Legal
Privacy Policy
How Atitic processes personal data, keeps it inside the EU, and hands it back if you leave.
Effective: [to be set – legal.privacy_effective_date] · Version 1.0
1. Who we are
Atitic is operated by [COMPANY_LEGAL_NAME], a company incorporated in Lithuania, registration number [REGISTRATION_NO], registered address [REGISTERED_ADDRESS]. For questions about this Privacy Policy, contact [email protected].
Where required by GDPR Art. 37, our Data Protection Officer can be reached at the same address.
2. Controller vs. processor roles
Atitic acts in two distinct capacities:
- Controller. When you visit our marketing website, sign up for a trial, correspond with us, or use administrative features of the Service that concern your own account, we determine the purposes and means of the processing and are the controller. Examples: account credentials, billing records, marketing emails you have opted into, contact-form submissions, cookies on
atitic.eu. - Processor. When you or your Authorised Users upload personal data about your own data subjects to the Service in the course of running your compliance programme (for example, RoPA records, DSAR requests, breach notifications, staff acknowledgements), Atitic acts as a processor on your behalf. The Data Processing Addendum (DPA) governs that processing – see Terms § 11.
3. What we collect and why
Account data: full name, business email, hashed password (Argon2id), MFA seed (encrypted), display language, timezone, tenant memberships and role assignments, session activity (last-seen IP, device fingerprint, revocation state). Purpose: authenticating you, delivering the Service, and providing an audit trail of who did what.
Billing data: tenant contact, VAT ID (if applicable), Stripe customer ID, subscription state and past invoices. Payment card details are handled by Stripe and never touch Atitic servers.
Communications: the content of any email you send us (support, sales, legal), and metadata about outbound transactional emails we send you (delivery, bounce, open metrics from Mailjet).
Marketing data: if you complete a self-survey lead magnet, we collect the answers together with the email address you submit so we can deliver the report. You may opt out of subsequent marketing at any time.
Product telemetry: server-side request logs (timestamp, path, status, request-id, tenant-id, user-id) for a limited period, used for operations, security, and abuse-prevention. We do not use third-party analytics or cookie-based tracking on the marketing site or product.
Customer Data uploaded by you: whatever your Authorised Users choose to upload as evidence, policies, RoPA records, DPIAs, breach reports, and so on. We process this Customer Data strictly as a processor on your instructions.
4. Legal bases for processing
- Performance of a contract (Art. 6(1)(b) GDPR): providing the Service under our Terms.
- Legitimate interests (Art. 6(1)(f) GDPR): securing the Service, preventing abuse, managing our business (billing, accounting, dispute defence), improving the product on the basis of aggregated / anonymised usage.
- Legal obligation (Art. 6(1)(c) GDPR): tax records, statutory book-keeping, responding to law-enforcement requests where compliance is compulsory.
- Consent (Art. 6(1)(a) GDPR): where we ask you to opt in, for example to marketing communications or non-essential cookies. You can withdraw consent at any time.
5. Retention
Account and Customer Data are retained for as long as your subscription is active. After termination, we retain the data for 30 days to enable self-service export, then delete it from primary systems within a further 30 days and from backups on the standard rotation described below.
Billing records are retained for seven (7) years to satisfy tax and statutory obligations.
Server logs containing personal data (IPs, request-ids) are retained for 90 days for security purposes, then deleted or fully anonymised.
Marketing communications: we retain your contact record until you opt out plus a reasonable period thereafter to prove compliance with your opt-out.
6. Subprocessors and hosting regions
Atitic uses the following subprocessors. The current list, kept up-to-date, is the authoritative version; changes are notified at least 30 days in advance via in-product notice or email to the account owner.
| Subprocessor | Purpose | Region |
|---|---|---|
| EU datacenter provider ([DATACENTER_NAME]) | Compute + primary Postgres hosting | EU |
| S3-compatible object storage ([OBJECT_STORAGE_PROVIDER]) | Encrypted evidence + attachment storage | EU |
| Stripe Payments Europe | Payment processing, invoicing, subscription lifecycle | EU + Ireland |
| Mailjet (Sinch) | Transactional and branded outbound email | EU (France) |
| Google – Gemini API | AI features: Ask Atitic, evidence proposals | Model calls routed to EU endpoints where available; see AI section below |
| Cloudflare | Edge CDN, DNS, TLS termination, bot mitigation | Global anycast; personal data in HTTP headers only |
| HashiCorp Vault (self-hosted) | Secrets and encryption-key management | EU (same datacenter as primary) |
7. International transfers
In the default deployment, Customer Data does not leave the European Union. Where a subprocessor is a global provider (Cloudflare, Stripe), transfers of limited operational metadata may occur; those transfers are governed by Standard Contractual Clauses ("SCCs") and, where applicable, the EU–US Data Privacy Framework. Copies of the SCCs used are available on request.
8. Security, encryption, and tenant isolation
In transit: TLS 1.2+ enforced for all client connections and for internal service-to-service traffic. HSTS is set on the marketing and platform hosts. TLS certificates are issued by Let's Encrypt and rotated automatically.
At rest: Postgres data files and object-storage buckets are encrypted with industry-standard algorithms (AES-256 or equivalent). Backups are encrypted independently.
Tenant isolation: Atitic is multi-tenant. Every tenant-scoped table in Postgres is protected by row-level security (RLS), enforced by the database itself, with a per-request tenant context set at the start of every request and cleared on completion. RLS is forced (not merely enabled), so no privileged application role can bypass it. Object storage segregates tenant data by prefix and per-object access policy.
