Data Processing Agreement
AtlanticM&A — Standard Processor Terms
Effective date: March 29, 2026 | Version 1.0
This Data Processing Agreement ("DPA") forms part of the agreement between the entity accepting these terms ("Controller", "Customer", "you") and Lamb and Flag TopCo Corp, operating as AtlanticM&A ("Processor", "we", "us"), for the provision of the AtlanticM&A platform ("Service").
This DPA incorporates the Standard Contractual Clauses approved by the European Commission (Decision 2021/914) as set out in Annex III below.
1. Definitions
- Personal Data means any information relating to an identified or identifiable natural person processed through the Service.
- Processing means any operation performed on Personal Data, including collection, storage, analysis, and deletion.
- Data Subject means the individual to whom Personal Data relates.
- GDPR means Regulation (EU) 2016/679 (General Data Protection Regulation).
- Sub-Processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope of Processing
2.1 Categories of Data Subjects
- Customer employees and contractors using the platform
- Individuals named in meeting transcripts (attendees, speakers)
- Individuals referenced in project governance structures
- Individuals named in M&A deal documentation uploaded by the Customer
2.2 Categories of Personal Data
- Identity data: names, email addresses, job titles
- Professional data: project roles, workstream assignments, governance positions
- Communication data: meeting transcript content (when uploaded by Customer)
- Usage data: login timestamps, feature usage, session data
- Authentication data: hashed passwords, MFA configuration (no plaintext passwords stored)
2.3 Purpose of Processing
Personal Data is processed solely for the purpose of providing the Service, including:
- User authentication and access control
- Project management and collaboration features
- AI-powered meeting transcript analysis (when opted in by the Customer)
- Report generation and distribution
- Platform notifications and communications
2.4 Duration of Processing
Processing continues for the duration of the Customer's subscription. Upon termination, data is available for export for 30 days, after which it is permanently and irreversibly deleted from all systems including backups within 35 days (Aurora backup retention period).
3. Processor Obligations
3.1 Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required by Union or Member State law.
3.2 Confidentiality
The Processor ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
The Processor implements appropriate technical and organisational measures, including:
- Encryption at rest (AES-256 for all data stores including Aurora, S3, and DynamoDB)
- Encryption in transit (TLS 1.2+ enforced, HSTS headers)
- Row-Level Security (RLS) ensuring strict tenant data isolation at the database level
- AWS WAF with OWASP rule sets, IP reputation filtering, and rate limiting
- Multi-factor authentication (TOTP, passkeys) available for all users
- VPC network isolation with no public internet egress from application containers
- Automated vulnerability scanning and dependency auditing
- Access logging via AWS CloudTrail with 90-day retention
Full technical details are available in the Security Technical Addendum.
3.4 Sub-Processors
The Controller authorises the use of the Sub-Processors listed in Annex II (Security Technical Addendum, Section 7). The Processor shall inform the Controller of any intended addition or replacement of Sub-Processors, giving the Controller the opportunity to object within 30 days.
3.5 Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR (access, rectification, erasure, portability, restriction, objection). The Service provides self-service tools for data export (Article 20) and account deletion (Article 17).
3.6 Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. Notification shall include the nature of the breach, categories of Data Subjects affected, likely consequences, and measures taken to address the breach.
3.7 Deletion and Return
Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies unless Union or Member State law requires storage. Data export is available via the Account Settings page during the 30-day post-termination window.
3.8 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes GDPR.
4. AI Processing — Specific Provisions
The Service includes AI-powered features (meeting transcript analysis, work plan generation, dependency analysis) using AWS Bedrock (Claude). The following specific provisions apply:
- AI processing is performed within the US-East-1 AWS region via private VPC endpoint (no public internet transit)
- Transcript data is not used to train, improve, or fine-tune any AI models
- AI processing is initiated only by explicit Customer action (uploading a transcript or clicking "Analyze")
- AI-generated suggestions (proposed updates) require explicit human approval before any data changes are made
- The Controller may disable AI features at any time via platform settings
5. International Data Transfers
The Service processes all data in the United States (AWS US-East-1, N. Virginia). The transfer mechanisms below apply based on the Controller's jurisdiction.
5.1 EEA/Swiss Transfers
For transfers of Personal Data from the EEA or Switzerland to the United States:
- Standard Contractual Clauses (SCCs) — EU Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor), incorporated by reference in Annex III below.
- Supplementary Measures — Encryption at rest and in transit, VPC network isolation, row-level security, access logging, and the technical measures described in Section 3.3 above.
5.2 UK Transfers
For transfers of Personal Data from the United Kingdom to the United States:
- UK International Data Transfer Addendum (IDTA) — The UK Addendum to the EU SCCs, as approved by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, is incorporated by reference in Annex IV below. The UK Addendum supplements the EU SCCs (Annex III) to ensure compliance with the UK GDPR and Data Protection Act 2018.
- Supplementary Measures — The same technical measures described in Section 3.3 apply.
