Last updated: June 26, 2025
Between:
athena studio SARL, 32 Rue Philippe II, L-2340 Luxembourg (the “Processor”)
and
The Customer identified in the applicable service contract (the “Controller”)
This DPA governs athena studio’s processing of personal data on behalf of the Customer, in connection with its provision of B2B AI-powered services (the “Services”). It supplements and forms an integral part of the main Services Agreement.
• The Customer acts as the Data Controller.
• athena studio acts as the Data Processor, processing personal data solely based on the Customer’s instructions and in accordance with applicable data protection legislation, including the GDPR (EU Regulation 2016/679).
Definitions such as “Personal Data”, “Processing”, “Data Subject”, and “Sub-Processor” have the meanings set out in the GDPR.
athena studio processes Customer Personal Data exclusively to deliver the contracted Services. This includes:
athena studio does not use Customer Personal Data to train, improve, or retrain any AI models. Further details are outlined in athena studio’s Records of Processing Activities (ROPA) Policy, available upon request.
• Personal Data processed: Work email, name, role, AI prompt content, and usage metadata.
• Data Subjects: Employees or representatives of the Customer using the Services.
athena studio does not process sensitive or special category data under Article 9 GDPR.
The Customer authorizes athena studio to engage Sub-Processors for the provision of the Services, subject to the conditions set out in this Agreement.
All Sub-Processors are bound by written agreements that include obligations equivalent to those set forth in this DPA, including compliance with applicable data protection laws and Standard Contractual Clauses (SCCs) where relevant.
A current list of authorized Sub-Processors is maintained and made available upon request or as referenced in our Data Protection and Encryption Policy.
athena studio implements appropriate technical and organizational measures to ensure the security of personal data, including:
• TLS 1.2+ encryption in transit and AES-256 at rest
• Role-based access control
• Secure EU-based hosting
• Vendor access reviews and regular audits
Details are described in the Data Protection and Encryption Policy and Privacy by Design Policy, available upon request.
athena studio shall support the Customer in responding to Data Subject access, rectification, erasure, objection, and portability requests, in line with the Data Subject Rights and Request Policy.
Upon contract termination:
• Customer may request deletion or return of its data within 60 days
• Data will otherwise be deleted automatically after 60 days
• Backups are securely deleted within 90 days
When Customer Personal Data is transferred outside the EEA (e.g., to the USA), such transfers are governed by Standard Contractual Clauses (SCCs) as described in our International Data Transfer Policy.
In the event of a data breach affecting Customer Personal Data, athena studio will notify the Customer without undue delay (within 48 hours of confirmation), and assist in assessing impact and compliance obligations.
Refer to our Incident Response Policy for more information.
Upon written request, athena studio will provide evidence of compliance with this DPA. Audits may be conducted no more than once every 24 months, subject to reasonable notice and confidentiality protections.
This DPA remains in force for the duration of the Services contract and survives until all Customer Personal Data has been securely deleted or returned.
For questions or requests related to this DPA, contact:
📧 security@athenastudio.io