DATA PROCESSING ADDENDUM

We process your data on your instructions.

Atlantic acts as your data processor. You stay in control. Enterprise customers can request a fully executed DPA with SCCs.

01

Overview

This Data Processing Addendum (“DPA”) forms part of the agreement between Atlantic AI Inc. (“Atlantic”, the Processor) and you (“Customer”, the Controller) for use of the Atlantic platform.

This page is a human-readable summary. Enterprise customers may request the full legally-executed DPA (incorporating Standard Contractual Clauses) by emailing info@getatlantic.ai.

Effective date: 2026-06-02.
Company: Atlantic AI Inc., 8 The Green STE D, Dover, Delaware 19901, USA.

02

Roles

You (Customer) are the Controller. You determine what personal data is processed and for what purposes. You are responsible for having a lawful basis for the processing you instruct Atlantic to perform.

Atlantic is the Processor. We process personal data only on your documented instructions. We do not make independent decisions about the purposes or means of processing your personal data.

For product analytics on your end-users’ usage of the Atlantic platform, Atlantic acts as an independent Controller for those analytics events (subject to its own Privacy Policy).

03

Scope of processing

Atlantic processes personal data on your behalf in the following categories:

  • Employee & team member data — names, emails, org positions you configure in Atlantic
  • Integration-sourced data — content from connected tools (Slack messages, Drive documents, Jira tickets, etc.) to the extent they contain personal data
  • Conversation data — content of messages exchanged with Atlantic agents
  • Knowledge base data — documents and embeddings you upload

Processing activities include storage, retrieval, embedding, AI inference, and access logging. Duration: for the term of your subscription plus 90 days post-termination, unless earlier deletion is requested.

04

Processing on instructions

Atlantic processes your data only as instructed by you (via your use of the platform and API) and as required by applicable law. If we believe an instruction violates applicable law, we will promptly inform you.

Atlantic will never use your data to train, fine-tune, or evaluate AI models — this is a contractual commitment backed by our sub-processor agreements with AWS Bedrock.

05

Sub-processing

Atlantic uses a limited set of sub-processors to deliver the service. The current list is published at getatlantic.ai/sub-processors.

We will notify you at least 30 days before engaging a new sub-processor that handles personal data covered by this DPA. If you object on legitimate data protection grounds, you may terminate the affected service with a pro-rata refund.

Atlantic ensures each sub-processor is bound by data protection obligations no less protective than those in this DPA.

06

Security measures

Atlantic implements the following technical and organizational measures (TOMs):

  • Encryption at rest: AES-256, customer-managed keys (BYOK) available on Enterprise
  • Encryption in transit: TLS 1.3 enforced for all connections
  • Access control: Role-based access, principle of least privilege, MFA for admin access
  • Audit logging: All data access and admin actions logged and retained 90 days
  • SOC 2 audit: Annual audit by an AICPA-licensed firm; report available under NDA
  • Vulnerability management: Regular penetration testing and dependency scanning
  • Incident response: Documented IR plan; breach notification within 72 hours
  • On-prem airgap: Available on Enterprise: no data leaves your network

07

Data subject requests

When you receive a data subject request (access, deletion, portability, etc.) from an individual whose data Atlantic processes on your behalf, you are responsible for responding.

Atlantic will provide reasonable assistance to help you fulfil such requests within 30 days of your written request, including data exports and deletion confirmations. Requests should be sent to info@getatlantic.ai.

08

International transfers

Atlantic is based in the United States. When we transfer personal data from the EU/EEA or UK to the US (or other third countries), we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission under GDPR Article 46(2)(c).

Enterprise customers may request the signed DPA incorporating the Module 2 (Controller-to-Processor) SCCs by emailing info@getatlantic.ai.

For Turkish customer data, Atlantic maintains data residency in-region where technically feasible and complies with KVKK Article 9 requirements for cross-border transfers.

09

Breach notification

If Atlantic becomes aware of a personal data breach affecting data we process on your behalf, we will notify you within 72 hours of becoming aware. The notification will include, to the extent known:

  • The nature of the breach and categories of data affected
  • Approximate number of individuals and records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

Atlantic will cooperate fully with your breach notification obligations to supervisory authorities and affected individuals.

10

Audit rights

Atlantic makes its SOC 2 report available to customers on request (under NDA). Enterprise customers may, with 30 days’ written notice and at their own expense, conduct an audit of Atlantic’s data processing activities — or appoint an independent auditor — no more than once per year.

Atlantic may require the auditor to sign a confidentiality agreement before disclosing proprietary information.

11

Deletion on termination

On termination of your subscription, Atlantic will:

  • Retain your data in a read-only state for 30 days to allow self-service export
  • Permanently delete all your data (including backups) within 90 days of termination
  • Provide a written confirmation of deletion on request

Exceptions: data retained by legal obligation or in anonymized/aggregated form that cannot be re-attributed to you.

12

Enterprise DPA

Enterprise customers who require a fully executed DPA with incorporated SCCs, custom retention terms, or region-specific addenda (e.g. UK IDTA, Swiss addendum) should contact info@getatlantic.ai. We will respond within 5 business days.