Forum Atlas — Data Processing Addendum
Version 1.0 · Effective July 12, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Forum Atlas, Inc., a Delaware corporation ("Forum Atlas," the "Processor"), and the customer that accepts the Forum Atlas Terms & Conditions or signs an order form referencing this DPA ("Customer," the "Controller"), and applies to the extent Forum Atlas processes Personal Data on Customer's behalf in providing the Forum Atlas platform, website, and APIs (the "Platform").
This DPA is offered as our standard online terms. Enterprise customers requiring a countersigned copy or negotiated modifications should contact support@forumatlas.com.
1. Definitions
"Personal Data," "Controller," "Processor," "Data Subject," "Processing," and "Supervisory Authority" have the meanings given in the GDPR. "GDPR" means Regulation (EU) 2016/679 and, where applicable, the UK GDPR. "SCCs" means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller-to-processor). "Customer Data" means data Customer or its users submit to the Platform, including workspace content, uploaded documents, queries, and account information of Customer's users.
2. Scope and roles
2.1 For Customer Data that constitutes Personal Data, Customer is the Controller and Forum Atlas is the Processor. Forum Atlas is an independent controller for (a) its own account, billing, and support records and (b) the publicly available source material the Platform independently ingests and analyzes, as described in the Privacy Policy.
2.2 Details of Processing. Subject matter: provision of the Platform. Duration: the term of the agreement plus the deletion period in §9. Nature and purpose: hosting, analysis, search, brief and forecast generation, and support. Categories of Data Subjects: Customer's users and personnel; individuals named in content Customer submits. Categories of Personal Data: identification and contact data, professional data, usage data, and any Personal Data contained in Customer-submitted content. No special-category data is required to use the Platform, and Customer agrees not to submit it.
3. Processing instructions
Forum Atlas will process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required otherwise by law (in which case Forum Atlas will inform Customer before processing, unless the law prohibits it). The agreement, this DPA, and Customer's use of Platform settings and APIs constitute the complete instructions.
4. Confidentiality
Forum Atlas ensures that persons authorized to process Personal Data are bound by contractual or statutory confidentiality obligations.
5. Security
Forum Atlas implements and maintains appropriate technical and organizational measures, taking into account the state of the art, costs, and the nature, scope, context, and purposes of Processing, including at minimum the measures described in Annex II. Forum Atlas will not materially decrease the overall security of the Platform during a subscription term.
6. Subprocessors
6.1 Customer generally authorizes the subprocessors listed at /subprocessors, which Forum Atlas will keep current.
6.2 Forum Atlas will provide at least 15 days' notice of new subprocessors to customers subscribed to notifications (per the process on the subprocessor page). Customer may object on reasonable data-protection grounds within the notice period; if the parties cannot resolve the objection, Customer may terminate the affected subscription with a pro-rata refund of prepaid fees.
6.3 Forum Atlas imposes data-protection obligations on subprocessors that are no less protective than this DPA and remains liable for their performance.
7. Data subject rights and assistance
Taking into account the nature of Processing, Forum Atlas will assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection). If a Data Subject contacts Forum Atlas directly regarding Customer Data, Forum Atlas will refer the request to Customer without undue delay. Forum Atlas will further assist Customer, as reasonably required, with security, breach notification, data-protection impact assessments, and consultations with Supervisory Authorities under Articles 32–36 GDPR.
8. Personal Data breach
Forum Atlas will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer Data, and will provide information reasonably required for Customer to meet its own notification obligations, updated as the investigation progresses.
9. Deletion and return
Upon termination or expiry of the agreement, Forum Atlas will, at Customer's choice, delete or return Customer Data (including Personal Data) within 30 days, and delete remaining copies within 90 days, except where retention is required by law. Deletion is performed across production systems and completed in backups on the backup rotation schedule.
10. Audit
Forum Atlas will make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party security assessments when available. Customer may conduct an audit (at most annually, on 30 days' notice, during business hours, under confidentiality, and without access to other customers' data) to the extent the information made available is insufficient. Customer bears the costs of audits it initiates.
11. International transfers
Where Processing involves a transfer of Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties enter into the SCCs (Module Two), which are incorporated by reference: Clause 7 (docking) included; Clause 9(a) Option 2 (general authorization, 15 days); Clause 11 optional language excluded; Clause 17 governing law: Ireland; Clause 18 forum: Ireland. Annex I is completed by §2.2 and the parties' details in the agreement; Annex II by Annex II below. For UK transfers, the UK IDTA Addendum applies with the mandatory tables completed by the foregoing. The Platform's primary processing region is the United States, as described in our data residency documentation.
12. Order of precedence; liability
In case of conflict, the SCCs prevail over this DPA, which prevails over the agreement. Each party's liability under this DPA is subject to the limitations of liability in the agreement, except where prohibited by law.
Annex II — Technical and organizational measures
- Tenant isolation: workspace-scoped row-level security enforced at the database layer (
FORCE ROW LEVEL SECURITY), with automated isolation tests in continuous integration. - Encryption: TLS 1.2+ in transit; AES-256 encryption at rest via managed infrastructure providers.
- Access control: SSO-backed authentication; least-privilege service credentials; secrets held in managed secret stores, never in source control.
- Change management: all changes ship through version control and automated CI gates (type checks, tests, security-relevant checks) with protected branches.
- Monitoring and incident response: centralized error monitoring, uptime checks, and a documented incident-response process with severity classification and post-incident review.
- Backups: automated daily database backups with periodic restore verification.
- Data minimization for AI features: model providers are bound by API terms under which customer inputs are not used for model training; provider retention is limited-duration for abuse monitoring (see /subprocessors).
- Personnel: access to production limited to authorized personnel under confidentiality obligations.
History
- v1.0 (July 12, 2026) — Initial version.