Harmonia
Get started

Data Processing Addendum

The terms under which Atlas Minds processes personal data on your behalf.

Last updated: June 27, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Atlas Minds Co. ("Atlas Minds", "we", "us", the "Processor") and the customer ("you", the "Controller") that uses the Harmonia CRM platform (the "Service"). It governs how we process personal data on your behalf and reflects the requirements of applicable data protection laws, including the GDPR and UK GDPR.

If a conflict exists between this DPA and the Terms of Service on the subject of data protection, this DPA controls.

1. Roles of the parties

For personal data contained in Customer Data, you are the controller (or a processor acting on behalf of your own customers) and Atlas Minds is the processor. We process that personal data only on your documented instructions, which include your configuration and use of the Service, unless required to act otherwise by law (in which case we will inform you, where legally permitted).

For personal data we collect as a controller in our own right (for example, account administrator contact details), our Privacy Policy applies.

2. Subject matter and details of processing

  • Subject matter: provision of the Harmonia CRM Service.
  • Duration: for the term of your subscription, plus the limited post-termination period described in Section 9.
  • Nature and purpose: hosting, storing, organizing, transmitting, and otherwise processing Customer Data to operate, secure, maintain, and support the Service and its features (CRM records, communications, scheduling, workflows, reporting, and AI-assisted features) as directed by you.
  • Types of personal data: contact details, communications content and metadata, business and pipeline data, and any other personal data you choose to submit to the Service.
  • Categories of data subjects: your contacts, leads, customers, end users, employees, and other individuals whose data you load into the Service.

3. Our obligations

We will:

  • process personal data only on your documented instructions;
  • ensure that personnel authorized to process personal data are bound by confidentiality;
  • implement appropriate technical and organizational measures to protect personal data, as described in Section 4 and our Security overview;
  • assist you, taking into account the nature of the processing, in responding to data subject requests and in meeting your obligations around security, breach notification, and data protection impact assessments; and
  • make available information reasonably necessary to demonstrate compliance with this DPA.

4. Security measures

We maintain technical and organizational measures appropriate to the risk, including database-enforced tenant isolation (row-level security), encryption in transit and at rest, encryption of sensitive integration credentials, role-based access control under least privilege, input validation, signed webhooks, rate limiting, and audit logging. Details are described in our Security overview. We may update these measures provided they do not materially reduce the overall level of protection.

5. Sub-processors

You authorize us to engage sub-processors to provide the Service. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. The current list of sub-processors, with the purpose and data each one processes, is maintained in our Privacy Policy. We will provide a mechanism to learn of changes to sub-processors and a reasonable opportunity to object to a new sub-processor on legitimate data protection grounds.

6. Data subject requests

Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). The Service also provides self-service tools that let you access, correct, export, and delete Customer Data directly. If we receive a request directly from one of your data subjects, we will refer them to you.

7. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably available to us to help you meet your own notification obligations.

8. International transfers

Where we transfer personal data from the EEA, the UK, or another region with transfer restrictions to a country without an adequacy decision, we rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated into this DPA by reference where required.

9. Return and deletion

On termination or expiry of your subscription, we will, at your choice, make Customer Data available for export for a limited period (typically 30 days) and then delete it in the ordinary course, subject to legal retention requirements and routine, time-limited backups that are overwritten on their normal cycle.

10. Audits

We will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint, subject to reasonable notice, confidentiality, and frequency limits, and in a manner that does not compromise the security or data of other customers. Where available, we may satisfy audit requests by providing third-party reports or certifications.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

12. Contact

Data protection questions: support@atlasmindsco.com.

Atlas Minds Co., builder of Harmonia CRM.