5.3 Brazil Transfers (LGPD)
For transfers of Personal Data from Brazil to the United States:
- Legal basis: The EU SCCs (Annex III) are recognised by the Brazilian National Data Protection Authority (ANPD) as an appropriate safeguard for international transfers under Article 33 of the Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018).
- Supplementary Measures — The same technical measures described in Section 3.3 apply. The Processor complies with the LGPD principles of purpose limitation, data minimisation, and security.
5.4 Japan Transfers (APPI)
For transfers of Personal Data from Japan to the United States:
- Adequacy: The European Commission has adopted an adequacy decision for Japan (Decision 2019/419), establishing mutual recognition between the EU GDPR and Japan's Act on the Protection of Personal Information (APPI). The EU SCCs (Annex III) provide an additional safeguard layer.
- Consent basis: Where required under APPI Article 28, the Controller is responsible for obtaining consent from data subjects for the cross-border transfer or ensuring an alternative legal basis under APPI.
- Supplementary Measures — The same technical measures described in Section 3.3 apply.
5.5 South Korea Transfers (PIPA)
For transfers of Personal Data from the Republic of Korea to the United States:
- Adequacy: The European Commission has adopted an adequacy decision for South Korea (Decision 2022/254), establishing mutual recognition between the EU GDPR and Korea's Personal Information Protection Act (PIPA). The EU SCCs (Annex III) provide an additional safeguard layer.
- PIPA compliance: Where required under PIPA Article 17, the Controller is responsible for obtaining consent from data subjects for the cross-border transfer or notifying the data subject of the recipient, purpose, and items of personal information transferred.
- Supplementary Measures — The same technical measures described in Section 3.3 apply.
5.6 Ongoing Obligations
The Processor shall promptly inform the Controller if it becomes aware of any changes in legislation or government practices that may affect the level of protection afforded to Personal Data. If the Processor determines it can no longer comply with its obligations under the transfer mechanism, it shall promptly notify the Controller.
6. Liability and Indemnification
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the main Service Agreement. Nothing in this DPA limits either party's liability to Data Subjects under GDPR.
Annex I — Details of Processing
| Item | Details |
|---|---|
| Controller | [Customer entity name and address] |
| Processor | Lamb and Flag TopCo Corp (dba AtlanticM&A), 159 N Wolcott St, Ste 133, Casper, WY 82601, United States |
| Contact | privacy@atlanticma.com |
| Subject Matter | Post-merger integration and transformation project management SaaS platform |
| Nature of Processing | Collection, storage, organisation, retrieval, AI analysis, reporting, deletion |
| Duration | Duration of subscription + 30-day export window |
| Data Subjects | Customer employees, contractors, meeting attendees, individuals referenced in deal documentation |
| Personal Data | Names, emails, job titles, project roles, meeting transcript content, usage data, authentication data |
| Special Categories | None intentionally processed. Customer must not upload special category data. |
Annex II — Sub-Processors
See Security Technical Addendum, Section 7 for the current list of Sub-Processors with processing purposes, data locations, and certifications.
Annex III — Standard Contractual Clauses
The Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 are incorporated by reference. Module Two (Controller to Processor) applies. The SCCs are available at: EUR-Lex Decision 2021/914.
For the purposes of the SCCs:
- Clause 7 (Docking clause): Not applicable
- Clause 9(a) (Sub-processor authorisation): Option 2 — General written authorisation with 30-day objection period
- Clause 11 (Redress): Optional clause not applied
- Clause 13 (Supervision): The supervisory authority of the Member State where the Controller is established
- Clause 17 (Governing law): The law of the Member State where the Controller is established
- Clause 18 (Choice of forum): The courts of the Member State where the Controller is established
Annex IV — UK International Data Transfer Addendum
For transfers of Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses ("UK Addendum"), as approved by the UK Information Commissioner under Section 119A of the Data Protection Act 2018 on 21 March 2022, is incorporated by reference.
The UK Addendum is available at: ICO — International Data Transfer Agreement and Guidance.
For the purposes of the UK Addendum:
| Table | Details |
|---|---|
| Table 1: Parties | Exporter: The Controller (Customer entity). Importer: Lamb and Flag TopCo Corp (dba AtlanticM&A), 159 N Wolcott St, Ste 133, Casper, WY 82601, United States. Contact: privacy@atlanticma.com |
| Table 2: Selected SCCs | The EU SCCs (Annex III of this DPA) as incorporated by reference, Module Two (Controller to Processor), with the selections specified in Annex III above. |
| Table 3: Appendix Information | As set out in Annex I (Details of Processing) of this DPA. List of sub-processors as set out in the Security Technical Addendum (Section 7). |
| Table 4: Ending the Addendum | Neither party may end the UK Addendum in accordance with Section 19 of the UK Addendum. The Addendum terminates automatically when the DPA terminates. |
Approved UK Addendum version: Version B1.0, in force 21 March 2022, as amended by the UK Information Commissioner from time to time under Section 18 of the Mandatory Clauses.
Execution
To execute this DPA, please contact privacy@atlanticma.com with your entity details. A countersigned copy will be returned within 5 business days.