Products
Customers
Resources
Company
Book a DemoRequest a demo

Investor management

Investor Management

Fundraising Datarooms

Investor Onboarding

Investor Portal

Portfolio Management

Portfolio Management

Portfolio Management

Private Equity

Private Credit

All Platforms

Integrations

Implementation

Security

Case Studies
Customer Success
Blog
About Us
Careers
Partners
Industry Recognition
Book a demoBook a Demo

Contact our sales team

Investor Management

Investor Management

Fundraising Datarooms

Investor Onboarding

Investor Portal

Portfolio Management

Portfolio Management

Private Equity

Private Credit

All Platforms

Integrations

Implementation

Security

Case Studies

Customer Success

Customer Success

Customer Philosophy

Customer Success

Support

Technical Capabilities

Technical Products & APIs

Productivity Plugins

Integration Capabilities

Enterprise Co-dev

Security

Security & Trust

Need help? Contact our sales team

About Us

Careers

Partners

Industry Recognition

Blog

Knowledge Hub

Tab 1
Tab 2
Tab 3
Tab 3
Tab 3

Atominvest Data Processing Addendum

 

Last modified:  8 April 2026

 

This Data Processing Addendum (“DPA”) forms part of the Atominvest Terms  between Atominvest Software Ltd. (“Company”) and (“Customer”).

The terms used in this DPA shall have the meanings set forth in the Agreement unless otherwise provided. Except as modified below, the terms of the Agreement remain in effect.

In consideration of the mutual obligations set out herein, the Parties hereby agree that this DPA shall form part of  the Agreement.

 

1. Definitions

 

1.1 In this DPA, the following terms shall have the meanings set out below:

 

1.1.1 “Applicable Laws” means all applicable laws relating to the processing of Personal Data, including  the Data Protection Laws.      

 

1.1.2 “Customer Personal Data” means any Personal Data Processed by Company on behalf of the Customer pursuant to or in connection with the Agreement.

 

1.1.3 “Data Protection Laws” means (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated, or re-enacted from time to time) which relates to the protection of individuals with regards to the processing of personal data to which a party is subject, including (i) the Data Protection Act 2018; (ii) the UK GDPR; (iii) the EU GDPR; the California Consumer Privacy Act as amended by the California Privacy Rights Act and any binding regulations promulgated thereunder (“CCPA”); and (b) any code of practice or guidance published by the UK Information Commissioner’s Office (or equivalent regulatory body) from time to time.

 

1.1.4 “EEA” means the European Economic Area.

 

1.1.5 “EEA Restricted Transfer” means a transfer of Customer Personal Data from the EEA, either directly or via onward transfer, to any country that is not subject to an adequacy decision under the EU GDPR.

 

1.1.6 “EU GDPR” means EU General Data Protection Regulation 2016/679. 

 

1.1.7 “EU Standard Contractual Clauses” means the standard contractual clauses in respect of transfers as set out in the Annex to the Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

 

1.1.8 “Subprocessor” means any third party (including any Company affiliates) appointed by or on behalf of Company to Process Customer Personal Data, as listed at https://www.atominvest.co/legals/sub-processors

 

1.1.9 “UK GDPR” means Regulation 2016/679 as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time).

 

1.1.10 “UK Restricted Transfer” means a transfer of Customer Personal Data from the UK, either directly or via onward transfer, to any country not recognized by the UK Government (or otherwise recognised under Data Protection Laws applicable in the United Kingdom) as providing an adequate level of protection for personal data.

 

1.1.11 “UK Transfer Mechanism” means any lawful transfer mechanism recognised under the UK GDPR and the Data Protection Act 2018 for the transfer of personal data from the United Kingdom to a country outside the United Kingdom, including:

(a) the International Data Transfer Agreement (“IDTA”); and

(b) the International Data Transfer Addendum to the EU Standard Contractual Clauses (“UK Addendum”),

in each case as issued or approved by the UK Information Commissioner and as amended, updated or replaced from time to time.

