Data Processing Agreement

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Atronus Technologies, Inc. End User License Agreement between Atronus Technologies, Inc. ("Data Processor" or "Atronus") and the Subscriber ("Data Controller"). It governs the processing of personal data by Atronus on behalf of the Subscriber in connection with the OmniBotX Service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Service, including End User conversation data, lead information, and session metadata.

"Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.

"Controller" means the Subscriber who determines the purposes and means of processing.

"Processor" means Atronus Technologies, Inc. which processes Personal Data on behalf of the Controller.

"Sub-processor" means any third party engaged by Atronus to process Personal Data.

2. Scope and Purposes of Processing

Atronus processes Personal Data solely for the following purposes:

• Operating the OmniBotX Service and delivering AI-powered chat responses
• Storing and displaying Conversation Data in the Subscriber's dashboard
• Delivering conversation summary emails to Subscribers
• Storing lead information captured during End User interactions
• Performing content moderation and security monitoring
• Language detection and cross-language translation services
• Improving Service quality through aggregated, anonymized analytics

3. Subscriber Obligations as Data Controller

The Subscriber, as Data Controller, agrees to:

• Ensure a lawful basis exists for processing End User Personal Data (e.g., consent, legitimate interests)
• Provide End Users with appropriate privacy notices disclosing AI chatbot use
• Obtain any required consents from End Users before deploying the bot
• Comply with all applicable data protection laws in the Subscriber's jurisdiction
• Respond to End User data subject requests (access, deletion, portability) within required timeframes

4. Atronus Obligations as Data Processor

Atronus agrees to:

• Process Personal Data only on documented instructions from the Subscriber and as required by applicable law
• Ensure all personnel with access to Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures (encryption, access controls, monitoring)
• Notify the Subscriber without undue delay (and within 72 hours where feasible) of any Personal Data breach affecting Subscriber data
• Assist the Subscriber in fulfilling data subject rights requests within the capabilities of the Service
• Delete or return all Personal Data upon termination of the Agreement within 90 days
• Make available all information necessary to demonstrate compliance with this DPA

5. Sub-processors

Atronus engages the following sub-processors to deliver the Service. Subscriber provides general authorization for these sub-processors:

• Anthropic, Inc. (USA) — AI inference. Privacy Policy
• Supabase, Inc. (USA) — Database and authentication. Privacy Policy
• Cloudflare, Inc. (USA/Global) — Infrastructure and CDN. Privacy Policy
• Stripe, Inc. (USA) — Payment processing. Privacy Policy
• Resend, Inc. (USA) — Email delivery. Privacy Policy
• Google LLC (USA) — Language detection and translation. Privacy Policy

Atronus will notify Subscribers of any intended changes to sub-processors, providing an opportunity to object before the change takes effect.

6. International Data Transfers

Personal Data may be transferred to and processed in the United States by Atronus and its sub-processors. For transfers of EEA/UK Personal Data, Atronus relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated by reference into this DPA.

7. Data Retention and Deletion

Personal Data is retained for the duration of the active Subscription Term plus 90 days. Upon Subscriber request or termination, Atronus will delete all Personal Data within 90 days and provide written confirmation. Backup data may be retained for up to 180 days in encrypted form.

8. Audit Rights

Upon reasonable written notice (minimum 30 days), Atronus will make available information necessary to demonstrate compliance with this DPA. Audits may be conducted by the Subscriber or a mutually agreed third-party auditor no more than once per calendar year.

9. Security Standards and Certifications

Atronus implements security controls aligned with the SOC 2 Trust Service Criteria (Security, Availability, and Confidentiality). OmniBotX has not completed a formal SOC 2 Type II audit as of the effective date of this DPA. Security controls currently in place include:

• Encrypted data transmission (TLS 1.3) between all system components
• Encrypted data storage via Supabase (AES-256)
• Role-based access controls and authentication for Subscriber dashboards
• Cloudflare DDoS protection, WAF, and bot management
• API key management via Cloudflare Workers Secrets
• Content moderation pre-filtering before AI processing

Enterprise Subscribers may request security documentation and architecture details by contacting info@atronus.com. Atronus commits to completing a formal SOC 2 Type II audit as part of its enterprise readiness roadmap.

10. Governing Law

This DPA is governed by the laws of the State of Texas, USA. It is also intended to satisfy the requirements of Article 28 of the GDPR and equivalent provisions of the UK GDPR.