Data Processing Agreement (DPA)
Notice: This document is the Data Processing Agreement (DPA) of Atrium and constitutes Annex II to the General Terms and Conditions. It prevails over the General Terms in all matters relating to the processing of personal data.
Version 1.0 · Issue date: 29 May 2026
Preamble
This Data Processing Agreement (hereinafter, "DPA" or "Agreement") governs the processing of personal data that Duetri SL (a company in the process of incorporation), with Tax ID [pending] and address at [pending] (hereinafter, "the Processor" or "Duetri"), carries out on behalf of the Client identified in the General Terms and Conditions of Atrium (hereinafter, "the Controller"), in the framework of the provision of the Atrium service.
This DPA complies with Article 28 of Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018, on Personal Data Protection and guarantee of digital rights (LOPDGDD). It forms an integral part of the General Terms and Conditions of Atrium and prevails over them in all matters relating to the processing of personal data.
Part I — General framework of the processing
1 · Purpose
The Controller entrusts the Processor with the processing of the personal data necessary for the provision of the Atrium service, on the terms described in this DPA and its annexes. The Processor shall process such data solely and exclusively in accordance with the documented instructions of the Controller, this Agreement and applicable law.
2 · Duration
This DPA shall be in force from the date of acceptance until the termination of the main contract (General Terms and Conditions of Atrium). Obligations subsequent to termination (return, deletion and confidentiality) shall survive termination during the applicable legal periods.
3 · Nature and purpose of the processing
| Aspect | Description | |---|---| | Nature of the processing | Collection, storage, consultation, modification, organisation, internal communication on the platform, conservation, deletion and, where appropriate, automated analysis through integrated artificial intelligence. | | Main purpose | Provision of the Atrium SaaS service for the administration of properties and communities of owners. | | Specific purposes | Management of communities, owners and tenants; convocations and minutes; economic management (fees, special levies, expenses and income); incidents and communications; access to the resident portal; documentation generation; support and maintenance. | | Scope | The Processor shall not use the data for its own purposes other than the provision of the service, except as provided in section 13.3. |
Part II — Personal data processed
4 · Type of personal data and categories of data subjects
4.1. Categories of personal data
The processing usually includes the following categories:
- Identification data: name, surnames, ID/NIE/passport, postal address, email address, telephone.
- Economic and financial data: bank account (SEPA mandates), payment history, debts, special levies, fees, billing.
- Professional data (for employees of the Controller's office): position, area, access credentials.
- Data on the dwelling or unit: ownership, participation coefficient, use (dwelling, premises, garage, storage room), resident or non-resident status.
- Communications and incidents: notices, complaints, messages exchanged through the platform.
- Platform usage data: access logs, IP address, activity carried out (for security and traceability purposes).
4.2. Special categories of data (art. 9 GDPR)
The Atrium service is not designed to process special categories of data (health, biometric data, ideology, religion, sexual orientation or other similar). If the Controller decides to upload this type of information to the platform (for example, in minutes or documents), it shall do so under its exclusive responsibility and shall guarantee the appropriate legal basis in accordance with art. 9 GDPR.
4.3. Data of minors
The Atrium service is not aimed at minors under 14 years of age. The Controller undertakes not to collect personal data directly from minors without adequate authorisation from those exercising parental authority or guardianship, in accordance with art. 7 LOPDGDD. The Processor does not carry out differentiated processing based on the age of data subjects.
4.4. Categories of data subjects
- Staff of the Controller's office (employees and collaborators).
- Members of the governing bodies of the communities (president, vice-president, members).
- Owners and co-owners.
- Tenants and authorised residents.
- Suppliers and service providers of the communities.
- Visitors or occasional contacts registered by the Controller.
Part III — Obligations of the parties
5 · Obligations of the Processor (Duetri)
The Processor undertakes to:
a) Process personal data only in accordance with the documented instructions of the Controller, including international transfer, unless required by Union or Member State law. In such case, it shall inform the Controller of the legal requirement before processing, unless expressly prohibited for important reasons of public interest.
b) Not use personal data for its own purposes other than the provision of the service.
c) Ensure that persons authorised to process personal data have committed to respecting confidentiality (see section 16).
d) Apply appropriate technical and organisational measures to guarantee a level of security adequate to the risk (Annex III), in accordance with art. 32 GDPR.
e) Respect the subcontracting conditions provided in section 8 to use another processor.
f) Assist the Controller, taking into account the nature of the processing and the available information, in the obligations incumbent on the Controller (see sections 12 and 13).
g) Delete or return to the Controller the personal data once the provision of the service has ended (see section 15).
h) Make available to the Controller all information necessary to demonstrate compliance with the obligations of art. 28 GDPR, and allow audits on the terms of section 14.
i) Keep a record of processing activities carried out on behalf of the Controller, in accordance with art. 30.2 GDPR, which it shall make available to the supervisory authority if required.
j) Notify the Controller, without undue delay, of any personal data security breach (see section 11).
