1.1 Terms
The Terms define rules for accounts, workspaces, AI-assisted work, customer apps, acceptable use, access, service changes, support, and responsibility boundaries.
COMPLIANCE CENTER
Atom9 is built for companies that need websites, login, workflows, content, automation, customer data, and AI help without losing control of privacy, security, approvals, legal duties, or evidence.
Atom9 follows applicable privacy, security, consumer, AI, and sector compliance duties through product controls, documented roles, approval gates, audit trails, and clear customer responsibilities.
Legal anchors: Compliance 1.1 to 1.6 map the documents and Compliance 3 defines the product controls used across them.
The Terms define rules for accounts, workspaces, AI-assisted work, customer apps, acceptable use, access, service changes, support, and responsibility boundaries.
The Privacy notice explains what data Atom9 handles, why it is used, how AI uses context, how data is shared, and how people exercise rights.
The GDPR page defines when Atom9 is controller, processor, or using sub-processors, and how customer apps fit into that responsibility chain.
The Cookie Policy separates required session and security storage from optional preference, analytics, third-party, and customer-site storage.
The Security page explains approved product surfaces, account responsibilities, workspace safety, customer-app launch security, AI prompt safety, integration care, and reporting paths without exposing internal architecture.
The DORA page explains financial-sector digital operational resilience alignment for ICT risk, incidents, resilience testing, third-party provider risk, continuity, and evidence.
A person creates an Atom9 account, signs in with an approved login method, manages account security, and accesses workspaces or customer apps where the person has access.
A workspace owns projects, team access, content, contacts, files, approvals, billing references, connected tools, and customer-app configuration.
An AI agent uses approved project context and connected tools to draft, build, inspect, explain, and record work according to workspace settings.
A customer app uses Atom9 infrastructure while keeping its own customer relationship, notices, service-specific KYC, and lawful basis decisions.
Approval gates require clear human decisions before plans, AI-generated outputs, launch checks, sensitive workflow changes, and regulated use cases become live.
Atom9 follows data minimisation by asking for the data needed to run the account, workspace, and customer app. Extra customer KYC belongs to the customer app flow.
Atom9 saves important decisions, approvals, prompts, generated assets, tool actions, provider settings, and launch checks as an evidence trail with enough context to explain them later.
Email verification, OIDC linking confirmation, passkeys, session controls, role boundaries, service authentication, permission checks, and provider controls are baseline product controls.
High-risk sectors, regulated workflows, special data categories, child data, financial data, health data, and unusual data requests trigger stronger setup, approval, and compliance review paths.
Legal anchors: Compliance 4.5 blocks prohibited practices, Compliance 4.7 handles high-risk workflows, and Compliance 4.2 covers transparency.
Atom9 explains agent behaviour in practical terms and shows users what the agent is doing, what it needs, what it changed, what tools it used, and what the person must approve.
Atom9 makes AI chat, AI-generated content, tool use, model/provider identity, and relevant automated actions visible in the product history where the workflow requires accountability.
Atom9 keeps important project, launch, customer-facing, and regulated changes under human oversight instead of silent automation.
Atom9 uses risk classification to route sensitive sectors, high-impact use cases, regulated decisions, and unusual data requests into stronger questions, model/provider checks, evidence trails, and approval steps.
Atom9 does not support workflows designed for unlawful manipulation, unlawful discrimination, social scoring, prohibited biometric use, illegal profiling, or other uses prohibited by applicable AI, privacy, consumer, or sector law.
Atom9 records AI provider, model identity, tool access, data settings, prompts, outputs, approvals, tests, and relevant decisions where the workflow requires accountability.
Atom9 requires stronger documentation, human oversight, test evidence, data governance review, incident escalation, and launch approval before a high-risk or regulated AI workflow can be treated as ready.
Atom9 documents whether Atom9, the customer, or an external model provider is acting as provider, deployer, processor, or sub-processor for an AI workflow and records the resulting responsibilities.
Atom9 supports customer decisions about where data is stored and processed, including EU-focused deployments where residency is required.
Atom9 separates product operation, provider access, support access, customer configuration, and service credentials so operational control can be documented and limited.
Atom9 documents infrastructure, file storage, search, email, AI, observability, payment, and support providers so customers understand which systems support their service.
Atom9 uses lawful transfer mechanisms, transfer risk review, contractual controls, and provider settings when personal data is processed outside the EU/EEA.
The customer defines what the customer app does, what data it needs, who may use it, and what laws apply to the service.
The customer approves customer-facing privacy notices, cookie notices, terms, consent text, KYC wording, AI disclosures, and sector-specific disclosures before launch.
The customer is responsible for the accuracy, lawfulness, and relevance of data they enter, import, request, or instruct Atom9 to process.
The customer controls team invitations, roles, offboarding, project access, and who may approve sensitive actions.
The customer must identify regulated duties such as finance, health, employment, children, consumer protection, professional advice, accessibility, or public-sector requirements.
Legal anchors: Compliance 7.1 to 7.4 define the records kept for chats, approvals, tool actions, and launch checks.
