Data Processing Agreement
Controller: Customer · Processor: AtomEons, LLC · Effective: April 30, 2026 · Last updated: April 30, 2026 · Forms part of the MSA · Governs GDPR Art. 28 processing
This Data Processing Agreement ("DPA") forms part of, and is governed by, the Master Services Agreement (the "MSA") between AtomEons, LLC ("AtomEons", "Processor", or "we") and the customer entity identified in the applicable Order Form ("Customer" or "Controller"). It applies whenever AtomEons Processes Personal Data on Customer's behalf in the course of providing the Services and is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), the UK GDPR, and similar laws.
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the MSA. The following definitions also apply:
- "Controller" means the entity that determines the purposes and means of the Processing of Personal Data. For Personal Data Processed under this DPA, Customer is the Controller.
- "Processor" means the entity that Processes Personal Data on behalf of the Controller. AtomEons acts as Processor under this DPA.
- "Sub-processor" means any third party engaged by AtomEons to Process Personal Data on behalf of Customer in connection with the Services.
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that Customer or its Authorized Users submit to, or that is generated by, the Services.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, transmission, deletion, or destruction.
- "Data Protection Laws" means the GDPR, the UK GDPR (as defined in the UK Data Protection Act 2018), the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws.
- "Standard Contractual Clauses" or "SCCs" means the Module Two (Controller-to-Processor) standard contractual clauses adopted by the European Commission on June 4, 2021 (Decision 2021/914), as may be amended.
- "UK IDTA" means the International Data Transfer Agreement issued by the UK Information Commissioner's Office (or the UK Addendum to the SCCs), as applicable.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed under this DPA.
2. Scope and Roles
2.1 Subject Matter and Duration
This DPA governs AtomEons' Processing of Personal Data on Customer's behalf for the purpose of delivering the Services described in the MSA and any Order Form. The duration of Processing equals the term of the MSA plus any post-termination period required for return or deletion under Section 11.
2.2 Nature and Purpose of Processing
AtomEons Processes Personal Data solely to: (a) provide the Platform, the MCP delivery service, and any Skilski licenses specified in an Order Form; (b) maintain accounts, sessions, vault state, and audit logs; (c) provide support; (d) detect and respond to security incidents; and (e) comply with documented Customer instructions and applicable law.
2.3 Categories of Data Subjects
- Customer's Authorized Users (employees, contractors)
- Customer's end users where their Personal Data is submitted to a Skilski
- Other natural persons referenced in prompts or outputs
2.4 Categories of Personal Data
- Account identifiers (email, name, organization)
- Authentication and session data (hashed credentials, MCP token hashes)
- Billing data (handled by Stripe as Sub-processor)
- Usage and audit metadata (timestamps, Skilski slugs, response status)
- Prompt and output content submitted by Customer to the Services
- IP address and request logs for security and abuse prevention
2.5 Special Category and Sensitive Data
The Services are not designed to Process special categories of Personal Data under GDPR Art. 9 or sensitive Personal Information under CCPA/CPRA. Customer must not submit protected health information ("PHI") subject to HIPAA without a separate executed Business Associate Agreement, and must not submit children's data subject to COPPA or GDPR Art. 8 without additional written agreement.
3. Customer Obligations as Controller
Customer warrants and undertakes that, in respect of all Personal Data Processed under this DPA, Customer:
- has established a valid lawful basis under Article 6 GDPR (and Article 9 where applicable) for the Processing it instructs AtomEons to perform;
- has provided all required notices to, and obtained any required consents or authorizations from, Data Subjects in accordance with applicable Data Protection Laws;
- will issue only documented, lawful Processing instructions consistent with the MSA, the Services documentation, and this DPA;
- is responsible for the accuracy, quality, and legality of the Personal Data submitted to the Services, and for the means by which Customer acquired the Personal Data;
- will respond to Data Subject requests directed to Customer and will use the controls AtomEons makes available (vault dashboard, data export, deletion requests via privacy@skill.ski) to fulfill those requests; and
- will not instruct AtomEons to Process Personal Data in a manner that would violate Data Protection Laws or any third-party rights.
