Atom
Install
Get started with Atom
Documentation
Learn how to use Atom

Data Processing Addendum

Last updated: April 29, 2026

This Data Processing Addendum ("DPA") applies when Atom processes personal data on behalf of a business, agency, studio, or other organization under the Atom Terms of Service or a separate order form. If a signed agreement says something different, the signed agreement controls.

1. Roles

The customer is the controller or business for customer personal data. Atom is the processor or service provider for personal data Atom processes to provide licensing, support, security, feedback handling, and related product services.

For AI processing through a customer-selected AI provider, the customer is responsible for its own relationship, account settings, and legal basis with that AI provider.

2. Processing Instructions

Atom will process customer personal data only to provide, secure, support, and improve Atom; to comply with law; and as otherwise instructed by the customer through use of the product or a written agreement.

3. Categories of Data

  • Account and purchase data, such as email address, order records, and receipts.
  • License and seat data, such as entitlement records, seat counts, and device seat identifiers.
  • Support data, such as messages sent to Atom and any files or details the customer chooses to share.
  • Optional feedback data, such as customer descriptions plus encrypted chat logs and tool activity for the reported chat.
  • Product-use data sent to customer-selected AI providers, such as prompts, project context, preview frames, and explicitly attached files.

4. Confidentiality

Atom will treat non-public customer information as confidential and use it only to provide, secure, support, and improve the product, or as required by law.

5. Security Measures

Atom uses reasonable technical and organizational measures appropriate for a small software vendor, including HTTPS, limited administrative access, local encryption of customer AI keys, encrypted local logs, encrypted optional feedback logs, and local-only MCP integration design. More detail is available in the Security Overview.

6. Subprocessors

Atom may use subprocessors to provide hosting, authentication, licensing, checkout, payment, support, and optional product functionality. The current list is available at Subprocessors.

7. Data Subject Requests

If Atom receives a request from an individual about customer personal data, we will either direct the individual to the customer or assist the customer where reasonably possible.

8. Deletion and Return

Upon request, Atom will delete customer personal data that Atom controls unless retention is needed for legal, accounting, security, dispute, or legitimate business reasons. Customer project files remain on the customer's systems unless the customer explicitly sends them to Atom for support.

9. Security Incidents

If Atom confirms a security incident involving customer personal data processed by Atom, we will notify affected customers without undue delay and, where feasible, within 72 hours.

10. International Transfers

Atom and its service providers may process data in the United States and other countries where they operate. Where applicable, the customer and Atom will rely on appropriate legal mechanisms for international transfers.

11. Audits and Information Requests

Atom will provide reasonable information needed to verify compliance with this DPA, such as this DPA, the Security Overview, the Privacy Policy, and responses to reasonable security questionnaires.

12. Contact

Data protection questions can be sent to hey@davey.design.