Data Processing Addendum

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person that Atelier processes on behalf of Tenant under the Terms of Service.
• "Processing" has the meaning given in the GDPR.
• "Data Subject" means the individual to whom Personal Data relates.
• "Subprocessor" means any third party engaged by Atelier to process Personal Data on Tenant's behalf.
• "Applicable Data Protection Law" means the GDPR, the UK GDPR, and any other applicable data protection legislation in force.

2. Scope of Processing

3. Atelier's Obligations

Atelier shall:

• Process Personal Data only on documented instructions from Tenant (including as set out in these Terms), unless required to do otherwise by applicable law;
• Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations;
• Implement and maintain appropriate technical and organizational measures to protect Personal Data (see Section 4);
• Promptly notify Tenant if, in Atelier's opinion, an instruction from Tenant infringes Applicable Data Protection Law;
• Assist Tenant, by appropriate technical and organizational measures, in fulfilling Tenant's obligations to respond to Data Subject requests under Applicable Data Protection Law (see Section 6);
• Assist Tenant in ensuring compliance with its obligations relating to security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and information available to Atelier;
• At Tenant's choice, delete or return all Personal Data after the end of the provision of the Service, except to the extent required by applicable law to retain such data;
• Make available to Tenant all information necessary to demonstrate compliance with the obligations in this DPA.

4. Technical and Organizational Security Measures

Atelier implements the following measures to protect Personal Data:

• Encryption in transit: All connections to the Service use TLS 1.2 or higher;
• Authentication: Passwords are hashed using bcrypt with per-password salts; sessions are server-side and signed;
• Access control: Row-level tenant isolation in the database; Admin Users can only access data within their own tenant;
• CSRF protection: All state-changing requests require a valid CSRF token;
• Infrastructure security: Security headers (HSTS, CSP, X-Frame-Options) applied on all responses;
• Logging and monitoring: Server-side access and error logging with retention of 90 days;
• Dependency management: Regular security patching of application dependencies.

5. Subprocessors

Tenant grants Atelier general authorization to engage the Subprocessors listed in our Privacy Policy. Atelier will provide 30 days' advance notice of any intended changes to the Subprocessor list (additions or replacements). Tenant may object to a new Subprocessor within 14 days of notice; if no resolution is possible, Tenant may terminate the agreement for cause.

Atelier ensures that Subprocessors are bound by data protection obligations at least as protective as those in this DPA.

6. Data Subject Requests

Atelier will promptly notify Tenant if it receives a request from a Data Subject relating to Tenant's Personal Data. Atelier will not respond to such requests on Tenant's behalf without Tenant's prior authorization, unless required by law.

Atelier will provide Tenant with reasonable assistance and the technical tools necessary to fulfil Data Subject requests, including access, rectification, restriction, portability, and erasure. When processing an erasure request for a Data Subject, Atelier will anonymize (rather than delete) audit trail records required for legal compliance purposes, as described in our Privacy Policy.

7. Personal Data Breach Notification

Atelier will notify Tenant without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Tenant's data. The notification will include, to the extent available: the nature of the breach; categories and approximate number of Data Subjects and records affected; likely consequences of the breach; and measures taken or proposed to address it.

This timeline is designed to give Tenant adequate time to meet its own 72-hour reporting obligation to its supervisory authority under GDPR Article 33.

8. International Data Transfers

Where Atelier transfers Personal Data from the EEA, UK, or Switzerland to a country not recognized as providing adequate protection, such transfers are made pursuant to Standard Contractual Clauses (SCCs) adopted by the European Commission. The applicable SCCs (Module 2: Controller-to-Processor) are attached as Annex A to this DPA.

[Note: Annex A must be completed and attached by qualified legal counsel before this DPA is presented to EU/UK Tenants.]

9. Audit Rights

Atelier will make available to Tenant all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits and inspections conducted by Tenant or a mandated auditor, subject to reasonable advance notice (minimum 30 days) and confidentiality obligations. Atelier may satisfy audit requirements by providing current third-party security audit reports (e.g., SOC 2) in lieu of direct audits where available.

10. Data Return and Deletion

Upon termination or expiry of the Terms of Service, Atelier will, at Tenant's election, delete or return all Personal Data within 30 days, and certify in writing that it has done so, except to the extent that Applicable Data Protection Law requires retention of such data. After the 30-day window, data will be permanently deleted.

11. Governing Law

This DPA is governed by the same law as the Terms of Service, except to the extent that Applicable Data Protection Law requires otherwise. To the extent of any conflict between this DPA and the Terms of Service with respect to data protection matters, this DPA shall prevail.