1.1 Atom9 account controller
Atom9 is controller for account creation, login, security, provider linking, service notices, direct support, and direct account relationship data.
GDPR AND DATA ROLES
Atom9 can be the account provider, a workspace platform, a processor for customer data, and the login layer for customer apps. The GDPR role depends on who decides the purpose and means of the processing.
Atom9 applies GDPR requirements as binding operating rules: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.
Legal anchors: GDPR 1.1 to 1.4 define the roles, and GDPR 4.1 defines the data processing agreement path.
Atom9 is controller for account creation, login, security, provider linking, service notices, direct support, and direct account relationship data.
The customer is controller for its workspace content, projects, contacts, files, team records, customer records, and customer service decisions. Atom9 processes that customer-controlled data to provide the service.
The customer app owner is controller for its users, KYC fields, bookings, forms, service eligibility, customer notices, consent text, and retention choices.
Infrastructure, email, search, file storage, AI providers, analytics, payment, monitoring, and support systems act as processors or sub-processors according to configuration and contract.
Personal data is information about an identified or identifiable person, including name, email, login events, messages, forms, bookings, files, support requests, and audit records.
Health, biometric, political, religious, union, sex life, sexual orientation, racial or ethnic origin, and similar protected categories are restricted processing. Atom9 requires appropriate configuration and lawful basis before this data is used.
Processing means collecting, storing, reading, changing, transmitting, deleting, exporting, generating, analysing, or otherwise using personal data.
A controller decides why and how personal data is processed. A processor processes personal data for the controller under documented instructions. A sub-processor is a provider used by a processor.
Atom9 uses contract as a legal basis for account access, workspace service delivery, billing, support, project work, and customer commitments.
Atom9 uses legitimate interests for security, fraud prevention, abuse prevention, service reliability, audit trails, internal administration, and product safety where rights and freedoms are balanced.
Atom9 uses legal obligation for accounting, tax, legal requests, incident duties, compliance records, and obligations imposed by applicable law.
Atom9 uses consent where required for optional analytics, marketing, certain cookies, optional communications, or customer-app flows that rely on consent. Consent can be withdrawn where consent is the legal basis.
When Atom9 acts as processor, the customer defines the legal basis for its workspace or customer-app data and Atom9 processes that data according to documented instructions.
For production customers, Atom9 provides or operates under a data processing agreement covering processor instructions, confidentiality, security measures, sub-processors, rights assistance, incident support, deletion, return, retention, and transfer safeguards.
Atom9 processes customer-controlled data according to the configured service, agreement, and documented customer instructions. Atom9 does not use customer processor data for unrelated purposes.
Atom9 limits access to people and providers who need it for service operation, support, security, compliance, or legal duties.
Atom9 deletes, returns, anonymises, or retains data according to the agreement, law, backup lifecycle, security requirements, and customer instructions.
Atom9 keeps its own account data limited to what is needed for login, verification, security, sessions, notices, workspace access, support, and platform operation.
A customer app can require extra information to deliver its own service, such as address, booking details, company profile, documents, eligibility checks, consent records, or sector KYC.
Service-specific data is collected at the customer app boundary, explained to the user, and controlled by the customer unless Atom9 is separately acting as controller for a specific Atom9 account purpose.
Requests can include access, rectification, erasure, restriction, objection, portability, withdrawal of consent, complaint handling, and information about automated processing.
Atom9 responds to requests where Atom9 is controller and verifies identity and authority before changing or disclosing data.
When a customer is controller, Atom9 forwards, assists, or acts according to the data processing agreement and product workflow.
Atom9 applies legal exceptions for security, identity verification, legal claims, accounting, compliance, backup ageing, and customer controller instructions where applicable.
Atom9 uses authentication controls, session controls, role boundaries, service authentication, logging, backups, provider controls, and operational monitoring.
Atom9 investigates suspected personal data breaches, contains the issue, assesses risk, preserves evidence, and notifies customers, users, or authorities where required.
Atom9 keeps records for important processing purposes, approvals, AI actions, provider settings, transfer safeguards, and compliance decisions where accountability requires evidence.
Atom9 assists customers with information needed for data protection impact assessments where the customer use case is likely to create high risk.
Atom9 selects providers with attention to security, confidentiality, location, transfer safeguards, service purpose, and customer notice requirements.
Atom9 explains what the agent is doing, what context it uses, what tools it used, what decision is needed, and what a human must approve before important outcomes continue.
Atom9 makes AI-generated content, AI chat, tool use, model/provider identity, and automated actions visible in the product history where relevant.
Atom9 routes high-risk sectors, regulated workflows, unusual data requests, special-category data, and high-impact decisions into stronger questions, approvals, compliance checks, and launch gates.
Atom9 requires human approval before the agent publishes, launches, or changes sensitive workflows where human control is required.
Atom9 saves prompt history, approvals, tests, compliance checks, launch decisions, provider settings, and relevant tool results with the project.
Privacy
You can change this later from the footer. Read the Cookie Policy and Privacy Policy.