 

1.2 The terms, “Commission”, “Commissioner”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” have the same meaning as defined in Data Protection Laws.

 

2. Processing of Customer Personal Data

 

2.1 This DPA applies to the Company’s Processing of Customer Personal Data in the course of the Company providing Services to the Customer. As such, the Company is the Processor and the Customer is the Controller.

 

2.2 The Company will only Process Customer Personal Data in accordance with the Customer’s documented instructions unless Processing is required by Applicable Laws to which the Company is subject, in which case the Company will, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before Processing the Personal Data.

 

2.3 The Customer (i) instructs the Company (and authorises the Company to instruct each Subprocessor) to Process Customer Personal Data and, subject to compliance with Data Protection Laws, transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement; and (ii) represents and warrants that (a) it is and will at all relevant times remain authorised to give such instructions, and (b) all such instructions comply with Applicable Laws.

 

2.4 The Company will promptly notify the Customer if, in the Company’s reasonable opinion, any instructions of the Customer violate Applicable Laws.

 

2.5 Annex 1 to this DPA sets out certain information regarding the Company’s Processing of the Customer Personal Data as required by Article 28(3) of the UK GDPR. Any amendments to Annex 1 shall be agreed by the parties in writing. 

 

3. Company Personnel

 

The Company will ensure that any Company employee, agent or contractor who may have access to the Customer Personal Data is subject to confidentiality undertakings in respect of the Customer Personal Data.

 

4. Security

 

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company will implement appropriate technical and organisational measures in respect of Customer Personal Data to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the UK GDPR.

 

4.2 In assessing the appropriate level of security, the Company will take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

 

5. Subprocessing

 

5.1 Customer authorises the Company to appoint (and permit each Subprocessor appointed in accordance with this paragraph 5 to appoint) Subprocessors in accordance with this paragraph 5 and any restrictions in the Agreement. Before appointing any Subprocessor, the Company shall inform the Customer of the appointment (including the name and location of such Subprocessor and the activities it will perform). The Customer may object to the appointment of the Subprocessor by giving written notice to the Company within ten (10) days of being informed by the Company of such appointment.

 

5.2 A correct and up to date list of the sub-processors engaged by the Company in accordance with paragraph 5.1 is included at https://www.atominvest.co/legals/sub-processors.

 

5.3 With respect to each Subprocessor, the Company will:

 

5.3.1 ensure that the arrangement between the Company and the Subprocessor is governed by a written contract including terms offering at least the same level of protection for Customer Personal Data as those set out in this DPA and shall meet the requirements of Article 28(3) of the UK      GDPR; and

 

5.3.2 If that arrangement involves:

 

a)  an EEA Restricted Transfer, ensure that the EU Standard Contractual Clauses are at all relevant times incorporated into the agreement between the Company and the Subprocessor or before the Subprocessor first Processes Customer Personal Data, procure that it enters into an agreement incorporating the EU Standard Contractual Clauses with the Customer; or

b) a UK Restricted Transfer, ensure that a UK Transfer Mechanism is implemented.      

 

6. Data Subject Rights

 

6.1 The Services provide the Customer with a number of means by which the Customer may retrieve, correct, delete or restrict Customer Personal Data. The Customer may use these means as technical and organizational measures to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects.

 

6.2 The Company will (i) promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and (ii) not respond to that request except as required by Applicable Laws to which the Company is subject, in which case the Company will, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before the Company responds to the request.

 

7. Personal Data Breach

 

7.1 The Company will notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

 

7.2 The Company will cooperate with the Customer and take such reasonable commercial steps as requested by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

 

8. Deletion or Return of Customer Personal Data

 

8.1 Subject to paragraph 8.2, within ninety (90) days of the expiration or termination of the Agreement (the “Termination Date”), the Company will delete permanently the Customer Personal Data unless the Customer has previously deleted all such Customer Personal Data before the Termination Date. Prior to the Termination Date, the Customer may access the Services to retrieve any Customer Personal Data.