6 · Obligations of the Controller (Client)
The Controller undertakes to:
a) Comply with applicable data protection regulations, especially with regard to the legitimation of processing, information to data subjects and the exercise of their rights.
b) Collect consent or have another valid legal basis for the processing of the data it enters or manages in Atrium.
c) Inform data subjects that their data will be processed by Duetri as Data Processor, including this information in the Controller's privacy policy or in the relevant forms.
d) Not enter manifestly excessive data into Atrium in relation to the purposes of the service, nor special categories of data without the appropriate legal basis.
e) Carry out, when applicable, the impact assessments and, where appropriate, prior consultations with the supervisory authority.
f) Keep up to date the contact information of the Controller itself and of the persons designated as interlocutors in data protection matters.
g) Correctly configure the permissions and accesses of its Users and review them periodically.
7 · Confidentiality
The Processor guarantees that the persons with access to the personal data of the Controller (employees, collaborators and subprocessors) are subject to confidentiality obligations of a contractual or legal nature, and have received adequate training in data protection matters. This obligation survives the termination of their relationship with the Processor.
Part IV — Subprocessors and international transfers
8 · Subprocessors
8.1. General prior authorisation
The Controller expressly authorises the Processor to use the subprocessors listed in Annex II for the provision of the service.
8.2. New subprocessors
The Processor may incorporate new subprocessors or replace existing ones, notifying the Controller at least 30 days in advance, by email or through update published at duetri.com/legal/subprocesadores.
The Controller may object with reasons, in writing and within 15 days following the notification. In the event of substantiated opposition, the parties shall attempt in good faith to find an alternative solution. If no agreement is reached, the Controller may terminate the contract without penalty, retaining the right to refund of the amounts paid in advance corresponding to periods not provided.
8.3. Required guarantees
Every subprocessor shall comply, through a written contract with the Processor, with the same data protection obligations established in this DPA, in particular those relating to technical and organisational measures. The Processor is liable to the Controller for compliance by the subprocessor.
9 · International data transfers
9.1. General rule: processing in the European Union
Personal data is stored and processed, as a general rule, in infrastructures located in the European Union (Frankfurt, Germany).
9.2. Artificial intelligence functionalities
For the provision of the artificial intelligence functionalities integrated in Atrium (Scriba assistant, OCR, assisted writing, incident classification and similar), the Processor uses Anthropic PBC models, headquartered in the United States. These functionalities:
a) Are available exclusively to users with office management role of the Controller (owner, admin, member). Users with viewer role (read-only) and vecino (owner portal) cannot invoke the AI in any case. This restriction is applied at the server level (API middleware), so that any attempt at direct invocation by an unauthorised role is rejected with a forbidden access error.
b) Process the personal data strictly necessary to respond to each request (user query and aggregated tenant context) and are not used for the training of Anthropic models, in accordance with the contractual conditions in force with that provider.
c) Are carried out under the Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914) and, where appropriate, the Data Privacy Framework while the corresponding adequacy decision is in force.
The Processor shall keep available to the Controller the documentation that accredits the guarantees applied.
Part V — Security and rights of data subjects
10 · Security measures
The Processor implements the technical and organisational measures described in Annex III, sized to the risk in accordance with art. 32 GDPR. These include, among others, encryption in transit and at rest, access control, tenant segregation, backups, activity logging and continuity plans.
The Processor may update its security measures to improve them. Any material reduction in the level of protection shall be notified to the Controller with reasonable notice.
11 · Notification of security breaches
11.1. Deadline and form
The Processor shall notify the Controller, without undue delay and in any case within 72 hours following its knowledge, of any breach of the security of personal data processed on behalf of the Controller.
11.2. Content of the notification
The notification shall be made by email to the contact designated by the Controller and shall include, to the extent that the information is available:
- Description of the nature of the breach, including the categories and the approximate number of data subjects and records affected.
- Contact details of the Processor's Data Protection Officer or designated person.
- Probable consequences of the breach.
- Measures taken or proposed to remedy the breach and mitigate its possible negative effects.
11.3. Communication to authority and data subjects
The obligation to communicate the breach to the supervisory authority and, where appropriate, to the data subjects, corresponds to the Controller. The Processor shall provide reasonable assistance so that the Controller can comply with those obligations.