Secrets: integration tokens, IdP secrets, cloud credentials, and DKIM keys are stored in HashiCorp Vault with envelope encryption. Application code retrieves secrets at request time using short-lived tokens.
9. Backup, disaster recovery, RTO and RPO
Postgres uses point-in-time WAL streaming to an off-cluster replica plus daily base backups retained for 30 days. Object-storage buckets are versioned with a 30-day lifecycle window. All backups are encrypted and stored in an EU region separate from the primary.
Our Recovery Time Objective (RTO) for the production workload is 4 hours and our Recovery Point Objective (RPO) is 15 minutes. These targets are exercised in an annual DR drill; the most recent drill report is available under NDA on request. Actual RTO/RPO for a specific incident depends on the failure mode and is measured in the post-incident review that we share with affected customers.
10. Access controls, RBAC, SCIM, and privileged access
Customer-side controls. The Service enforces role-based access control (RBAC) with per-module permissions at the read / manage / approve granularity. Tenants may create custom roles, enforce MFA on their users, and, on eligible plans, provision users via SCIM 2.0 from their identity provider. SAML 2.0 and OIDC single sign-on are supported.
Audit trail. Every mutation across the platform writes to a tamper-evident audit log with actor, target, timestamp, and payload. The audit log is exportable via API and included in the Portability Report.
Privileged access on Atitic side. Production access is restricted to named Atitic engineers with a documented business need. Access requires MFA and short-lived credentials. Every privileged session is logged, and standing "super-admin" tenant impersonation is not permitted; where support requires access to a customer workspace, it is time-bounded, logged, and disclosed to the customer through an audit record.
11. Penetration testing and vulnerability management
Atitic engages an independent third-party firm to conduct a penetration test at least once per year, and additionally after material architectural changes. Executive-summary reports are available under NDA on request. Findings are triaged against CVSS severity with the following remediation SLAs: critical – 72 hours, high – 14 days, medium – 60 days, low – 180 days. Dependency vulnerabilities are surfaced by automated scanning of first-party and container images; patches follow the same SLA. A security disclosure programme is published at [email protected].
12. AI features, model provider, and training arrangements
Optional AI features are powered by Google Gemini via Google's direct API. When you use an AI feature (Ask Atitic, evidence proposals, or similar), the prompt together with a scoped subset of Customer Data (retrieved via tenant-scoped vector search) is sent to the model provider solely to generate the response, which is then returned to your workspace and stored as a proposal for human review.
Atitic's contract with the model provider prohibits the use of API traffic for training or model improvement, and Atitic does not use Customer Data to train any AI model. API traffic is not retained by the model provider beyond what is required to serve the immediate request (in accordance with Google's published API terms). AI features can be disabled at the tenant level from platform settings.
AI proposals are advisory. A human in your organisation must accept, edit, or reject each proposal before it takes effect in your compliance state. Model outputs may be incorrect and must not be relied on as legal advice.
13. Data export, portability, and audit-log continuity
You may export your workspace at any time using the built-in Portability Report in three formats: JSON (machine-readable), XLSX (multi-sheet workbook), and PDF (auditor-friendly). The Portability Report explicitly includes:
- All entities: framework programs, policies, evidence, risks, RoPA records, DPIAs, breach records, DSAR requests, assets, ICT contracts, ICT services, tasks;
- The relationships between requirements and their linked evidence / policies / risks / tasks / DPIAs / processing activities / breaches / assets / ICT contracts / ICT services;
- Version history where the model records it (e.g. policy versions);
- The complete tamper-evident audit log for the workspace.
Uploaded evidence files remain retrievable from the object-storage bucket configured on your tenant; the Portability Report references each artifact by its object key so you can pull the bytes independently even if the Service becomes unavailable.
The REST API covers the same entities and relationships that appear in the product UI, so an exit can be automated end-to-end.
14. Your data-protection rights
If personal data about you is processed by Atitic, you have the following rights under GDPR:
- Access (Art. 15) – ask what personal data we hold about you.
- Rectification (Art. 16) – correct inaccurate data.
- Erasure (Art. 17) – ask us to delete your data, subject to legal-hold exceptions.
- Restriction (Art. 18) – limit processing.
- Portability (Art. 20) – receive your data in a machine-readable format.
- Object (Art. 21) – object to processing based on legitimate interests or direct marketing.
- Withdraw consent at any time where processing is based on consent.
- Complain to a supervisory authority. In Lithuania, this is the State Data Protection Inspectorate (VDAI, vdai.lrv.lt). You may also lodge a complaint with the authority in your Member State of habitual residence or place of the alleged infringement.
Where Atitic acts as a processor for a customer, requests concerning your data should be sent to that customer (the controller). We will assist the controller in responding as required by our DPA.
To exercise a right where Atitic is the controller, email [email protected]. We will respond within one month, extensible by two further months for complex requests as permitted by Art. 12(3) GDPR.
15. Cookies and tracking
The marketing site (atitic.eu) and the platform host use only first-party cookies strictly necessary to deliver the Service (session, CSRF token, language preference). We do not use third-party analytics, ad trackers, or cross-site cookies. Details are set out in our Cookie policy.
16. Changes to this policy
We may update this policy from time to time. Material changes will be notified by in-product notice or email at least 30 days before they take effect. Historical versions are available on request.
17. Contact
Privacy queries: [email protected].
Security queries: [email protected].
Postal: [COMPANY_LEGAL_NAME], [REGISTERED_ADDRESS].