4. Processor Obligations
4.1 Documented Instructions
AtomEons will Process Personal Data only on documented instructions from Customer, including the instructions set out in this DPA, the MSA, the Order Form, and the Services documentation, except where required to do so by Union or Member State law to which AtomEons is subject; in such a case, AtomEons will inform Customer of that legal requirement before Processing, unless that law prohibits such notice on important grounds of public interest.
AtomEons will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
4.2 Confidentiality
AtomEons ensures that personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is granted on a need-to-know basis.
4.3 Security Measures
AtomEons implements the technical and organizational measures described in Section 7 of this DPA and will not materially diminish the overall protection afforded by those measures during the term.
4.4 Sub-processors
AtomEons engages Sub-processors only in accordance with Section 5 of this DPA and ensures that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
4.5 Assistance to Controller
Taking into account the nature of Processing and the information available to it, AtomEons provides reasonable assistance to Customer to enable Customer to comply with its obligations under Articles 32-36 GDPR (security, breach notification, data protection impact assessments, prior consultation) and with Data Subject requests under Section 6 of this DPA.
4.6 Records of Processing
AtomEons maintains records of Processing activities carried out on behalf of Customer, in accordance with Article 30(2) GDPR, and makes them available to Customer or a competent supervisory authority on reasonable request.
5. Sub-processors
5.1 General Authorization
Customer grants AtomEons a general written authorization to engage Sub-processors to Process Personal Data, subject to the requirements of this Section 5. AtomEons remains liable to Customer for the acts and omissions of its Sub-processors to the same extent as if it had performed the Processing itself.
5.2 Current Sub-processors
As of the Effective Date, AtomEons engages the following Sub-processors. The current list is also published in the Trust Center, which is incorporated by reference.
| Sub-processor | Purpose | Data scope | Region |
|---|---|---|---|
| Vercel Inc. | Application hosting + edge compute | Request logs, IP, response payloads (no Skilski content persisted at edge) | US (primary), edge replicas global |
| Supabase, Inc. | Authentication, PostgreSQL, Row Level Security | Account, sessions, purchases, vault state, MCP token hashes | US-East (Virginia) |
| Stripe, Inc. | Payment processing for all subscriptions (Pro, Elite Quarterly, Elite Annual) and outright Skilski purchases; subscription invoicing; Customer Portal; Stripe Tax; Stripe Radar (fraud prevention) | Email, billing name, payment method, subscription state, tax ID (when provided) | US |
| Anthropic, PBC | AI intent classification for search (optional) | Search query string only — never account data | US |
5.3 Notice and Right to Object
AtomEons will notify Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance by updating the Sub-processor list at /legal/security-trust and, where Customer has subscribed to email notifications via privacy@skill.ski, by email. Customer may object to a new Sub-processor on reasonable, documented data protection grounds within fifteen (15) days of notice. If Customer so objects, the parties will work in good faith to resolve the objection; if no resolution is reached, Customer may, as its sole remedy, terminate the affected Order Form for the portion of Services that cannot be provided without the new Sub-processor and receive a pro-rata refund of pre-paid, unused fees.
5.4 Sub-processor Contracts
AtomEons enters into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those in this DPA, including, where the Sub-processor processes Personal Data outside the European Economic Area (the "EEA"), the United Kingdom, or Switzerland, an appropriate transfer mechanism under Section 9.
6. Data Subject Rights
Taking into account the nature of the Processing, AtomEons assists Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, objection, portability, and not to be subject to automated decision-making).
If AtomEons receives a request directly from a Data Subject relating to Personal Data Processed on behalf of Customer, AtomEons will not respond to the request directly (except to confirm receipt and to direct the Data Subject to Customer where appropriate) and will forward the request to Customer within five (5) business days using the contact details on file.
