Data Processing Agreement pursuant to Article 28 GDPR

between

the Customer as controller (“Controller”)

and

Atomity GmbH, Hermann-Löns-Straße 16, 64625 Bensheim, Germany, as processor (“Processor”, “Atomity”).

This Agreement supplements the General Terms and Conditions / Order Form between the parties (the “Main Agreement”) and governs the processing of personal data by the Processor on behalf of the Controller.

1. Subject Matter, Nature, Purpose and Duration#

1.1 The Processor processes Customer Personal Data on behalf of the Controller to provide the Atomity Cloud Service as described in the Main Agreement and specified in Annex 1, including hosting, storage, ingestion, normalization, analysis, reporting, recommendation generation, Customer-authorized orchestration, security monitoring, support and administration.

1.2 The duration of the processing corresponds to the term of the Main Agreement. Processing may continue for the limited export, deletion and backup-retention periods described in Clause 10.

2. Type of Data and Categories of Data Subjects#

The types of Customer Personal Data and the categories of data subjects are specified in Annex 1.

3. Rights and Obligations of the Controller#

3.1 The Controller is responsible for assessing the lawfulness of the processing and for safeguarding the rights of data subjects. The Controller provides all necessary information and privacy notices, establishes an appropriate legal basis, and ensures that its instructions and its transfer of data to the Processor are lawful.

3.2 The Controller determines the purposes and essential means of processing Customer Personal Data and retains all rights in Customer Data as provided in the Main Agreement. It is entitled to issue instructions on the type, scope and procedure of the processing.

3.3 The Processor acts as processor for Customer Personal Data processed to provide the Service on documented instructions. The Processor may act as an independent controller for its own contract administration, invoicing, compliance, fraud prevention and corporate security records, as described in Atomity’s Privacy Policy.

4. Processing on Instructions#

4.1 The Processor processes Customer Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do so by Union or Member State law; in that case the Processor informs the Controller of that legal requirement before processing, unless the law prohibits this.

4.2 The Main Agreement, this Agreement and its Annexes constitute the initial complete instructions. Further instructions must come from an authorized Controller contact through the agreed support, account or email channels and are given in text form.

4.3 Instructions outside the agreed scope of the Service may require technical assessment, additional fees and an amendment to the Order Form before the Processor is obliged to implement them.

4.4 The Processor informs the Controller without undue delay if it considers that an instruction infringes data-protection law. The Processor may suspend execution of such an instruction until confirmed or amended.

5. Confidentiality#

The Processor commits the persons authorised to process the Customer Personal Data to confidentiality (unless they are already under an appropriate statutory obligation) and ensures they process the data only on instruction and on a need-to-know basis. The Processor provides appropriate data-protection/security training, removes access following role changes, and ensures that confidentiality continues after the relevant access or employment ends.

6. Technical and Organisational Measures (Art. 32 GDPR)#

6.1 The Processor implements appropriate technical and organisational measures (“TOMs”) as set out in Annex 2 to ensure a level of security appropriate to the risk.

6.2 The TOMs are subject to technical progress. The Processor may update them provided the agreed level of protection is not reduced, and gives the Controller advance notice of any material change that could adversely affect Customer Personal Data, except for urgent security improvements.

7. Sub-processors#

7.1 The Controller grants general authorisation for the engagement of sub-processors. The sub-processors engaged at the time of conclusion are listed in Annex 3.

7.2 The Processor informs the Controller of any intended change concerning the addition or replacement of sub-processors at least 30 days before the new sub-processor begins processing Customer Personal Data. Notice will be sent to the Controller’s designated administrative email address and/or displayed through the Controller’s account, giving the Controller the opportunity to object on reasonable data-protection grounds.

7.3 If the Controller objects, the parties will first seek a reasonable alternative. If no reasonable alternative exists, the Controller may terminate only the affected part of the Service without penalty; unrelated services are not affected.

7.4 The Processor imposes on each sub-processor, by contract, the same data-protection obligations as set out in this Agreement (Art. 28 (4) GDPR). The Processor remains fully responsible to the Controller for the performance of each sub-processor’s obligations. Upon reasonable request, the Processor will provide relevant contractual information or a suitably redacted copy of the sub-processor agreement.

8. Assistance to the Controller#

8.1 Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests for exercising data-subject rights (Chapter III GDPR). The Processor promptly forwards data-subject requests it receives to the Controller and will not respond directly unless instructed by the Controller or legally required.

8.2 The Processor assists the Controller in ensuring compliance with the obligations under Art. 32 to 36 GDPR (security, breach notification, data protection impact assessment, prior consultation), taking into account the nature of processing and the information available to the Processor.

8.3 Ordinary assistance included in the Service is provided without extra charge. Unusually extensive or Customer-specific work (e.g. large-scale data extraction, extensive audit or DPIA support) may be charged at agreed rates, unless caused by the Processor’s breach.

9. Personal Data Breach#

The Processor notifies the Controller without undue delay after becoming aware of a personal data breach concerning the processed data, using the security-incident contact. The notification includes, as far as known and with continuing updates as information becomes available: the nature of the incident, the affected data and categories/approximate number of persons, the likely consequences, the measures taken or proposed, and a contact point for further information (Art. 33, 34 GDPR).

10. Deletion and Return#

10.1 After the end of the provision of services, the Processor, at the Controller’s choice communicated in text form, deletes or returns all Customer Personal Data and deletes existing copies, unless Union or Member State law requires storage.

