Legal
Atlas is built for organizations with serious governance requirements. This page explains how Atlas approaches the EU General Data Protection Regulation (GDPR) and equivalent data protection laws, the roles we take when handling personal data, and the rights and tools available to our customers and to individuals.
Last updated: 21 June 2026
Atlas is an all-in-one work platform with enterprise-grade governance, including SOC 2 Type II and ISO 27001 certified controls, HIPAA support, single sign-on (SSO) and SCIM provisioning, comprehensive audit logging, regional data residency across the US, EU, and APAC, and a published list of sub-processors. We design our service to help customers meet their obligations under the GDPR and comparable data protection laws.
When customers use Atlas to store and process content (such as documents, tasks, messages, and records), Atlas acts as a data processor and the customer is the data controller. We process that content only on the customer's documented instructions, as set out in our agreement and Data Processing Agreement (DPA). We do not use customer content to train shared models or for our own independent purposes.
This page is informational only and is not legal advice. The DPA and our Terms of Service govern the relationship between Atlas and its customers and prevail over anything stated here.
Understanding who is the controller and who is the processor is central to GDPR. The controller determines the purposes and means of processing personal data; the processor handles personal data on the controller's behalf.
For the personal data that customers and their users place into the Atlas service, the customer is the controller and Atlas is the processor. The customer decides what personal data to upload, how long to keep it, and how it is used within their workspace.
For certain limited data that we determine the purposes for ourselves, such as account registration details, administrator contact information, billing data, and service operational logs used for security and to run the platform, Atlas acts as a controller. Our Privacy Policy describes how we handle data in that capacity.
As a processor, Atlas processes customer personal data for one purpose: to provide, maintain, secure, and support the Atlas service in accordance with the customer agreement, the DPA, and the customer's instructions. We do not process customer content for advertising or unrelated purposes.
Customers, as controllers, are responsible for establishing a valid lawful basis under the GDPR (for example, consent, contract, legitimate interests, or legal obligation) for the personal data they process using Atlas, and for providing any required notices to their own data subjects.
Where Atlas acts as a controller for account and billing data, we rely on the lawful bases set out in our Privacy Policy, primarily the performance of our contract with the customer and our legitimate interests in operating and securing the service.
The GDPR grants individuals a set of rights over their personal data. Atlas provides administrative tools and operational support to help customers respond to these requests within the legally required timeframes.
Because Atlas is usually the processor, an individual exercising rights in relation to data held in a customer's workspace should generally contact that customer (the controller) directly. Where appropriate, customers can reach our team at legal@wrxstack.com or submit a privacy request to obtain our assistance.
Atlas makes a Data Processing Agreement (DPA) available to customers. The DPA sets out the contractual data protection commitments required under Article 28 of the GDPR, including the subject matter and duration of processing, the nature and purpose of processing, the types of personal data and categories of data subjects, and the rights and obligations of both parties.
Our DPA incorporates the European Commission's Standard Contractual Clauses (SCCs) and equivalent transfer mechanisms to support lawful international data transfers. To request or review the DPA, visit /legal/dpa-request.
Where personal data is transferred outside the European Economic Area, the United Kingdom, or other regions with transfer restrictions, Atlas relies on appropriate safeguards. These include the Standard Contractual Clauses, the UK International Data Transfer Addendum where applicable, and supplementary technical and organizational measures such as strong encryption.
For Enterprise customers, Atlas offers regional data residency so that primary customer content can be hosted in the United States, the European Union, or the Asia-Pacific region. Selecting an EU data region can help reduce or avoid certain cross-border transfers for that customer's content.
Atlas engages a limited set of trusted sub-processors to help deliver the service, such as cloud infrastructure, content delivery, and support tooling providers. Each sub-processor is bound by data protection obligations consistent with those we accept under our DPA.
We maintain a current list of sub-processors at /legal/sub-processors. As provided in the DPA, we give customers advance notice of new or replacement sub-processors so they have an opportunity to review and, where the DPA allows, object on reasonable data protection grounds.
Atlas applies technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and loss. These include encryption of data in transit and at rest, strict access controls, and role-based access control (RBAC) for administrators and users.
Our security program is independently validated through SOC 2 Type II and ISO 27001, and includes detailed audit logging, network protections, vulnerability management, and personnel security practices. Enterprise customers may also use customer-managed encryption keys. Learn more at /security.
Atlas retains customer content for as long as the customer's account remains active or as needed to provide the service. Customers control retention within their workspace and can delete content at any time using the in-product tools.
On request, or following termination of the agreement, Atlas deletes or returns customer content in accordance with the DPA and applicable law. Self-service export tools allow customers to retrieve their data before deletion. Residual copies may persist in encrypted, time-limited backups for a defined retention window before they are securely overwritten in the ordinary course of backup rotation.
Atlas maintains an incident response process aligned with the GDPR's personal data breach requirements. If Atlas becomes aware of a personal data breach affecting customer content, we will notify affected customers without undue delay and provide information reasonably available to us to help them meet their own notification obligations.
As the controller, the customer is responsible for assessing whether the breach must be reported to a supervisory authority or to affected individuals, and for making any such notifications within the timeframes required by law.
The Atlas service is intended for organizations and their workforce and is not directed at children. We do not knowingly collect personal data from children, and customers should not use the service to process data relating to children unless they have a valid lawful basis and appropriate safeguards in place.
Atlas is a general-purpose work platform and is not designed as a repository for special categories of personal data (such as health, biometric, or similar sensitive data). Customers should not upload special-category data without ensuring they have an appropriate lawful basis, any additional conditions for processing, and suitable safeguards. Customers with regulated requirements should review our HIPAA and security commitments and contact us before processing such data.
For data protection inquiries, including DPA requests and assistance with data subject rights, contact our legal and privacy team at legal@wrxstack.com. For security matters or to report a vulnerability or suspected incident, contact security@wrxstack.com.
Individuals in the EU, the UK, and certain other regions also have the right to lodge a complaint with their local data protection supervisory authority. We encourage you to contact us first so that we can work to address your concerns directly.
This page is provided for general information and does not constitute legal advice. The applicable DPA and Terms of Service govern the rights and obligations of Atlas and its customers.
Questions about this page? Email legal@wrxstack.com or visit our contact page.