1. Definitions
Capitalized terms not defined here have the meaning given in our Terms of Service. "Atlas" means Atlas Bridge Logistics, Inc., a U.S. company. "Customer" means you (the entity that accepted the Terms of Service). "Personal Data", "Controller", "Processor", and "Data Subject" have the meanings given in the GDPR (EU 2016/679).
2. Roles & scope
For Personal Data Customer submits to Atlas in the course of using the Service, Atlas acts as a Processor on behalf of Customer (the Controller). This DPA applies only to such Personal Data. Atlas is the Controller of data about Customer's account and usage of the Service (described in our Privacy Policy).
3. Subject matter and duration
Subject matter: processing of Personal Data necessary to provide the freight-booking, tracking, billing, and integration features of the Atlas platform. Duration: for as long as Customer's account is active, plus a 90-day post-termination retention period for backups (after which Personal Data is purged).
4. Categories of data subjects and data
- Categories of Data Subjects: Customer's own employees, customers, consignees, suppliers, and any other natural person whose Personal Data Customer submits to the Service.
- Categories of Personal Data: names, postal addresses, email addresses, phone numbers, company affiliations; shipment metadata that may incidentally include such data.
- Special category data: Atlas does not solicit or require Special Categories of Personal Data. Customer must not submit any.
5. Sub-processors
Customer authorizes Atlas to engage the sub-processors listed below. Atlas will notify Customer at least 30 days before adding or replacing any sub-processor; Customer may object on reasonable grounds.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | United States (us-east-1) |
| Vercel, Inc. | Hosting, CDN, build infrastructure | United States, EU |
| Stripe, Inc. | Payment processing, invoicing | United States, Ireland |
| Shippo, Inc. | Carrier rate-shopping, label generation, tracking | United States |
| Resend, Inc. | Transactional email | United States |
| Twilio, Inc. | SMS notifications (when enabled by Customer) | United States |
| Anthropic PBC | AI features (support agent, content generation — opt-in) | United States |
6. International transfers
When Personal Data of EU/EEA, UK, or Swiss Data Subjects is transferred to the United States or to any country without an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs) of 4 June 2021, Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor) as applicable, incorporated into this DPA by reference. For UK Data Subjects, the UK International Data Transfer Addendum applies.
7. Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-level security on every database table holding Customer data.
- Multi-factor authentication required for all Atlas employee access.
- Least-privilege access control; audit log of every admin action.
- Annual penetration test by a qualified third party.
- Documented incident-response plan; breach notification within 72 hours.
- Sub-processor security reviews on engagement and annually.
8. Data Subject Rights
Atlas will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to Data Subject requests under Articles 12-23 GDPR. Customer can fulfill most rights directly via the Atlas dashboard: access and export from Settings → Export, deletion via Settings → Delete account, correction by editing the relevant record. For requests Atlas must execute on Customer's behalf, email dpa@atlasbridgelogistics.com.
9. Personal Data breaches
Atlas will notify Customer in writing within 72 hours of becoming aware of a Personal Data Breach affecting Customer's data, with the information required by Article 33(3) GDPR.
10. Audits
Customer may, no more than once per calendar year, request an audit by a mutually agreed third-party auditor under reasonable confidentiality terms. Atlas will provide its SOC 2 Type II report (when available) and relevant policies on request to satisfy the audit obligation; on-site audits will only be granted where the SOC 2 report and policies are insufficient and the regulatory basis is documented.
11. Return or deletion of Personal Data
On termination of the Service, Atlas will, at Customer's choice, delete or return all Personal Data and delete existing copies, unless applicable law requires storage. Backups containing Personal Data are purged within 90 days of termination.
12. Liability
Each party's liability under this DPA is subject to the limitation of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability to a Data Subject for breach of the GDPR.
13. Order of precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA controls with respect to Atlas's processing of Personal Data on Customer's behalf. The SCCs control over any conflicting provision of this DPA.
14. Governing law and jurisdiction
This DPA is governed by the laws of the State of California, United States, except where Customer is established in the EU/EEA/UK, in which case the SCCs' governing-law clause controls for matters within the scope of the SCCs.
15. How to execute this DPA
Customer is deemed to have accepted this DPA by accepting Atlas's Terms of Service. Enterprise customers who require a counter-signed copy may email legal@atlasbridgelogistics.com with their entity name, signatory, and address; a Word version with SCCs Annexes pre-populated will be sent for execution.
Atlas Bridge Logistics, Inc.
Email: legal@atlasbridgelogistics.com
Privacy contact: dpa@atlasbridgelogistics.com