
Data Processing & International Transfers

Last updated: 14 June 2026

This document is a comprehensive legal framework draft. It must be reviewed and approved by licensed attorneys before publication and enforcement. It does not constitute legal advice.

1. Overview

This document describes Athena Agentic's framework for processing personal data and implementing international data transfers in compliance with:

  • The EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
  • The UK General Data Protection Regulation (UK GDPR) (as retained in UK law by the European Union (Withdrawal) Act 2018)
  • The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (Cal. Civ. Code § 1798.100 et seq.)
  • The Australian Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws (Canada)
  • Quebec Law 25 (Act to modernize legislative provisions as regards the protection of personal information)

2. Roles and Responsibilities

2.1 Website and Prospect Data Processing

For Personal Data collected through the Website (inquiries, briefing requests, job applications, partner applications), Athena Agentic acts as an independent data controller and processes such data in accordance with the Privacy Policy.

2.2 Platform Customer Data Processing

For Customer Data and Customer Content processed within the Platform on behalf of enterprise customers:

  • The customer acts as the data controller (or where the customer processes data on behalf of its own customers, the customer may be a data processor)
  • Athena Agentic acts as the data processor
  • Processing is governed by the applicable Customer Agreement and executed Data Processing Agreement (DPA)

Athena Agentic processes Customer Data solely:

(a) for the purposes of providing the contracted services;

(b) in accordance with the customer's documented instructions; and

(c) as required by applicable law.

We do not process Customer Data for our own commercial purposes, and we do not sell Customer Data.

3. Data Categories Processed

3.1 Data Controller Categories (Website / Prospect)

Category                 | Examples                                   | Legal Basis (GDPR)
-------------------------|--------------------------------------------|------------------------------------------
Identifiers              | Name, email, company, job title            | Legitimate interests / Contract
Professional information | Role, company size, use case               | Legitimate interests
Communication data       | Inquiry content, correspondence            | Legitimate interests / Contract
Usage data               | Pages visited, session data                | Legitimate interests
Security data            | IP addresses, access logs                  | Legitimate interests / Legal obligation
Application data         | CV, employment history, qualifications     | Pre-contractual / Legitimate interests

3.2 Data Processor Categories (Platform Customers)

Customer Data categories are determined by the customer and may include, depending on customer configuration:

  • Security telemetry and event logs
  • Asset and inventory data
  • Vulnerability and risk data
  • Incident and alert data
  • User and account identifiers
  • Network flow and traffic data
  • Endpoint telemetry

4. International Transfer Mechanisms

4.1 EEA to Third Country Transfers

For transfers of Personal Data originating from the European Economic Area to countries not subject to an adequacy decision (including the United States), Athena Agentic relies on:

Standard Contractual Clauses (SCCs):

  • European Commission Decision 2021/914/EU (Implementing Decision of 4 June 2021)
  • Module 2 (Controller to Processor) for transfers of Website/prospect data to processors
  • Module 4 (Processor to Processor) where applicable
  • Transfer Impact Assessments (TIAs) conducted to assess risks in destination countries
  • Supplementary technical measures applied where a TIA identifies elevated risks, including:
      ◦ End-to-end encryption with customer-controlled keys where applicable
      ◦ Pseudonymisation of data where technically feasible
      ◦ Minimisation of data transferred internationally

4.2 UK to Third Country Transfers

For transfers of Personal Data originating from the United Kingdom:

  • UK International Data Transfer Agreement (IDTA) (approved by the UK ICO) where applicable; or
  • UK Addendum to EU SCCs (where parties have incorporated the EU SCCs with UK IDTA addendum)
  • UK Transfer Risk Assessments (TRAs) conducted to assess adequacy of protections

4.3 Canada Transfers

For transfers of Personal Data subject to PIPEDA or provincial laws:

  • Contractual obligations requiring equivalent protection are imposed on recipients
  • Individuals are notified of international transfers in the Privacy Policy
  • Quebec Law 25 privacy impact assessments (PIAs) conducted for high-risk transfers involving Quebec residents

4.4 Australia Transfers

For transfers of Personal Data subject to the Australian Privacy Act:

  • Transfers are made only to recipients that provide an equivalent level of protection
  • Contractual obligations are imposed on offshore recipients requiring compliance with the Australian Privacy Principles
  • APP 8 cross-border disclosure obligations are satisfied

4.5 Adequacy Decisions

Where an adequacy decision exists for the destination country (as recognized by the European Commission, UK ICO, or applicable authority), Athena Agentic may rely on such decision in lieu of SCCs or IDTAs.