Customer is responsible for substantively responding to Data Subject requests. Where Customer requires assistance to identify, retrieve, correct, export, or delete Personal Data, AtomEons will provide reasonable assistance using the controls available in the vault dashboard and at privacy@skill.ski.
7. Security Measures
AtomEons implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. The current measures are described in detail in the Trust Center and include, at minimum:
- Encryption in transit. TLS 1.3 with HSTS preload. HTTP requests are permanently redirected to HTTPS.
- Encryption at rest. AES-256 across the Sub-processor infrastructure (Supabase, Vercel).
- Secret management. Production secrets are stored in encrypted environment vaults (Vercel + Supabase) and never committed to source control.
- MCP token handling. Bearer tokens are SHA-256 hashed at rest; the raw value is shown to the user only at issuance and is never recoverable thereafter.
- Access controls. Role-based access with least-privilege defaults, mandatory MFA for AtomEons production access, separation of duties, and quarterly access reviews.
- Tenant isolation. PostgreSQL Row Level Security enforces per-tenant data isolation; query paths are reviewed against bypass risks.
- Logging and monitoring. Each MCP call is logged with timestamp, Skilski slug, and response status. Security-relevant events are monitored and alertable.
- Vulnerability management. Dependency scanning, signed releases (ed25519), and the 7-gate Gauntlet for every Skilski before listing.
- Personnel. Background-screened where lawful, contractual confidentiality, and security training on hire and annually.
- Business continuity. Regular automated backups of the primary database with documented restore procedures.
8. Personal Data Breach Notification
AtomEons will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will, to the extent then known and to the extent reasonably available:
- describe the nature of the breach and the categories and approximate number of Data Subjects and records affected;
- identify the data categories accessed or exfiltrated;
- describe the timing and exposure window;
- describe containment and remediation steps taken or planned;
- describe recommended actions for Customer (e.g., token rotation, audit log review); and
- provide the contact point for further information.
AtomEons will provide a forensic post-mortem within fourteen (14) days for material incidents. AtomEons' notification of a Personal Data Breach is not, and shall not be construed as, an acknowledgment of fault or liability.
9. International Transfers
Customer acknowledges that AtomEons and its Sub-processors are primarily located in the United States and that delivery of the Services may involve transfers of Personal Data outside the EEA, the United Kingdom, or Switzerland.
9.1 EEA Transfers
Where AtomEons Processes Personal Data subject to the GDPR in a country that has not received an adequacy decision from the European Commission, the parties agree that the Standard Contractual Clauses (Module Two: Controller-to-Processor; Module Three: Processor-to-Processor where applicable) are incorporated into this DPA by reference. The following selections apply:
- Clause 7 (Docking Clause): included.
- Clause 9(a) (Sub-processor authorization): Option 2 (general written authorization) with a 30-day notice period as set out in Section 5.3.
- Clause 11(a) (Independent dispute resolution): the optional language is not included.
- Clause 17 (Governing law): the law of Ireland.
- Clause 18 (Choice of forum and jurisdiction): the courts of Ireland.
- Annex I, II, and III: populated by reference to Sections 2, 5, and 7 of this DPA. The competent supervisory authority is the lead supervisory authority of Customer's main establishment in the EEA, or, where there is no main establishment, the Irish Data Protection Commission.
9.2 UK Transfers
Where AtomEons Processes Personal Data subject to the UK GDPR, the parties agree that the UK International Data Transfer Agreement, or alternatively the UK Addendum to the SCCs, is incorporated by reference, with table information populated from this DPA.
9.3 Swiss Transfers
For Personal Data subject to the FADP, the SCCs apply with the modifications recommended by the Swiss Federal Data Protection and Information Commissioner, including treating references to the GDPR as references to the FADP.
9.4 Conflicts
In case of any conflict between this DPA and the SCCs or UK IDTA, the SCCs or UK IDTA (as applicable) prevail with respect to the Processing they govern.
10. Audits
10.1 Standard Audit Materials
AtomEons makes available to Customer the information necessary to demonstrate compliance with Article 28 GDPR. Once available, AtomEons will provide its annual SOC 2 Type II report (or comparable third-party audit report) on reasonable request, subject to Customer's execution of a confidentiality agreement.