 

8.2 Notwithstanding the foregoing, the Company may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws (and the Company may retain business contact information for the Customer’s staff); provided, however, that the Company will ensure the confidentiality of all such Customer Personal Data and will ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its retention, and for no other purpose.

 

9. Data Protection Impact Assessments and Audit Rights

 

9.1 The Company will provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required of it by Article 35 or 36 of the UK GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Company.

 

9.2 The Company shall, in accordance with Data Protection Laws, make available to the Customer such information that is in its possession or control as is necessary to demonstrate the Company’s compliance with the obligations placed on it under this DPA, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose (subject to a maximum of one audit request in each Contract Year).

 

9.3 The Company may satisfy any request under clause 9.2 above, or any request for an audit or inspection, by providing the Customer with recent third-party assurance reports, certifications (such as SOC 2 Type II or ISO 27001), summaries of penetration tests, security questionnaires, or other comparable information, to the extent such materials reasonably address the relevant requirement.

 

9.4 To the extent the information and materials made available under clauses 9.2 and 9.3  above  do not reasonably address the Customer's specific requirements, the Customer (or another auditor mandated by the Customer and approved by the Company, such approval not to be unreasonably withheld) may, upon reasonable prior written notice of not less than thirty (30) days and not more than once in each Contract Year (as defined in the Agreement) (unless otherwise required by a competent Supervisory Authority), conduct an audit or inspection of the Company's relevant records, systems and controls for the purpose of assessing the Company's compliance with this DPA.

 

9.5 Any audit or inspection under clause 9.4 shall be:

a)  conducted during normal business hours;

b) conducted in a manner designed to minimise disruption to the Company's business and to preserve the confidentiality and security of information relating to the Company and its other customers;

c)  subject to appropriate confidentiality obligations, including the Customer entering into an NDA with the Company (or the auditor doing so) on terms reasonably acceptable to the Company, where not already covered by the Agreement;

d) at the Customer's cost, including the Company's reasonable internal and third-party costs incurred in supporting the audit, chargeable at the rates set out in the Order Form; and

e)  scoped to exclude any information or systems that would compromise the confidentiality of other customers' data or the Company's proprietary information unrelated to the subject matter of the audit.

 

9.6 If the EU Standard Contractual Clauses apply, nothing in this clause 9 varies or modifies the EU Standard Contractual Clauses nor affects any Supervisory Authority’s or Data Subject’s rights under the EU Standard Contractual Clauses.

 

10. Restricted Transfers

 

10.1 The Customer hereby authorises the Company (or any Subprocessor) to transfer (where applicable) Customer Personal Data outside of the UK and EEA provided that the Company shall ensure that such transfers are made in compliance with Data Protection Laws. Where such transfers constitute an EEA Restricted Transfer or a UK Restricted Transfer, the Customer expressly acknowledges and agrees that the following additional clauses will apply and be incorporated by reference into this DPA, as applicable:

a) in the case of an EEA Restricted Transfer, the EU Standard Contractual Clauses, as published at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj,  and the following modules shall apply:

      i)    Module Two (Controller to Processor) of the EU Standard Contractual Clauses  shall apply where the Customer is a Controller and the Company is a Processor; and

      ii)    Module Three (Processor to Processor) shall apply in respect of any transfers to Subprocessors.

b) in the case of a UK Restricted Transfer, and in addition to the EU Standard Contractual Clauses noted at clause 10.1(a), Part 2: Mandatory Clauses of the UK Addendum, as may be revised from time to time under Section ‎‎18 of those Mandatory Clauses and published here: https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf

    

10.2 The parties agree that the information required for the purposes of the EU Standard Contractual Clauses and, where applicable, the UK Addendum, is set out in Annex 2 of this DPA.

 

10.3 By entering into this DPA, the parties are deemed to have executed the EU Standard Contractual Clauses and, where applicable, the UK Addendum, including the Annexes thereto as completed in accordance with this clause 10 and Annex 2 of this DPA.