11.4. Requirements from public authorities
If the Processor receives a requirement from a judicial, administrative or law enforcement authority relating to personal data processed on behalf of the Controller, it shall notify the Controller without undue delay and before responding to the requirement, unless such notification is legally prohibited or could compromise an ongoing investigation. In any case, the Processor shall limit itself to providing the information strictly required by the requirement.
12 · Exercise of rights of data subjects
If a data subject directs a request to exercise rights (access, rectification, deletion, objection, restriction, portability or withdrawal of consent) directly to the Processor, the Processor shall transfer it to the Controller without undue delay, together with the information available to it, so that the Controller can attend to it within the legal periods.
The Processor shall make available to the Controller the tools and reasonable information to facilitate the exercise of rights by data subjects.
Part VI — Assistance and audit
13 · Assistance to the Controller
13.1. Impact assessments
The Processor shall assist the Controller, to the extent that it is in possession of the necessary information, in carrying out data protection impact assessments (DPIA) and, where appropriate, in prior consultations with the supervisory authority.
13.2. Available information
The Processor makes available to the Controller:
- This DPA and its Annexes.
- The security policy and relevant technical documentation (through the product documentation portal).
- The updated list of subprocessors at
duetri.com/legal/subprocesadores. - The activity records reasonably requested, in accordance with section 14.
13.3. Aggregated statistical data
The Processor may generate and use aggregated and fully anonymised statistical data (that is, that do not allow the identification of the Controller, data subjects or specific communities) for the purpose of improving the service, preventing incidents and preparing internal reports. This use does not constitute processing on its own account of personal data.
14 · Audits
14.1. Right to audit
The Controller has the right to verify, at its own cost, compliance by the Processor with the obligations set out in this DPA, through audits to be carried out once a year (except in the event of a relevant incident or legitimate requirement from the supervisory authority, in which case they may be ad hoc).
14.2. Procedure
- Minimum notice of 30 calendar days.
- Reasonable maximum duration (indicatively, one working week).
- Carried out during working hours and without unduly interfering with the Processor's operations.
- By the Controller itself or by an independent auditor, subject to confidentiality obligations.
- Without access to data of other clients or to information considered strictly confidential of the Processor.
14.3. Reasonable alternative
The right of audit shall be deemed to be fulfilled if the Processor provides the Controller with certifications from independent third parties (for example, ISO 27001 or equivalent), external audit reports or completed security questionnaires, provided that they reasonably cover the object of the audit requested.
14.4. Costs
The costs of the audit shall be borne by the Controller. If the audit reveals a substantial breach by the Processor, the reasonable costs shall be borne by the latter.
Part VII — End of the processing
15 · Return or deletion of data at the end
15.1. Controller's option
Once the main contract has ended, and at the Controller's choice, the Processor shall:
a) Return the personal data by standard export (CSV or XLS), in accordance with section 18 of the General Terms; or
b) Delete the personal data.
In the absence of express instruction within 30 days following termination, the Processor shall proceed to deletion.
15.2. Deletion deadlines
- Data in production systems: within the 30 days following termination or the deletion instruction.
- Backups: are purged automatically in the current retention cycle (Annex III) after such deletion, without new copies of the Controller's data. In any case, the Controller's data shall not remain in backups beyond 90 days from termination.
15.3. Exceptions
The Processor may retain data strictly necessary for compliance with legal obligations (for example, retention of invoices, attention to administrative or judicial requirements), duly blocked, during applicable legal periods. Such data shall not be the subject of active processing.
16 · Staff confidentiality
The Processor guarantees that the personnel at its service who have access to the personal data of the Controller:
- Are subject to a duty of confidentiality of contractual or legal origin.
- Have received the necessary training in data protection matters.
- Have an access profile limited to what is strictly necessary for the performance of their functions (principle of least privilege).
Part VIII — Final provisions
17 · Liability
17.1. General regime
Each party shall be liable to the other for damages effectively caused as a consequence of the breach of its obligations under this DPA or applicable regulations.
17.2. Limitation
The liability of the Processor arising from or related to this DPA is subject to the liability limits provided in the General Terms (section 15 of the General Terms), except in cases of wilful misconduct, gross negligence or those in which the limitation is prohibited by mandatory law.
17.3. Administrative sanctions
If a supervisory authority imposes an administrative sanction on one of the parties arising from a breach attributable to the other, the latter shall assume its proportional part according to the degree of respective responsibility.
18 · Modification and termination
18.1. Modification
This DPA may be modified by written agreement of the parties or when necessary to adapt it to relevant regulatory changes, by notification to the Controller with a minimum notice of 30 days. If the Controller does not accept the modification, it may terminate the main contract without penalty in accordance with the General Terms.
18.2. Termination
The termination of the main contract entails the termination of this DPA, without prejudice to obligations that survive in accordance with section 2.
