in accordance with the Controller’s documented instructions.
Duration. This DPA takes effect on 2026-06-05 and remains in force for the duration of the underlying subscription, plus a 30-day data-retention window during which the Controller may export Customer Data via the self-service /api/export endpoint, after which the Processor deletes all Customer Data (GDPR Article 28(3)(g)).
3. Nature and purpose of Processing
The nature and purpose of Processing is determined by the AI workforce roles the Controller activates on its workspace (Outbound Sales Assistant, Licensed Professional Outreach, Financial Analyst, Board Pack Drafter, Support Reply Drafter, Renewal Manager, Customer Account Monitor, Contract Brief, Meeting Recap Coordinator). Each role's capability matrix is published on the corresponding marketing page and the Controller's activation of the role constitutes documented instruction to Process Personal Data within that role's declared scope.
4. Types of Personal Data and categories of Data Subjects
Types of Personal Data. Business contact data (name, work email, work phone, job title); communications metadata (email send / receive timestamps, meeting attendance); Controller-provided content (uploaded CSVs, board materials, contract drafts); model inputs and outputs (prompts and AI-drafted responses).
Categories of Data Subjects. The Controller’s employees, contractors, customers, prospects, vendors, board members, and meeting participants whose data the Controller transmits to or through the Service.
5. Controller's obligations
The Controller is responsible for compliance with applicable data protection laws in respect of the Personal Data it transmits to the Service, including establishing a lawful basis for Processing (GDPR Article 6) and providing required notices to Data Subjects. The Controller warrants that its documented instructions to the Processor comply with the GDPR and other applicable data protection law.
6. Processor's obligations (GDPR Article 28(3))
- Documented instructions. The Processor processes Personal Data only on documented instructions from the Controller, including with regard to international data transfers, unless required to do so by Union or Member State law to which the Processor is subject; in that case, the Processor informs the Controller of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest.
- Confidentiality. The Processor ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security. The Processor implements appropriate Technical and Organisational Measures (Appendix A) to ensure a level of security appropriate to the risk (GDPR Article 32).
- Sub-processing. The Processor engages Sub-processors only under the conditions in §7 below.
- Data Subject rights assistance. The Processor assists the Controller, by appropriate technical and organisational measures, in fulfilling the Controller’s obligation to respond to Data Subject requests under GDPR Chapter III (Articles 12–23).
- Article 32–36 assistance. The Processor assists the Controller in ensuring compliance with GDPR Articles 32 (Security), 33 (Breach notification), 34 (Breach communication), 35 (DPIA), and 36 (Prior consultation), taking into account the nature of Processing and the information available to the Processor.
- Return or deletion. Upon termination of the Services, the Processor returns or deletes all Personal Data at the Controller’s choice, and deletes existing copies unless Union or Member State law requires storage. The default window is 30 days from termination via the self-service /api/export endpoint and the automated post-30-day deletion job.
- Audit. The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits may be conducted no more than once per calendar year unless required by supervisory authority order.
7. Sub-processors
The Controller hereby grants the Processor general written authorisation to engage the Sub-processors listed at /legal/subprocessors (incorporated by reference). The Processor will inform the Controller of any intended changes to that list, giving the Controller no fewer than 30 days’ advance notice, during which the Controller may object on reasonable grounds. The Processor remains liable to the Controller for the acts and omissions of every Sub-processor as if they were its own.
The Processor ensures that each Sub-processor is bound by a written agreement that imposes data protection obligations no less protective than those in this DPA. The current list of Sub-processors comprises 18 vendors as of 2026-06-05 (see the public sub-processor page for the canonical list).
8. International transfers
Where Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to a third country that does not benefit from an adequacy decision, the Processor and the Controller agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) apply, Module Two (Controller to Processor) where the Controller is established in the EEA, with Ataski acting as the data importer. The UK International Data Transfer Addendum and the Swiss Federal Data Protection and Information Commissioner’s guidance apply mutatis mutandis for UK and Swiss transfers respectively. Where applicable, Ataski participates in the EU–US Data Privacy Framework and its UK and Swiss extensions; Controller may rely on either the DPF certification or the SCCs at its option.
9. Personal Data breach
The Processor notifies the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach (GDPR Articles 4(12), 33). The notification describes the nature of the breach, including, where possible, the categories and approximate number of Data Subjects concerned, the likely consequences, and the measures taken or proposed to address the breach.
10. Term and termination
This DPA remains in force for as long as the Processor processes Personal Data on the Controller's behalf under the MSA. Either party may terminate this DPA only by terminating the MSA in accordance with its terms; on termination, the Processor completes the return / deletion procedure in §6(7) above.
11. Governing law
This DPA is governed by the law specified in the MSA. Nothing in this DPA derogates from the rights granted to Data Subjects by Union, Member State, or other applicable data protection law.
Appendix A — Technical and Organisational Measures (GDPR Article 32)
The Processor implements the following Technical and Organisational Measures (“TOMs”) to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32:
- Multi-tenancy. Per-tenant data isolation via Postgres Row Level Security; every customer-data table enforces the tenant_id session variable at the database layer (defence-in-depth on top of application-level scoping).
- Encryption at rest. All credential material stored encrypted via Fernet (AES-128 in CBC mode with HMAC-SHA-256 authentication). Database storage layer encryption provided by Neon (AES-256); object storage encryption provided by Cloudflare R2 (AES-256).
- Encryption in transit. TLS 1.3 enforced on every HTTPS endpoint and database connection; mutual-TLS for sub-processor API calls where the vendor supports it.
- Access control. WorkOS-backed SSO + SAML for tenant workspaces; role-gated approval workflows for high-stakes actions (board pack approval, monthly investor update send, outbound email send) per CLAUDE.md principle #9 capability matrix.
- Audit logging. Append-only audit_log table with database-level REVOKE UPDATE/DELETE; every LLM call, external API call, and data modification logged with tenant_id, user_id, correlation_id, cost, and latency.
- PII handling. Service Provider posture per CCPA §1798.140(ag); contact records stay in per-tenant RLS scope and are never aggregated across tenants. Per-tenant deletion within 45 days of request via /privacy/optout.
- Cost guardrails. Four-tier cost ceiling (provider limit, per-task budget, per-customer daily cap, global kill switch) prevents runaway exfiltration via a compromised credential.
- Incident response. Bugsink error tracking with 24-hour customer notification for any incident involving Customer Data; status page operated via Better Stack with uptime monitoring on every tenant-facing endpoint.
- Personnel. All personnel with access to Customer Data bound by confidentiality covenants; principle of least privilege enforced via role-gated routes; access reviewed quarterly.
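As an added illustration of the multi-tenancy and audit-logging measures above (example DDL written for this page, not Ataski's schema or code), the following PostgreSQL statements show the row-level-security and append-only pattern those two items describe; the table names, the `app.tenant_id` setting name and the `app_rw` application role are assumptions.

```sql
-- Example only; table names, the app.tenant_id setting and the app_rw role
-- are assumptions for illustration, not the Processor's actual schema.

-- Per-tenant isolation: every customer-data table carries tenant_id, and a
-- policy compares it with a session variable the application sets per request.
CREATE TABLE contacts (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    email     text NOT NULL
);
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;   -- applies to the table owner too

-- NULLIF(..., '') turns an unset or empty variable into NULL, so a connection
-- that never set app.tenant_id sees zero rows rather than every tenant's rows
-- (and WITH CHECK blocks inserting a row tagged with another tenant's id).
CREATE POLICY tenant_isolation ON contacts
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Append-only audit log: the application role may read and insert, never
-- rewrite history, matching the REVOKE UPDATE/DELETE measure above.
CREATE TABLE audit_log (
    id             bigserial PRIMARY KEY,
    tenant_id      uuid NOT NULL,
    user_id        text,
    correlation_id text NOT NULL,
    action         text NOT NULL,           -- e.g. 'llm_call', 'external_api', 'data_modify'
    cost_usd       numeric(12, 6),
    latency_ms     integer,
    created_at     timestamptz NOT NULL DEFAULT now()
);
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM app_rw;
GRANT  SELECT, INSERT ON audit_log TO app_rw;

-- Per-request usage from the application, inside one transaction:
-- BEGIN;
-- SET LOCAL app.tenant_id = '<tenant uuid from the authenticated session>';
-- SELECT email FROM contacts;              -- returns only that tenant's rows
-- COMMIT;                                  -- SET LOCAL is discarded with the transaction

-- Quick verification that the controls are in place:
SELECT relname, relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'contacts';
SELECT has_table_privilege('app_rw', 'audit_log', 'UPDATE') AS can_update,
       has_table_privilege('app_rw', 'audit_log', 'DELETE') AS can_delete;
```

The two verification queries should report row security enabled and forced on `contacts`, and `false` for both `can_update` and `can_delete`.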
Appendix B — Sub-processors
The current list of Sub-processors is published at /legal/subprocessors and is incorporated into this DPA by reference. As of 2026-06-05 the list comprises 18 vendors.