Data Processing Agreement
Last updated: 26 June 2026
This document is provided in English. The English-language version is the authoritative and legally binding version; any translation is provided for convenience only.
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Atlas Mint Ltd (“Processor”, “we”) and the Customer (“Controller”, “you”) and applies where we process personal data contained in your Customer Content on your behalf, as required by Article 28 of the UK General Data Protection Regulation (“UK GDPR”) and, where applicable, the EU GDPR (together, the “GDPR”).
Roles. For personal data in your Customer Content, you are the controller and we are the processor (this DPA). For account, billing and usage data that we determine the purposes of, we act as an independent controller under our Privacy Policy.
1. Subject matter & duration
We process personal data only to provide the Service under the Terms, for the duration of your use of the Service and until deletion or return of the data as set out below. Details of the processing are in Annex A.
2. Processing on documented instructions
We process personal data only on your documented instructions (including via your use and configuration of the Service), unless required to do otherwise by applicable law, in which case we will inform you unless legally prohibited. We will inform you if, in our opinion, an instruction infringes data protection law.
3. Confidentiality
We ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
4. Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex B (Art. 32 GDPR).
5. Sub-processors
You give general authorisation for us to engage sub-processors to process personal data in your Customer Content. On request, we will provide our current list of sub-processors, including their purpose and location. We impose data protection obligations on our sub-processors that are no less protective than those in this DPA, and we remain responsible for their performance. We will inform you of any intended addition or replacement of a sub-processor (by email to your account contact and/or an in-app notice), and you may object on reasonable data-protection grounds within 14 days of that notice; if we cannot reasonably accommodate the objection, you may terminate the affected part of the Service.
6. Data subject rights
Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights under the GDPR. Where a data subject contacts us directly regarding your Customer Content, we will refer them to you.
7. Assistance & breach notification
We will assist you in ensuring compliance with your obligations under Articles 32–36 GDPR, taking into account the nature of processing and the information available to us. We will notify you without undue delay after becoming aware of a personal data breach affecting your Customer Content, and provide information reasonably required for you to meet your notification obligations.
8. International transfers
We are established in the United Kingdom. Where you are established in the EEA, your transfer of personal data to us as your processor relies on the European Commission’s adequacy decision for the United Kingdom (currently in force). Core processing takes place in the European Union (Germany), which the UK in turn recognises as providing adequate protection.
Where personal data is transferred to a country without adequate protection (e.g. by a sub-processor), we rely on appropriate safeguards under Chapter V of the GDPR — primarily the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the Standard Contractual Clauses (and the EU SCCs for EEA data), or, where the importer is certified, the UK Extension to the EU–US Data Privacy Framework — or on an applicable adequacy decision.
9. Deletion or return
On termination of the Service, we will, at your choice, delete or return the personal data in your Customer Content, and delete existing copies, unless retention is required by law. Standard residual copies in backups are deleted on our rolling backup cycle.
10. Audits
We will make available to you the information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality, and frequency limits, and in a manner that does not disrupt our operations or compromise other customers’ data.
11. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
12. How to enter into this DPA
This DPA is incorporated into the Terms and applies automatically where we act as your processor. If you require a countersigned copy for your records, contact [email protected].
Annex A — Details of processing
- Subject matter: provision of the CardFactory Service.
- Duration: the term of the Customer’s use of the Service.
- Nature & purpose: hosting, storage, and AI-assisted generation of product cards (images, copy, SEO) from Customer Content, and related Service operations.
- Types of personal data: any personal data the Customer chooses to include in Customer Content (e.g. names or contact details within product, brand or template materials), and identifiers of the Customer’s authorised users acting within the workspace.
- Categories of data subjects: the Customer’s personnel and authorised users, and any individuals referenced in the Customer Content.
Annex B — Technical & organisational measures
- Encryption: encryption in transit (TLS) for data transmitted to and within the Service.
- Access control: role-based access controls, least-privilege access, hashed credentials, and per-workspace isolation.
- Network security: firewall, WAF/CDN protection, and restricted administrative access.
- Data location: primary hosting and storage in the EU (Germany).
- Resilience: backups with a defined rolling retention and deletion cycle.
- Logging & monitoring: audit logging of key actions and security monitoring.
- Vendor management: data-protection terms imposed on sub-processors.
These measures may evolve as the Service improves; we will not materially reduce the overall level of security during the term.