Data Processing Addendum

This summary is for customers and prospective customers who will process personal data through the Atherna platform, and for the privacy, security, and procurement teams who review our terms. It describes our standard Data Processing Addendum (DPA) in plain language. The DPA itself is a contractual document that forms part of your agreement with Atherna.

Under data-protection laws such as the GDPR and UK GDPR, you are the controller of the personal data you put into Atherna, and Atherna acts as your processor. We process that data only to provide the service, and only on your documented instructions.

We process the personal data contained in the documents and matters you choose to load, for the purpose of providing the Atherna platform to you. You decide what data to provide, for how long, and for what purpose. We do not use your data for our own purposes, and we do not train our models on it.

The DPA commits us to appropriate technical and organizational measures to protect personal data, consistent with our wider security program. These include encryption in transit and at rest, access controls, tenant isolation, and a complete audit trail. Our Security page sets out the details.

We use a limited set of vetted sub-processors, such as infrastructure providers, to deliver the service. The DPA sets out how we engage them, the obligations we impose on them, and how we notify you of changes so you can object. A current list of sub-processors is available on request.

If an individual exercises their rights, such as access, correction, or deletion, the DPA commits us to help you respond, using the controls available in the platform and reasonable assistance from our team.

Atherna operates across the United States, the United Kingdom, the United Arab Emirates, Singapore, and India. Where personal data is transferred across borders, the DPA relies on appropriate safeguards, such as the Standard Contractual Clauses, and supports data-residency options where you require them.

On termination, or at your request, we return or delete the personal data we process on your behalf, except where the law requires us to keep it. In the ordinary course of using the platform, customer matter data is not retained beyond your session.

The DPA gives you the right to verify our compliance, including through the audit reports and security documentation we make available, such as our SOC 2 report, and reasonable additional assurances where your regulator requires them.

If we become aware of a personal-data breach affecting your data, the DPA commits us to notify you without undue delay and to provide the information you need to meet your own notification obligations.