Record of Processing Activities
GDPR Article 30(2) — Processor Record
Version 1.0 | March 29, 2026
1. Processor Details
| Processor name | Lamb and Flag TopCo Corp (dba AtlanticM&A) |
| Registered address | 159 N Wolcott St, Ste 133, Casper, WY 82601, United States |
| Data protection contact | privacy@atlanticma.com |
| Representative in the EU | To be appointed when required under Article 27 |
2. Categories of Processing
| # | Processing Activity | Categories of Data Subjects | Categories of Personal Data | Transfers to Third Countries | Retention |
|---|---|---|---|---|---|
| 1 | User account management | Customer employees and contractors | Name, email, hashed password, MFA config, session tokens, login timestamps | United States (AWS US-East-1). SCCs apply for EEA/UK/Swiss controllers (Section 5). | While account active + 30 days post-termination |
| 2 | Project management | Customer employees, project team members, governance participants | Names, email addresses, job titles, project role assignments, task assignments, workstream ownership | United States (AWS US-East-1). SCCs apply for EEA/UK/Swiss controllers (Section 5). | While subscription active + 30 days |
| 3 | Meeting transcript analysis (AI) | Meeting attendees, individuals discussed in meetings | Names, statements attributed to individuals, action item assignments, opinions expressed | United States (AWS US-East-1). Transcript sent to AWS Bedrock via VPC private endpoint; not used for model training. SCCs apply for EEA/UK/Swiss controllers (Section 5). | While subscription active + 30 days. Transcript stored in S3 (encrypted). |
| 4 | AI dependency analysis | None intended (input is task titles and workstream names); individuals may be named incidentally in task titles | Task titles and workstream names (may incidentally contain personal names if used in task titles) | United States (AWS US-East-1). Task data sent to AWS Bedrock via VPC private endpoint; not used for model training. SCCs apply for EEA/UK/Swiss controllers (Section 5). | AI results are ephemeral (session state). Task data follows project retention. |
| 5 | Report generation & distribution | Report recipients (email addresses), individuals named in report content | Email addresses of distribution list members, project data included in generated reports | United States (AWS SES, US-East-1). SCCs apply for EEA/UK/Swiss controllers (Section 5). | Distribution config while subscription active. Generated reports not retained server-side. |
| 6 | Document storage | Individuals named in uploaded documents (TSA addendums, templates) | Document content (may contain personal data uploaded by Controller) | United States (AWS S3, US-East-1), encrypted AES-256. SCCs apply for EEA/UK/Swiss controllers (Section 5). | While subscription active + 30 days |
| 7 | Governance & team management | Steering committee members, IMO members, workstream leads | Names, roles, organisational side (acquirer/target), governance positions | United States (AWS US-East-1). SCCs apply for EEA/UK/Swiss controllers (Section 5). | While subscription active + 30 days |
| 8 | Payment processing | Account billing contacts | Payment and billing data collected and held by Paddle as Merchant of Record. AtlanticM&A does not receive or store payment card data. | United Kingdom / global (Paddle, PCI DSS Level 1) | Managed by Paddle per tax regulations |
| 9 | Customer feedback | Users submitting feedback | Email address, feedback text, browser info, page URL | United States (AWS US-East-1). SCCs apply for EEA/UK/Swiss controllers (Section 5). | Until resolved or deleted by administrator |
| 10 | Audit logging | All platform users | User ID, action performed, timestamp, IP address | United States (AWS US-East-1); CloudTrail logs stored in the same region. SCCs apply for EEA/UK/Swiss controllers (Section 5). | Application logs: while subscription active. CloudTrail: 90 days. |
3. Sub-Processors
A complete list of sub-processors with processing purposes, data locations, and certifications is maintained in the Security Technical Addendum (Section 7).
| Sub-Processor | Processing | Location | Safeguards |
|---|---|---|---|
| AWS (multiple services) | Compute, database, storage, AI, email, auth, monitoring | US-East-1 | SOC 2 Type II, ISO 27001, SCCs (AWS DPA), EU-US DPF |
| AWS Bedrock (Claude) | AI transcript analysis, work plan generation, dependency analysis | US-East-1 | SOC 2 Type II, ISO 27001, customer data not used for model training |
| Paddle | Payment processing (MoR) | UK / Global | PCI DSS Level 1 |
| GitHub | CI/CD pipeline trigger | US | SOC 2 Type II, no customer data |
4. Technical and Organisational Security Measures
A description of the technical and organisational security measures implemented pursuant to GDPR Article 32 is provided in the Security Technical Addendum and the Data Protection Impact Assessment.
Key measures include:
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Row-Level Security for tenant data isolation
- VPC network isolation with private endpoints (no public internet egress)
- Multi-factor authentication (TOTP, WebAuthn)
- AWS WAF with OWASP rule sets and rate limiting
- DynamoDB-backed distributed rate limiting
- CloudTrail audit logging
- Automated backup with 35-day retention
- Incident response procedure; personal data breaches are notified to the Controller without undue delay (Article 33(2)) so that the Controller can meet its 72-hour deadline for notifying the supervisory authority (Article 33(1))
5. International Transfers
All processing by AtlanticM&A occurs in AWS US-East-1 (N. Virginia, United States); the exception is payment processing, which Paddle performs as Merchant of Record (Section 2, activity 8; Section 3). For transfers from the EEA/UK/Switzerland, the following safeguards are in place:
- Standard Contractual Clauses (SCCs), Module Two (Controller to Processor), EU Commission Implementing Decision (EU) 2021/914, covering the transfer from the Controller to AtlanticM&A
- AWS compliance: AWS participates in the EU-US Data Privacy Framework and incorporates SCCs into its Data Processing Addendum with customers. These cover the onward transfer from AtlanticM&A to AWS; the Controller-to-AtlanticM&A transfer relies on the SCCs above.
- Supplementary measures: Encryption at rest and in transit, VPC isolation, and access controls as described in Section 4
Full details of the international transfer mechanism are set out in the Data Processing Agreement (Section 5).
6. Document Control
| Version | 1.0 |
| Date | March 29, 2026 |
| Next review | March 2027 or upon material change in processing |
| Approved by | Richard Parry, Director |
Lamb and Flag TopCo Corp (dba AtlanticM&A) · 159 N Wolcott St, Ste 133, Casper, WY 82601, United States
For enquiries: privacy@atlanticma.com