 

11. California Privacy Laws

 

11.1  To the extent that Personal Data constitutes “Personal Information” under the CCPA, the parties agree as follows:

a)  the Company shall not sell or share Personal Information;

b) the Company acknowledges that the Customer does not sell or share Personal Information to the Company in connection with the Services;

c)  the Company shall not retain, use or disclose Personal Information:

                           i)           for any purpose other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA;

                          ii)           for any commercial purpose other than the provision of the Services; or
                 
                          iii)          outside of the direct business relationship between the Company and the Customer;

                         iv)          the Company shall not combine Personal Information received from the Customer with Personal Information received from other sources, except as permitted by the CCPA;

d) the Company shall implement reasonable security procedures and practices appropriate to the nature of the Personal Information; and

e)  the Company certifies that it understands and will comply with the restrictions set out in this clause.

 

12. General Terms

 

12.1 In the event of any conflict or inconsistency between this Addendum and the EU Standard Contractual Clauses or UK Transfer Mechanism, if entered into, the EU Standard Contractual Clauses or UK Transfer Mechanism shall prevail.

 

12.2 This DPA remains in effect until termination or expiration of the Agreement.

 

12.3 The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.

 

 

 

ANNEX 1

 

DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

 

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) UK GDPR.

 

Subject matter and duration of the Processing of Customer Personal Data

The subject matter concerns the Company’s processing of Customer Data in connection with the Company providing to Customer the Services outlined in the Agreement. The Company may provide additional related software solutions to Customer in the future.

 

The nature and purpose of the Processing of Customer Personal Data

Customer wants to use the Company’s Services to help manage its general operations and maintain a database of contacts and companies including details of their investments financial performance.

 

The types of Customer Personal Data to be Processed

The Company may process Personal Data which may include but is not limited to the following categories of Personal Data: name, address, employer, phone, email address, information related to current job title and functions, tax identification information, level of finances, asset allocation needs, financial goals, interest in specific products or services, investment returns, bank account details, information about investment transactions.

 

The categories of Data Subjects to whom the Customer Personal Data relates

Processing concerns the following categories of data subjects: Individuals to whom marketing efforts are directed (including the Customer’s current clients who are being marketed additional products and services), individuals who are currently receiving products or services from the Customer, all individuals, including those who may be prospective employees, contractors or clients, or current employees, contractors or clients, who visit the Customer’s website, all others including: business contacts at institutional clients, business contacts at vendors working on behalf of or for the benefit of the Customer, event sponsors and attendees, and individuals whose personal data is included in the Customer’s correspondence.

 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of the Agreement and thereafter strictly in accordance with the Agreement and the Company’s data retention policies.

 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration of the processing are specified per Subprocessor at https://www.atominvest.co/legals/sub-processors.

 

The obligations and rights of Customer and Customer affiliates

The obligations and rights of the Customer are set out in the Agreement and this DPA.

 

ANNEX 2

 

This Annex 2 sets out the information required for the purposes of the EU Standard Contractual Clauses and the UK Addendum. The parties may provide further details in the Agreement.

 

  1. Annex I.A.

List of Parties:

a.      Customer and data exporter:

Name and address of the Customer as well as contact details of a contact person are contained in the Agreement.

Role (Controller/Processor): The Customer acts as the Controller for the processing activities provided by the Company.

b.      Company and data importer:

The Company / data importer providing the processing services is the Company specified in the Agreement. The point of contact for data privacy inquiries is privacy@atominvest.co.

Role (Controller/Processor): The Company acts as Processor processing Personal Data on behalf of Customer and, in respect of transfers from the Company to its Subprocessors, the Company acts as a Processor and the Subprocessor acts as a Processor.

  1. Annex I.B.

Description of Transfer: See Annex 1 of this DPA.

  1. Annex II.

Technical and organisation measures: See the Company’s security documentation made available to the Customer on request.

  1. Annex III.

List of Subprocessors: See https://www.atominvest.co/legals/sub-processors

Supercharge your firm operations

See how our leading technology and AI-powered features can give your firm an operating edge

Book a DemoRequest a demo