Important agent conversations, clarification questions, user answers, prompt context, and generated summaries stay connected to the project.
Approval gates record what was approved, who approved it, when it was approved, and what decision created the next project state.
Tool invocations, generated content, file changes, workflow changes, and connected provider actions are logged where relevant.
Privacy, cookie, AI, security, accessibility, and sector checks stay visible before a customer app goes live.
Atom9 updates product controls, docs, notices, and customer guidance when legal, provider, security, or operational requirements materially change.
Legal anchors: Compliance 8.1 to 8.6 define how tags are used. Tags are traceability labels, not certification marks.
GDPR and privacy tags identify statements that support data roles, lawful basis, minimisation, retention, subject rights, processors, transfer safeguards, cookie choices, or customer-app notices.
EU AI Act tags identify statements that support AI literacy, transparency, human oversight, risk classification, prohibited-use blocking, high-risk handling, logging, and provider or deployer boundaries.
DORA tags identify financial-sector operational resilience statements that support ICT risk management, incident handling, resilience testing, third-party ICT risk, continuity, and evidence.
NIS2 and security tags identify statements that support account protection, risk analysis, incident handling, business continuity, supply-chain care, vulnerability handling, and secure operation.
Contract and operation tags identify statements that may be tightened by signed customer terms, DPAs, security addenda, service levels, support paths, provider terms, or customer-specific operating requirements.
Atom9 should reuse the same approval record, data-source policy, incident record, provider review, launch check, and change history across frameworks when the same fact supports more than one duty.
Atom9 needs a dedicated AI governance and EU AI Act page covering AI literacy, transparency, provider and deployer roles, high-risk screening, prohibited use, human oversight, model/provider records, incidents, and customer-app AI disclosures.
Atom9 needs a NIS2/cybersecurity page that explains cybersecurity risk management, incident handling, business continuity, supply-chain care, vulnerability handling, access control, and the public security rules customers must follow.
Atom9 needs a public sub-processor, provider, and transfer page showing service-provider categories, data locations where available, transfer safeguards, customer notice rules, provider change notice, and how customers request more detail.
Atom9 needs a public vulnerability disclosure page that explains allowed reporting, prohibited testing, safe evidence, response expectations, and the line between good-faith reporting and unauthorised security testing.
Atom9 needs an accessibility statement covering product accessibility, customer-app accessibility responsibilities, assistive-technology support, known limitations, feedback channels, European Accessibility Act screening, and how accessibility checks are included in launch review.
Atom9 also needs maintained customer-specific artifacts: data processing agreement, security addendum, service levels, order forms, incident contact process, sub-processor notice process, and regulated-sector addenda where a customer use case requires them.
Atom9 should add screening notes for the Data Act, Cyber Resilience Act, and Digital Services Act. These do not apply equally to every Atom9 customer app, but the agent should identify when cloud switching, products with digital elements, user-generated content, marketplaces, hosting, or platform moderation duties become relevant.
The Atom9 project agent must ask enough questions to identify whether a project touches AI, personal data, financial-sector services, cybersecurity-sensitive workflows, accessibility obligations, provider outsourcing, user-generated content, or regulated customer KYC before committing to a build plan.
The item has a clear purpose, enough evidence, a known owner, safe defaults, and no unresolved compliance or security blocker.
The item may be acceptable, but a person must confirm missing context, legal basis, customer wording, provider use, or launch intent.
The item touches sensitive data, regulated work, important provider dependency, high-impact decisions, or a customer-facing launch path.
The item is unsafe, unlawful, deceptive, unsupported, missing required authority, or trying to bypass a product or security control.
Atom9 grades work using the service purpose, data sensitivity, people impact, legal framework, provider dependency, security posture, evidence quality, and whether the user-facing explanation is clear.
Good signals include clear service purpose, data minimisation, verified domain, least-privilege roles, transparent notices, required approvals, passing launch checks, recorded provider use, and no restricted data outside configured scope.
Review signals include unclear owner, unclear lawful basis, new provider use, cross-border transfer, optional tracking, AI-generated customer-facing wording, ambiguous KYC, missing test evidence, or a customer notice that is not ready.
High-risk signals include special-category data, financial data, health data, child data, employment decisions, critical or important functions, automated high-impact decisions, public launch, and external providers with sensitive access.
Block signals include prohibited AI use, no lawful basis, missing authority, exposed secrets, unverified production domains, unsupported internal routes, bypassing approval gates, deceptive notices, malware, stolen data, or attempts to access another person's data.
Each important flag should record the grade, reasons, affected project or workflow, owner, next action, evidence required, due date where useful, and whether the agent may continue, must ask a question, or must stop.
The agent should explain flags in chat, show the exact reason, ask only the missing question, create an approval gate when a person must decide, and connect the final decision to the project history.
A good item must be re-graded when scope changes: new data fields, new provider, new country, new user group, AI automation, public launch, regulated purpose, or a material change to how the service works.
Privacy
You can change this later from the footer. Read the Cookie Policy and Privacy Policy.