10.2 Additional Audits
Where the standard audit materials are not sufficient to demonstrate compliance, Customer may, no more than once per twelve (12) month period (and additionally following a confirmed Personal Data Breach affecting Customer's Personal Data or where required by a supervisory authority), request to conduct, or have a qualified independent third-party auditor conduct on its behalf, an audit of AtomEons' Processing of Customer's Personal Data, subject to the following conditions:
- Customer provides at least thirty (30) days' prior written notice;
- the audit is conducted during normal business hours and in a manner that does not unreasonably interfere with AtomEons' operations;
- the auditor is not a competitor of AtomEons and is bound by confidentiality;
- the audit is limited to information and systems relevant to the Processing of Customer's Personal Data;
- the audit does not require AtomEons to disclose information about other customers, multi-tenant systems beyond what is necessary, or AtomEons' confidential security architecture beyond what a reasonable auditor requires; and
- Customer bears its own costs and the cost of any auditor it engages, except where the audit reveals a material breach of this DPA, in which case AtomEons bears the reasonable cost of the audit.
10.3 Supervisory Authorities
Audits or inspections by competent supervisory authorities exercising their powers under Data Protection Laws are not subject to the limits in Section 10.2 to the extent that applying those limits would be prohibited by law.
11. Term, Return and Deletion
11.1 Term
This DPA takes effect on the Effective Date and continues for the term of the MSA, plus any period required for AtomEons to return or delete Personal Data under Section 11.2.
11.2 Return or Deletion
Upon expiration or termination of the MSA, or upon Customer's earlier written request, AtomEons will, at Customer's option:
- delete all Personal Data Processed on Customer's behalf; or
- return such Personal Data to Customer in a structured, commonly used, machine-readable format (typically JSON via the data-export process described in the Privacy Policy) and then delete remaining copies.
Unless Customer requests otherwise, AtomEons will delete Customer's Personal Data within ninety (90) days of termination, except where the Personal Data (a) must be retained under applicable law, (b) is retained in routine backups subject to documented retention schedules, or (c) is retained in anonymized or aggregated form that no longer constitutes Personal Data. Personal Data retained in routine backups is logically isolated, is overwritten on the standard backup rotation, and is not used for any other Processing.
12. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the MSA (including the aggregate cap and exclusion of indirect damages), and any reference to a party's liability in this DPA means the aggregate liability of that party under the MSA and this DPA combined. Nothing in this DPA limits or excludes either party's liability to the extent such liability cannot be limited or excluded under applicable law, including for liability arising out of an infringement of GDPR Article 82 to the extent imposed by a competent court or supervisory authority.
13. Order of Precedence
In the event of conflict between this DPA and the MSA, this DPA controls with respect to Processing of Personal Data. In the event of conflict between this DPA and the SCCs or UK IDTA, the SCCs or UK IDTA control with respect to the Processing they govern.
14. Miscellaneous
- Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in effect and the parties will negotiate in good faith a substitute that achieves, to the extent permitted by law, the original commercial intent.
- Updates. AtomEons may update this DPA from time to time to reflect changes in Data Protection Laws or operational practice. Material changes will be communicated via the Trust Center and, where Customer has subscribed, by email at least thirty (30) days before they take effect.
- No third-party beneficiaries. Except for Data Subjects' third-party beneficiary rights under the SCCs (where incorporated), this DPA does not confer any third-party beneficiary rights.
- Notices. Notices under this DPA must be sent in writing to legal@skill.ski for AtomEons and to the contact on the Order Form for Customer, with a copy to: AtomEons, LLC, Marco Island, FL [registered agent on file at sunbiz.org].
This DPA is a contract template and is not legal advice. Specific facts, jurisdictions, and use cases may require modifications. To countersign or request redlines, contact legal@skill.ski. Effective: April 30, 2026. AtomEons, LLC.