Data Processing Agreement

Last updated: 2026-05-06

This DPA governs Atalaia's processing of personal data on behalf of customers subject to the LGPD (Lei nº 13.709/2018) or the EU GDPR.

1. Roles

Customer is the controller; Atalaia is the processor.

2. Processing scope

Atalaia processes only the data necessary to deliver the contracted service: account email, domain configuration, DMARC reports, and audit logs.

3. Subprocessors

• Cloudflare (CDN, edge compute, analytics)
• Stripe (billing)
• Resend or AWS SES (transactional email — product side)

4. International transfers

EU/UK transfers are covered by Standard Contractual Clauses where applicable.

5. Security measures

TLS in transit, AES-256 at rest, least-privilege IAM, audit logging, incident response within 72 hours of awareness.

6. Term and deletion

Upon termination, Atalaia deletes or returns customer personal data within 30 days unless retention is required by law.