19 · Governing law and jurisdiction
This DPA is governed by Spanish and European law applicable in data protection matters. For the resolution of disputes, the corresponding clause of the General Terms shall apply.
20 · Acceptance
The Controller, by accepting the General Terms and Conditions of Atrium, also accepts this DPA and its Annexes as an integral part of the contract.
Annex I to the DPA — Description of the processing
| Concept | Detail | |---|---| | Object of the processing | Processing of personal data necessary for the provision of the Atrium service. | | Duration | Term of the main contract. | | Nature of the processing | Storage, consultation, modification, organisation, conservation, deletion and, where appropriate, automated analysis through AI. | | Purpose | Administration of properties and communities of owners, economic management, communications and support. | | Type of data | Identification, economic, professional, dwelling data, communications, platform usage data (see section 4.1). | | Categories of data subjects | Office staff, governing bodies, owners, tenants, suppliers, residents and contacts (see section 4.4). |
Annex II to the DPA — Authorised subprocessors
As of this version, the Processor uses the following subprocessors for the provision of the Atrium service:
| Subprocessor | Service provided | Data processed | Location |
|---|---|---|---|
| Neon Inc. | Serverless PostgreSQL database (main DB). | All tenant information (communities, owners, fees, invoices, incidents, meetings, etc.). | Frankfurt, Germany (EU). |
| Railway Corp. | Application hosting (Next.js + workers). | Data in transit during request processing. Does not store personal data beyond operational logs. | EU West (Amsterdam, Netherlands), 1 replica. |
| Anthropic PBC | Generative AI models (Scriba, OCR, write, classify). | Only the content of the message when an authorised user invokes the AI, together with the aggregated tenant context necessary for the response. Not used for training. Access restricted to owner, admin, member roles. | United States. |
| Resend Inc. | Transactional email sending. | Email addresses and content of emails sent (invoices, password recovery, system notices). | EU / USA. |
| Sentry (Functional Software, Inc.) | Error and performance monitoring. | Error traces and technical diagnostic data. PII is not sent deliberately. | EU (organisation configured in European region). |
Complementary services that are not GDPR subprocessors
For transparency, the following providers intervene in the Atrium ecosystem but do not process personal data of the Controller's data subjects, so they do not have the status of subprocessors under the GDPR:
- GitHub, Inc.: hosting of the product source code. Does not process Client or data subject data.
- GoDaddy LLC: registration and DNS management of the
duetri.comdomain. Does not process Client personal data.
Planned services (not yet active)
The following services are planned in the product architecture but are not active in production as of the date of this version. Their activation shall be notified to the Controller in accordance with section 8.2 and shall be incorporated into this Annex II in the corresponding version:
- Cloudflare R2: S3-compatible file storage. Currently documents are stored in the local filesystem of the hosting.
- PostHog Inc.: product analytics and feature flags. No active integration in production.
Publication and update
The current version of this Annex II shall be published and kept updated at duetri.com/legal/subprocesadores (page in preparation; the Processor undertakes to publish it within a reasonable period from the signing of the first commercial contract with a client, not exceeding 60 calendar days). In the meantime, this documentary version serves as the official list. Any addition or replacement of subprocessors shall be notified to the Controller in accordance with section 8.2.
Annex III to the DPA — Technical and organisational security measures
The Processor applies the following measures, sized to the risk:
Encryption and communications
- TLS 1.2 or higher in all communications.
- Database encryption at rest (AES-256).
- Backup encryption.
Access control
- Individual authentication for each user.
- Robust password policy and two-factor authentication (2FA) available, activatable by the user.
- Principle of least privilege: each user accesses only the data necessary for their role.
- Multi-tenant isolation by
tenant_idand Row-Level Security (RLS) in database. - Access by Duetri staff to client data only when necessary for support or incident, logged and traceable.
Backups and continuity
- Daily backups.
- Retention in accordance with the plan in force at each moment (minimum 7 days).
- Documented recovery procedure.
Traceability and audit
- User access and activity records.
- Security logs kept for a reasonable period in accordance with regulations.
- Continuous monitoring of the infrastructure and automated alerts.
Incident management
- Documented incident detection, containment, analysis and notification procedure.
- Notification to the Controller in accordance with section 11 (72 hours).
Staff
- Confidentiality commitments signed by all personnel with access to data.
- Training in data protection and security.
Providers
- Selection of subprocessors with adequate guarantees (Annex II).
- DPAs signed with each subprocessor.
Continuous improvement
- Periodic review of measures in accordance with the evolution of technology and risks.
Duetri SL (in the process of incorporation) · Contact: contacto@duetri.com · Web: https://duetri.com