10.2 Unless otherwise required by the DPA or law: ordinary use ends on termination; the Processor makes Customer Data available for export for 30 days; active copies are deleted after that period; and backup copies are deleted or overwritten according to the Processor’s documented backup cycle and remain protected until deletion. This aligns with Section 15 of the Main Agreement.

10.3 Upon reasonable request, the Processor will confirm completion of deletion, subject to backup cycles and legally required retention.

11. Audits#

11.1 The Processor makes available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by it.

11.2 The Processor may initially provide current security documentation, independent reports or self-assessments. Where this is insufficient, or following a material incident or a regulator request, the Controller may conduct a proportionate audit. On-site inspections are subject to: reasonable prior notice; confidentiality; a suitably qualified auditor who is not a competitor of the Processor; normally no more than once annually; conduct during business hours without disproportionate disruption; and payment of costs by the Controller unless serious non-compliance is identified.

12. International Transfers#

12.1 Customer Personal Data will be processed in the EEA unless otherwise identified in Annex 3. The Processor will not permit a third-country transfer or third-country remote access without documented instructions and a valid Chapter V transfer mechanism (e.g. an adequacy decision or the EU Standard Contractual Clauses under Commission Implementing Decision 2021/914, with supplementary measures where required).

12.2 For clarity, the controller-to-processor clauses under Commission Implementing Decision 2021/915 concern the Art. 28 relationship, while the Standard Contractual Clauses under Decision 2021/914 are relevant to qualifying third-country transfers. These are separate instruments serving different purposes.

13. Liability#

Liability between the parties is governed by the Main Agreement and by Art. 82 GDPR. This Agreement does not extend the Processor’s liability beyond what is mandated by law, and no contractual limitation affects rights or liabilities that cannot legally be limited, including data subjects’ statutory rights.

14. Final Provisions#

German law applies. In case of conflict between this Agreement and the Main Agreement on data-protection matters, this Agreement prevails. Amendments require text form.


Annex 1 — Details of Processing#

Categories of data subjects (only those Atomity realistically expects to process):

  • the Controller’s employees, contractors, Authorized Users and administrators;
  • billing contacts and cloud-account users;
  • IAM identities, resource owners and individuals referenced in uploaded support or configuration data, to the extent such data contains personal data.

Types of personal data (where applicable):

  • account and contact data of the Controller’s users (name, business email, role);
  • authentication and log data (e.g. user IDs, account IDs, access/audit logs, login timestamps, IP addresses, device/browser information, permissions);
  • resource identifiers, tags, configuration metadata and billing metadata;
  • support communications;
  • personal data incidentally contained in connected/uploaded Customer Data (e.g. identifiers in cloud cost/billing exports).

Special categories: The Service is not intended for special-category data (Art. 9 GDPR) or criminal-conviction data (Art. 10 GDPR) unless expressly agreed in the Order Form and accompanied by appropriate additional safeguards.

Nature and purpose of processing: Hosting, storage, ingestion, normalization, analysis and presentation of the data to provide cost, utilization, performance, carbon and governance decision-support; security/governance analysis and audit reporting; Customer-authorized orchestration; support and administration.

Duration: The term of the Main Agreement (Clause 1.2), plus the export/deletion/backup periods in Clause 10.

Annex 2 — Technical and Organisational Measures (Art. 32 GDPR)#

Confidentiality

  • Access is restricted through individual user accounts, Keycloak authentication, role-based permissions, least-privilege access and MFA/OTP for privileged accounts.
  • Physical infrastructure is hosted in Hetzner data centres in Germany.
  • Data is protected using TLS during transmission. Production data and backups are encrypted where technically supported, and credentials and secrets are stored separately from source code.

Integrity

  • Authentication events, administrative actions, security-relevant changes and deployments are logged where supported.
  • Source code and infrastructure configurations are managed through GitLab. Production changes are normally made through protected branches, merge requests, code review and controlled CI/CD pipelines.
  • Development, testing and production environments are logically separated.

Availability and Resilience

  • Production databases, files and configurations are backed up regularly to a separate restricted storage environment.
  • Backups are encrypted, retained according to Atomity’s documented retention schedule and periodically tested for restoration.
  • Critical systems, storage capacity, certificates, backup jobs and service availability are monitored, with alerts sent to authorized personnel.

Procedures for regular review

  • Technical and organisational measures are reviewed at least annually and after material security incidents or significant system changes.
  • Access rights, vulnerabilities, subprocessors and security incidents are reviewed through documented procedures.
  • Personnel with access to personal data are subject to confidentiality and appropriate security instructions.

Data minimisation

  • Only data necessary for the agreed service is processed.
  • Customer cloud connections use minimum required permissions; read-only access is used by default, while orchestration permissions require explicit customer authorization.
  • Customer data is logically separated, and synthetic or anonymized data is used for development and testing where possible.
  • Rybbit is self-hosted and configured to minimise analytics data, without unnecessary tracking or storage of raw IP addresses.

Annex 3 — Approved Sub-processors#

A sub-processor is a third party that can process Customer Personal Data on Atomity’s behalf. Keycloak, Mailcow, Dolibarr, Rybbit, Nextcloud and Grafana are open-source software self-hosted and operated by Atomity on the infrastructure below; their maintainers cannot access Atomity’s systems or Customer Personal Data, so they are documented as tools within the TOMs rather than as sub-processors.

Sub-processorService providedLocation of processingTransfer basis
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, GermanyHosting / infrastructureGermany – configured Hetzner data-centre regionNot applicable – processing within the EEA