Data Processing Agreement (DPA)
Last updated: 17 December 2025
This Data Processing Agreement (“Agreement”) forms part of the Terms of Service between Thrive (“Processor,” “we,” “us,” or “our”) and the customer entity that accepts this Agreement (“Customer” or “Controller”). It applies where the Processor processes Personal Data on behalf of the Customer in the course of providing Services. By using the Services, the Customer agrees to the terms of this Agreement.
1. Definitions
For the purposes of this Agreement, the following terms have the meanings given below, consistent with definitions used in comparable DPAs:
- “Applicable Data Protection Law” means all laws and regulations governing the processing of Personal Data under this Agreement, including the UK GDPR, EU GDPR, the Data Protection Act 2018 and any applicable amendments or successor legislation.
- “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For this Agreement, the Customer acts as the Controller.
- “Processor” means a natural or legal person which processes Personal Data on behalf of the Controller. For this Agreement, Thrive acts as the Processor.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, such as collection, storage, use, disclosure or deletion.
- “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- “Subprocessor” means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Roles and Scope
The Customer is the Controller and Thrive is the Processor with respect to Personal Data processed under the Terms of Service. This Agreement applies only where Thrive processes Personal Data on behalf of the Customer in the context of providing the Services. It does not apply where Thrive acts as a controller, for example with respect to Personal Data collected via its own website; those activities are covered by our Privacy Policy.
3. Processing Instructions
The Processor shall process Personal Data only:
- On documented instructions from the Customer;
- To provide, maintain and improve the Services;
- To provide technical support;
- To comply with applicable law; and
- As further instructed by configuration or use of the Services.
The Processor shall not use Personal Data contained in Customer‑provided content for service improvement or machine‑learning model training unless expressly authorised by the Customer. If the Processor believes that an instruction violates Applicable Data Protection Law, it will promptly inform the Customer.
4. Confidentiality and Access
The Processor shall ensure that personnel authorised to process Personal Data are subject to confidentiality obligations and receive appropriate training. Access to Personal Data is limited to personnel who need it to fulfil their duties and is controlled through role‑based permissions and least‑privilege principles.
5. Security Measures
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of Personal Data in transit, access controls, authentication mechanisms, monitoring and logging of relevant systems, secure development practices and incident response procedures. These measures take into account the state of the art, the costs of implementation, the nature, scope and context of the processing, and the risks for individuals.
6. Subprocessing
Thrive does not engage subcontractors to process Customer Personal Data except for third‑party infrastructure providers that are necessary to deliver the Services (such as cloud hosting). These providers are bound by contractual obligations equivalent to those in this Agreement. Thrive remains responsible for their actions and will not permit them to process Personal Data for any purpose other than providing the Services. Thrive will inform the Customer of any intended changes to this list of providers and will provide the Customer with the opportunity to object to such changes.
7. International Transfers
Where Personal Data is transferred outside the UK or European Economic Area, Thrive will implement appropriate safeguards such as the UK international data transfer addendum to the Standard Contractual Clauses or other mechanisms recognised under Applicable Data Protection Law. By using the Services, the Customer authorises such transfers. Thrive remains liable for its obligations under this Agreement even when data is transferred internationally.
8. Data Subject Rights
The Processor shall assist the Customer in responding to requests from data subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, objection and portability. If the Processor receives a request directly from a data subject, it will promptly forward it to the Customer unless legally required to respond directly.
9. Personal Data Breaches
In the event of a Personal Data Breach, the Processor shall notify the Customer without undue delay after becoming aware of the breach and will provide information to enable the Customer to comply with its legal obligations. The parties will cooperate in the investigation, mitigation and remediation of the breach. Each party is responsible for damages or regulatory penalties arising from a breach to the extent it was caused by that party’s failure to comply with this Agreement or applicable law.
10. Impact Assessments and Consultation
Taking into account the nature of processing and the information available, the Processor shall assist the Customer in conducting data protection impact assessments and, where necessary, consultations with supervisory authorities.
11. Audit and Compliance
Upon written request, the Processor shall provide documentation necessary to demonstrate compliance with this Agreement. If such documentation is insufficient, the Customer may conduct an audit (or appoint a mutually agreed independent auditor) once per year, upon at least sixty (60) days’ notice, during normal business hours and subject to reasonable confidentiality and security measures. The Processor may propose alternative means to satisfy audit obligations, such as third‑party certifications or audit reports.
12. Data Return or Deletion
Upon termination of the Services, the Customer may request that the Processor return or delete Personal Data. The Processor will delete Customer Personal Data within three months of account closure, unless retention is required by law or agreed otherwise. If the Customer requests an earlier deletion, the Processor will comply unless retention is legally required. Aggregate or anonymised data may be retained for analytics or security purposes.
13. Liability and Indemnity
Each party’s liability under this Agreement is subject to the limitations and exclusions set out in the Terms of Service. The Customer shall indemnify the Processor against claims and expenses arising from the Customer’s failure to comply with Applicable Data Protection Law or provide lawful instructions. The Processor shall indemnify the Customer against third‑party claims resulting from the Processor’s breach of this Agreement.
14. Governing Law and Jurisdiction
This Agreement is governed by the laws of England and Wales. Any disputes arising under or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales, unless otherwise required by Applicable Data Protection Law.
15. General Provisions
This Agreement will remain in effect for the duration of the Service Agreement. If any part of this Agreement is held invalid or unenforceable, the remaining provisions will remain in full force. This Agreement may be updated from time to time to reflect changes in data‑protection laws or practices; such updates will be effective when published on our website or otherwise communicated to the Customer.