5. Sub-Processor Management

5.1 Sub-Processor Obligations

All sub-processors engaged by Athena Agentic to process Personal Data are required to:

(a) execute data processing agreements imposing obligations at least as protective as those imposed on Athena Agentic under applicable law and customer DPAs;

(b) process Personal Data only for the purposes authorized by Athena Agentic and the applicable customer;

(c) implement appropriate technical and organisational security measures;

(d) comply with applicable international transfer requirements;

(e) notify Athena Agentic of any actual or suspected Personal Data breach within applicable timeframes; and

(f) cooperate with audits and inspections.

5.2 Sub-Processor Changes

We will provide notice of any addition or change to sub-processors through the mechanism specified in the applicable DPA, providing customers the opportunity to object where contractually provided.

5.3 Sub-Processor List

A current sub-processor list is available to customers upon request. Contact Privacy@athenaagentic.com.

6. Data Subject Rights Fulfillment

6.1 Responses to Data Subjects

When Athena Agentic receives data subject rights requests directly regarding Customer Data for which a customer is the data controller:

(a) we will promptly notify the relevant customer;

(b) the customer is responsible for fulfilling the data subject's rights;

(c) we will provide reasonable cooperation and technical assistance to the customer in fulfilling data subject requests.

6.2 Response Timelines

Jurisdiction            | Response Timeline
------------------------|--------------------------------------------
GDPR (EEA)              | 30 days (extendable by 2 months)
UK GDPR                 | 1 month (extendable by 2 months)
CCPA / CPRA             | 45 days (extendable by 45 days with notice)
PIPEDA (Canada)         | 30 days
Australia (Privacy Act) | 30 days

7. Data Breach Notification

7.1 Notification to Customers

In the event of a Personal Data breach affecting Customer Data, Athena Agentic will notify affected customers without undue delay and within the timeframe specified in the applicable DPA, which shall not exceed:

  • 72 hours where practicable for GDPR/UK GDPR-covered breaches
  • The timeframe required by applicable law for other breaches

Notifications will include, to the extent known at the time:

(a) a description of the nature of the breach and data categories affected;

(b) the approximate number of data subjects and records affected;

(c) the likely consequences of the breach;

(d) measures taken or proposed to address the breach; and

(e) contact details for the data protection officer or designated point of contact.

7.2 Notification to Regulators

Customers are responsible for notifying relevant supervisory authorities and data subjects of breaches affecting their Customer Data, subject to applicable law. Athena Agentic will provide reasonable cooperation.

8. Data Protection Impact Assessments (DPIAs)

Athena Agentic will conduct Data Protection Impact Assessments for processing activities that are likely to result in high risk to individuals' rights and freedoms, including:

  • Large-scale processing of security telemetry potentially including personal data
  • Processing using new technologies with high inherent risk
  • Systematic monitoring of publicly accessible areas (where applicable)

Customers who require DPIA support for their own compliance obligations may request cooperation from Athena Agentic.

9. Records of Processing Activities

Athena Agentic maintains internal records of processing activities as required by Article 30 GDPR and equivalent provisions, covering:

  • Categories of data subjects and Personal Data processed
  • Purposes of processing
  • Categories of recipients
  • International transfers and applicable transfer mechanisms
  • Retention periods
  • Technical and organisational security measures

10. Contact and Requests

For data processing inquiries, DPA requests, sub-processor lists, or transfer safeguard copies:

Email: Privacy@athenaagentic.com
Subject: Data Processing Inquiry

Source of truth: /docs/legal/DataProcessingAndInternationalTransfers.md