Data Processing Agreement
Atelyr B.V.
Version: 1
Effective date: 1 May 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between the Controller (the Partner or End Customer that has entered into the Main Agreement with Atelyr) and Atelyr B.V. as Processor.
For privacy-related questions, the Controller may contact Atelyr's Data Protection Officer at [email protected].
2. Whereas
In the performance of the Main Agreement, Atelyr processes personal data on behalf of the Controller, within the meaning of Article 28 GDPR. This DPA forms part of the Main Agreement.
3. Definitions
- AI Provider: a third-party provider of generative AI services used within the Software.
- Data Breach: a breach of security as referred to in Article 4(12) GDPR.
- End User: the natural person interacting with an AI agent deployed by the Controller through the Software.
- Software: the platform and applications of Atelyr.
- Sub-processor: a third party engaged by Atelyr to process personal data on behalf of the Controller.
4. Scope and Duration
Atelyr processes personal data solely for the performance of the Main Agreement and in accordance with the documented instructions of the Controller. The processing activities are described in Annex A.
5. Obligations of Atelyr
Atelyr processes personal data solely on documented instructions, ensures confidentiality of authorised personnel, applies appropriate security measures (encryption, access control, monitoring, backups, audits, incident management, training), assists the Controller with GDPR obligations, and does not use conversation content or End User data for commercial purposes or profiling.
6. Automated Decision-Making
Atelyr does not apply fully automated decision-making with legal effects under Article 22 GDPR.
7. Obligations of the Controller
The Controller warrants the lawfulness of the processing, ensures a valid legal basis, and informs End Users. The Controller is responsible for consent regarding sensitive data and minors, and indemnifies Atelyr against third-party claims.
8. Sub-processors
The Controller grants Atelyr general authorisation to engage sub-processors. Atelyr will inform the Controller of intended changes. An up-to-date list is available at docs.atelyr.ai. For AI Providers selected by the Controller, Atelyr concludes a data processing agreement on behalf of the Controller.
9. Transfers Outside the EEA
Transfers outside the EEA take place only on the basis of adequacy decisions, Standard Contractual Clauses, or other appropriate safeguards under the GDPR.
10. Audits and Inspections
The Controller has the right to audit Atelyr's compliance, with at least 30 days written notice. Atelyr may fulfil its audit obligation by providing a current ISO 27001 or SOC 2 certificate.
11. Rights of Data Subjects
Atelyr assists the Controller in handling data subject requests. Requests received by Atelyr directly are forwarded to the Controller within five business days.
12. Data Breaches
Atelyr will notify the Controller without undue delay and within 48 hours of discovery of a Data Breach.
13. Confidentiality
Atelyr treats all personal data processed under this DPA as confidential.
14. Termination and Return or Deletion of Data
Upon termination, Atelyr deletes all personal data, unless legally required to retain. The Controller may request return within 30 days after termination, to the extent technically feasible.
15. Liability
The liability regime of the Main Agreement applies. Atelyr is not liable for damage arising from processing carried out per the Controller's instructions or from AI Providers selected by the Controller.
16. Amendments
Atelyr may amend this DPA with at least 30 days notice. Material amendments give the Controller a right to terminate.
17. General Provisions
This DPA is governed by Dutch law. Disputes will be submitted to the competent court in Noord-Holland. Contact: [email protected].
Annex A - Processing Activities
Categories of data subjects include Users (employees/freelancers of the Controller) and End Users (callers/chat users of the Controller's AI agent). Personal data processed includes contact data, technical data, audio recordings, AI-generated transcripts, interaction metadata, and billing data. Retention periods follow the Controller's agreement, with End User conversation data retained for a maximum of 90 days unless otherwise consented to or required for dispute handling.