atombit

Data Processing Agreement

Last updated: 1 July 2026

This Data Processing Agreement ("DPA") governs the processing of personal data by atombit on behalf of clients under Article 28 of the EU GDPR and equivalent UK legislation. It supplements our Terms of Service and Privacy Policy.

For enterprise clients requiring a signed DPA

EU, UK, and Singapore-regulated clients may require a countersigned DPA as part of their vendor onboarding. atombit issues a project-specific DPA on request. Contact partnerships@atombit.in with subject line "DPA Request — [Company Name]" and we will issue a draft within 48 hours of engagement confirmation.

1. Definitions

"Controller" means the client entity that determines the purpose and means of processing personal data. "Processor" means atombit, which processes personal data on the Controller's behalf. "Data Subject" means any natural person whose personal data is processed under this DPA. "Personal Data" has the meaning given in Article 4 of the EU GDPR.

2. Subject matter and nature of processing

atombit processes personal data solely to provide the technology engineering services described in the Statement of Work (SoW). Processing may include: storing, structuring, adapting, retrieving, and transmitting personal data within systems built or operated for the Controller. atombit does not process personal data for any purpose other than those explicitly instructed by the Controller.

3. Types of personal data and data subjects

The categories of personal data and types of data subjects are defined in the project SoW. Typical categories include: end-user contact details, transaction records, KYC/onboarding data, and user activity logs within the delivered system.

4. Obligations of atombit as Processor

As Processor, atombit will:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that all personnel authorised to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures (including encryption in transit and at rest, access controls, and regular security reviews).
  • Not engage sub-processors without prior written consent of the Controller, and impose equivalent obligations on any approved sub-processor.
  • Assist the Controller in responding to Data Subject requests, security incidents, DPIAs and consultations with supervisory authorities.
  • Delete or return all personal data at the end of the engagement, at the Controller's choice, and delete existing copies unless retention is required by law.
  • Make available all information necessary to demonstrate compliance and allow for audits.

5. Sub-processors

atombit may engage the following categories of sub-processors in delivery of services: cloud infrastructure providers (IaaS/PaaS), monitoring and logging tooling, and email delivery services. A current list of specific sub-processors is available on request. atombit will give the Controller 14 days' advance notice of any new sub-processor, during which the Controller may object.

6. International data transfers

Where personal data is transferred to a country outside the EEA or UK that does not have an adequacy decision, atombit will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) issued by the European Commission or the ICO (UK). Details of transfer mechanisms are set out in the project-specific DPA.

7. Security incidents

In the event of a personal data breach, atombit will notify the Controller without undue delay and within 48 hours of becoming aware, providing all information reasonably available to assist the Controller in meeting its own notification obligations to supervisory authorities and data subjects.

8. Term and termination

This DPA remains in effect for the duration of the engagement and terminates automatically upon expiry or termination of the SoW. Obligations relating to confidentiality and data deletion survive termination.

9. Governing law

This DPA is governed by the same law as the corresponding SoW. For EU-regulated clients, the DPA is interpreted in accordance with EU GDPR. For UK clients, in accordance with the UK GDPR and the Data Protection Act 2018.

10. Contact

To request a countersigned project DPA, or for any data processing query, contact: partnerships@atombit.in.