Gatlas

Data Processing Agreement

Last updated: June 29, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Bifrost Partners LLC ("Gatlas", "we", "us"), a Delaware limited liability company with its registered address at 2810 N Church St, PMB 540960, Wilmington, Delaware 19802-4447, USA, and the customer that uses the Gatlas platform ("Customer", "you"). It governs our processing of personal data on your behalf and reflects the requirements of Article 28 of the EU General Data Protection Regulation ("GDPR") and equivalent data-protection laws. Where it conflicts with our general terms, this DPA prevails for matters of personal-data processing.

1. Roles and Definitions

For personal data contained in the systems you connect to Gatlas (including data about your customers, prospective customers, and site visitors), you act as the controller and Gatlas acts as the processor. "Personal data", "processing", "controller", "processor", "sub-processor", and "data subject" have the meanings given in the GDPR. "Protected customer data" means personal data about a merchant's customers accessed through a connected platform such as Shopify.

2. Details of Processing

  • Subject matter: Provision of the Gatlas data-integration and analytics platform.
  • Duration: For the term of your use of the platform, plus any deletion period set out below.
  • Nature and purpose: Read-only synchronization of data from the systems you connect into a data warehouse, and execution of queries, views, and reports that you request. Read-only analytics; no use for advertising, marketing, resale, or model training.
  • Types of personal data: As determined by the systems and streams you configure. For Shopify, this includes customer name, email address, and order/customer shipping and billing addresses. Other connectors may include contact, account, and transaction data.
  • Categories of data subjects: Your customers, prospective customers, and site visitors.

3. Our Obligations

  • We process personal data only on your documented instructions, including as configured through the platform, unless required to do otherwise by law (in which case we will inform you unless legally prohibited).
  • We ensure that personnel authorized to process personal data are bound by confidentiality.
  • We implement appropriate technical and organizational measures (Section 8).
  • We process the minimum personal data necessary to provide the service, and limit our use of it to that purpose.

4. Sub-processors

You provide general authorization for us to engage the sub-processors below to deliver the service. We impose data-protection obligations on each sub-processor no less protective than those in this DPA, and remain responsible for their performance.

  • Supabase — database, authentication, and encrypted secrets storage.
  • Vercel — web application hosting.
  • Railway — background data-synchronization processing.
  • Anthropic — optional AI assistant / query feature; processes only the data you query, does not train on it, and supports zero data retention.

We will give you reasonable prior notice of any new or replacement sub-processor, and you may object on reasonable data-protection grounds.

5. Assistance to You

Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, in responding to data-subject requests (access, rectification, erasure, restriction, portability, and objection), and in meeting your obligations regarding security, breach notification, data-protection impact assessments, and prior consultation. For Shopify, we honor the mandatory customer data-request, customer-redaction, and shop-redaction webhooks.

6. Personal Data Breach

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide information reasonably available to us to help you meet your notification obligations.

7. Deletion and Return

On termination of your use of the platform, or at your request, we will delete or return personal data we process on your behalf and delete existing copies, unless retention is required by law. When you delete a connection, the related synced data is deleted; when you delete your account, all associated data is deleted within 30 days; backups are purged on their normal cycle.

8. Security Measures

  • Encryption of personal data in transit (TLS) and at rest.
  • Encrypted backups; OAuth credentials stored in an encrypted secrets vault, separate from application data.
  • Logical isolation of each customer's data and row-level security.
  • Least-privilege access controls, strong authentication for staff, and logging of access to personal data.
  • Separation of test and production data, and a documented security incident-response process.

9. Audits

We will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable notice and subject to confidentiality, allow for and contribute to audits conducted by you or an auditor you mandate.

10. International Transfers

Where we transfer personal data outside the European Economic Area or other restricted jurisdictions, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, which are incorporated into this DPA by reference where applicable.

11. Governing Law

This DPA is governed by the laws of the State of Delaware, USA, without prejudice to mandatory data-protection law applicable to you (including, where relevant, the GDPR).

12. Contact

For data-protection matters, contact us at privacy@gatlas.ai.