attababy
Launch Console

Data Processing Addendum

Last updated: November 27, 2025

DATA PROCESSING ADDENDUM

Effective Date: November 27, 2025
This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between:

Attababy LLC
A Delaware Limited Liability Company
Principal Operations: Miami Beach, FL, USA
(“Processor”)

and

Customer (“Controller”),
each a “Party” and collectively the “Parties.”

1. Purpose

This DPA governs Processor’s handling of Personal Data processed on behalf of Controller in connection with the services provided under the Agreement.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data.
  • Controller: The entity determining the purposes and means of Processing.
  • Processor: Attababy LLC, acting on behalf of Controller.
  • Sub-processor: Any third party engaged by Attababy to process Personal Data.
  • Sovereignty Metadata: Region, residency, retention, and regulatory constraints applied to workloads.
  • Applicable Laws: GDPR, CCPA/CPRA, HIPAA (if applicable), EU AI Act, and any regional data-protection statute triggered by Controller.

3. Roles of the Parties

Controller determines:

  • purpose of data processing
  • retention and residency requirements
  • sovereignty metadata
    Processor processes data only according to Controller’s documented instructions.

4. Processor Obligations

Processor shall:

  1. Process only per Controller’s instructions, including region locks, residency rules, and retention policies.
  2. Maintain zero-persistence defaults unless otherwise instructed in writing.
  3. Ensure confidentiality of all personnel with access to Personal Data.
  4. Implement appropriate technical and organizational security measures, including:
    • encrypted storage
    • encrypted transit
    • isolated private enclaves
    • sovereign routing controls
    • audit logging
  5. Assist Controller with data-subject rights requests.
  6. Assist with DPIAs, if applicable.
  7. Notify Controller of a data breach without undue delay.
  8. Delete or return Personal Data at the end of service unless law requires retention.

5. Sub-Processors

Processor may engage sub-processors only for infrastructure or audit-logging purposes.

Current sub-processors:

Sub-processor

Purpose

Location

TBD (colocation provider)

Physical racks + network

USA

TBD (monitoring/logging provider)

System logs (non-content)

USA or EU

Processor shall provide notice of new sub-processors and allow objections.

6. International Transfers

Personal Data shall not leave regions specified in Controller’s sovereignty metadata.

No cross-region transfers occur without express written approval.

7. Breach Notification

Processor will notify Controller of any confirmed breach within 72 hours or sooner where required.

8. Data Retention & Deletion

Processor shall:

  • retain no plaintext content by default
  • retain metadata only as required for security, billing, or compliance
  • destroy all ephemeral data per Controller’s sovereignty metadata

9. Return or Destruction of Data

Upon termination:

  • All Personal Data shall be deleted or returned, per Controller’s written request.

10. Governing Law

This DPA shall be governed by the laws of the State of Delaware, USA.

11. Entire Agreement

This DPA supplements, but does not replace, the Agreement.

IN WITNESS WHEREOF, the Parties have caused this DPA to be executed as of the Effective Date.

—End of DPA—

If you have questions about this Data Processing Addendum, please contact us at
legal@attababy.com

Scroll to Top