AtlasSwift - Cross-Border Fulfillment & Product Sourcing for Emerging MarketsAtlasSwift

Data Processing Addendum (DPA)

Last updated:August 19, 2025

This DPA forms an integral part of the AtlasSwift Terms of Service. It applies when the Merchant (controller) entrusts personal data of its customers to AtlasSwift (processor) for the provision of the Services. It complements the Privacy Policy.

1) Purpose scope

This DPA governs the processing of personal data carried out by AtlasSwift on behalf of the Merchant in connection with the Services described in the ToS, in compliance with the GDPR/UK GDPR and applicable local laws.

2) Roles definitions

The Merchant acts as the controller: it determines the purposes and means of processing. AtlasSwift acts as the processor: it processes data based on the Merchant’s documented instructions. The terms “personal data,” “processing,” and “personal data breach” have the meanings given in the GDPR/UK GDPR.

3) Description of processing

3.1 Categories of data subjects

Merchant’s end customers, prospects who placed an order, and Merchant staff who use the Platform.

3.2 Categories of data

  • Identification data: first/last name, phone, email, address.
  • Order data: products, quantities, value, statuses (confirmation, delivery, payment collection).
  • Proof/log data: photos, OTP codes, signatures, execution logs, timestamps.
  • Technical data: account identifiers, access events, metadata required for support.

3.3 Purposes of processing

Order execution, logistics, tracking and proof of execution, invoicing/payouts, fraud prevention, support, and legal obligations.

3.4 Duration

For the duration of the Services, then according to applicable statutory retention periods (see section 12).

The Merchant determines the lawful basis and the information to be provided to data subjects.

4) Documented instructions

AtlasSwift processes data only on the basis of the Merchant’s written instructions (ToS, order forms, support tickets). If an instruction is manifestly unlawful, AtlasSwift will inform the Merchant without delay.

5) Data security

AtlasSwift implements appropriate technical and organizational measures, including:
  • Encryption of data in transit and at rest where relevant.
  • Role-based access controls, MFA for sensitive access.
  • Logging, incident detection, and response procedures.
  • Environment segmentation, regular backups and restore testing.
  • Security review of critical vendors and adequate contractual clauses.

Obligation of means: measures are proportionate to risk and the state of the art at the time of processing.

6) Confidentiality

Individuals authorized by AtlasSwift to process data are bound by a contractual confidentiality obligation and receive appropriate data protection training.

7) Sub-processors

The Merchant authorizes AtlasSwift to engage sub-processors (hosting, support, payments, messaging, transport) providing equivalent safeguards. AtlasSwift remains fully responsible to the Merchant for the obligations of sub-processors.

AtlasSwift will notify in advance any new sub-processing or significant change and offer a reasonable right to object within 10 business days where feasible without interrupting the Service.

8) Location international transfers

Data are processed mainly in the EU/EEA/UK. Any transfer to a third country is made with appropriate safeguards (e.g., updated Standard Contractual Clauses, supplementary measures, adequacy decisions) and with Merchant information where required.

9) GDPR assistance to Merchant

AtlasSwift assists the Merchant, to a reasonable extent, with DPIAs, prior consultations, and risk assessments related to processing carried out via the Platform.

10) Data breaches

AtlasSwift will notify the Merchant without undue delay and, where possible, within 72 hours after becoming aware of a personal data breach affecting data processed on its behalf, providing the nature of the incident, categories of data concerned, and measures taken or proposed.

The Merchant remains responsible for notifications to authorities/subjects where required by law, with AtlasSwift’s support.

11) Data subject rights

AtlasSwift uses reasonable means to help the Merchant respond to data subject requests (access, rectification, erasure, objection, portability, restriction) where such requests concern data processed via the Platform.

12) Retention, return deletion

Upon completion of the Services or on the Merchant’s instruction, AtlasSwift will delete or anonymize personal data processed on its behalf, unless there is a legal obligation to retain them (e.g., accounting, fraud prevention). On request, data can be returned in a structured, commonly used format.

13) Audits attestations

The Merchant may, at its expense, conduct a reasonable audit by an independent third party, at most once per twelve (12) months, during business hours, with 30 days’ prior written notice, and without materially disrupting AtlasSwift’s operations. AtlasSwift may provide reports/attestations (e.g., ISO/SOC, penetration tests) to reduce the need for on-site audits.

Confidential information disclosed during an audit remains subject to the NDA/ToS.

14) Documentation cooperation

AtlasSwift maintains records of its processing activities related to the Services and makes available to the Merchant the information necessary to demonstrate compliance with this DPA and applicable requirements. The Parties cooperate in good faith with supervisory authorities.

15) Liability limitation

Subject to mandatory law, AtlasSwift’s liability under this DPA is aligned with the “Liability limitation” clause of the ToS. No cap applies where legally excluded (e.g., willful misconduct) in the competent jurisdiction.

16) Precedence, language changes

In the event of conflict among data-processing related documents, the order of precedence is: (i) signed Contract/Order Form, (ii) this DPA, (iii) ToS, (iv) Privacy Policy. The French version prevails. Translations may be provided for convenience. AtlasSwift may propose DPA updates for legal compliance; such updates will be notified to the Merchant.

17) Effective date term

This DPA becomes effective upon the Merchant’s acceptance of the ToS and remains in force for the duration of the Services and until data deletion/anonymization by AtlasSwift, in accordance with section 12.

18) Data protection contacts

These addresses are the valid contact channels for DPA-related questions.