Data Processing Agreement

Last Updated: March 16, 2026

Introduction

This Data Processing Agreement ("DPA") sets forth the terms under which Athena Information Technology Services LLC ("Processor," "Athena IT," "we," "us," or "our") processes personal data on behalf of its clients ("Controller," "Client," "you") in the course of providing managed IT services. This DPA supplements and is incorporated into the managed services agreement between Athena IT and the Client.

Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, use, transmission, or deletion
  • Data Subject: An identified or identifiable natural person whose personal data is processed
  • Sub-processor: A third party engaged by Athena IT to process personal data on behalf of the Client
  • Applicable Data Protection Laws: All laws and regulations applicable to the processing of personal data, including GDPR, CCPA/CPRA, LGPD, PIPEDA, and other relevant regulations

Scope and Purpose of Processing

Athena IT processes personal data solely for the purpose of providing managed IT services as defined in the managed services agreement with the Client. The types of personal data processed and categories of data subjects are determined by the Client's use of our services and are specified in the service agreement.

Obligations of Athena IT

As a data processor, Athena IT shall:

  • Process personal data only on documented instructions from the Client
  • Ensure that persons authorized to process personal data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with the prior consent of the Client and under written agreements that impose equivalent data protection obligations
  • Assist the Client in responding to data subject rights requests
  • Assist the Client in ensuring compliance with security, breach notification, and data protection impact assessment obligations
  • Delete or return all personal data to the Client upon termination of services, unless retention is required by law
  • Make available all information necessary to demonstrate compliance and allow for audits

Security Measures

Athena IT implements the following technical and organizational measures to protect personal data:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls with least-privilege principles
  • Multi-factor authentication for all administrative access
  • Regular security assessments and penetration testing
  • 24/7 security monitoring and incident detection
  • Employee security training and background checks
  • Physical security controls for data center access
  • Business continuity and disaster recovery plans
  • Regular backups with tested restoration procedures

Sub-processors

Athena IT maintains a list of approved sub-processors. We will notify the Client of any intended changes to sub-processors, providing the Client with an opportunity to object. If the Client objects to a new sub-processor and the objection cannot be reasonably resolved, either party may terminate the affected services.

International Data Transfers

When personal data is transferred to countries outside the jurisdiction of the Client, Athena IT ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement or Addendum where applicable
  • Adequacy decisions where available
  • Transfer impact assessments for transfers to countries without adequacy decisions

Data Breach Notification

In the event of a personal data breach, Athena IT shall notify the Client without undue delay and no later than 48 hours after becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach, including categories and approximate number of data subjects affected
  • The name and contact details of the point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

Data Subject Rights

Athena IT shall assist the Client in fulfilling its obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction, data portability, and objection to processing. Athena IT shall promptly notify the Client of any requests received directly from data subjects.

Term and Termination

This DPA shall remain in effect for the duration of the managed services agreement. Upon termination, Athena IT shall, at the Client's election, return or securely delete all personal data within 90 days, except where retention is required by applicable law.

Contact Us

For questions about this Data Processing Agreement: