Data Processing Addendum
This addendum is incorporated by reference into your subscription agreement with Attera. A counter-signed PDF version is available on request. Email contact@attera.io with subject "DPA".
i. Roles
For personal data submitted into Attera by you ("Customer Data"), you are the Controller and Attera is the Processor under Article 4 GDPR. Attera processes Customer Data only on your documented instructions.
ii. Scope and purpose
Attera will process Customer Data solely to:
- Provide, maintain, and support the Attera service.
- Generate compliance document drafts as requested by you.
- Comply with applicable law.
Attera will not sell, share for advertising, or train AI models on Customer Data.
iii. Data residency
Customer Data is processed and stored exclusively on infrastructure located in the European Union (Belgium primary, with Hetzner data centres in Germany and Finland). Data is never replicated outside the EU. There is no US edge cache, no CDN mirroring your documents, and no third-party LLM API in the inference path. The AI runs on hardware we own and operate in Leuven.
iv. Security measures
- Encryption in transit: TLS 1.3 on all network connections; HSTS enforced.
- Encryption at rest: AES-256 on object storage and database volumes.
- Access control: Least-privilege internal access; audit logging on every action.
- Backups: Encrypted snapshots stored EU-only. Cadence and retention are documented in your subscription agreement.
- Personnel: Written confidentiality obligations for everyone with access.
- Audit trail: Append-only hash-chained audit log per workspace.
v. Sub-processors (two only)
Attera engages two sub-processors:
| Provider | Region | Purpose |
|---|---|---|
| Hetzner Online GmbH | DE · FI | Hosting, storage, and database services (Falkenstein, Germany · Helsinki, Finland) |
| Tailscale Inc. | Coordination only | Private network coordination; customer data does not transit Tailscale servers |
That is the entire list. We will give 30 days' notice by email before adding any new sub-processor that handles Customer Data.
vi. Personal data breach notification
We will notify you without undue delay (and in any case within 72 hours of becoming aware) of any confirmed personal data breach affecting your Customer Data, with available details and mitigation steps. The named contact is security@attera.io.
vii. Data subject rights
We will assist you in responding to data subject requests under Articles 15–22 GDPR within reasonable timeframes. Most requests can be completed by you directly using the product's export and delete controls.
viii. Audits
Customers can request annual evidence of our security controls. Enterprise customers may conduct documentation-based audits on reasonable notice. The full list of claims we can prove today, and what we have not yet attested, is on the security page.
ix. Deletion and return
On termination or written request, we will delete all Customer Data within 30 days, save where retention is required by law (e.g. audit logs).
x. Liability and conflict
This DPA forms part of the Terms. In case of conflict between this DPA and the Terms with respect to processing of personal data, this DPA controls.