Data Processing Agreement

Last updated: February 2026

1. Scope and Parties

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between the entity identified as the Customer in the applicable order form or subscription (“Controller” or “Customer”) and Thoriad (“Processor” or “we”).

This DPA applies to the extent that Thoriad processes Personal Data on behalf of the Customer in the course of providing the Thoriad governed AI notebook platform (the “Service”). It supplements and is incorporated into the Agreement. In the event of conflict between this DPA and the Agreement, this DPA prevails with respect to data processing matters.

2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Thoriad on behalf of the Customer through the Service.
  • “Processing” means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
  • “Data Subject” means the natural person to whom the Personal Data relates.
  • “Sub-processor” means a third party engaged by Thoriad to process Personal Data on behalf of the Customer.
  • “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA), and any successor legislation.

3. Roles and Responsibilities

3.1 Customer as Controller

The Customer determines the purposes and means of processing Personal Data. The Customer is responsible for ensuring that its use of the Service complies with Applicable Data Protection Law, including obtaining any required consents and providing any required notices to Data Subjects.

3.2 Thoriad as Processor

Thoriad processes Personal Data solely on behalf of and in accordance with the Customer’s documented instructions. We will not process Personal Data for any other purpose unless required by law, in which case we will inform the Customer in advance (unless prohibited by law).

4. Categories of Data Processed

In the course of providing the Service, Thoriad may process the following categories of Personal Data:

  • Identity data: names, email addresses, usernames, and organisational roles of individuals using the Service
  • Authentication data: SSO tokens, session identifiers, and identity provider attributes
  • Notebook content: code, markdown, execution outputs, and file attachments created by users, to the extent they contain or reference Personal Data
  • Usage metadata: IP addresses, browser fingerprints, access timestamps, and feature usage patterns
  • Audit log data: event records including user identifiers, actions performed, timestamps, and hash-chain integrity values

Data Subjects include the Customer’s employees, contractors, and any individuals whose Personal Data is included in notebook content processed through the Service.

5. Security Measures

Thoriad implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

5.1 Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Encryption keys are managed by Cloudflare’s infrastructure.

5.2 Access Control

The Service enforces role-based access control with five roles and 23 granular permissions. Organisation administrators configure access policies. Access by Thoriad personnel to customer data is restricted to authorised operations staff, logged, and subject to multi-factor authentication.

5.3 Data Loss Prevention

Three-tier DLP scanning operates at all data boundaries: Tier 1 (regex pattern matching), Tier 2 (semantic AI analysis), and Tier 3 (third-party integration, available on Enterprise plans). DLP scanning detects and blocks transmission of sensitive data including PII, financial data, API keys, and proprietary information.

5.4 Audit Logging

All data processing activities are recorded in SHA-256 hash-chained, tamper-evident audit logs across 32 event types. Logs are available to Customer administrators and can be exported to SIEM systems via webhooks in CEF, LEEF, or CloudEvents format.

5.5 Sandbox Isolation

Code execution occurs in air-gapped Linux containers with no default network egress. Each execution session runs in an isolated environment that is destroyed after use.

6. Sub-processors

6.1 Authorised Sub-processors

The Customer authorises Thoriad to engage the following sub-processors:

Sub-processor       Purpose                                              Location
Cloudflare, Inc.    Infrastructure (compute, storage, networking)        Global (300+ PoPs)
Anthropic PBC       AI model inference (via Cloudflare AI Gateway)       United States
Stripe, Inc.        Payment processing                                   United States

6.2 Notification of Changes

We will notify the Customer at least 30 days before engaging a new sub-processor. The Customer may object to the engagement by providing written notice within that period. If Thoriad cannot reasonably accommodate the objection, the Customer may terminate the affected portion of the Service.

6.3 Sub-processor Obligations

Thoriad ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA. Thoriad remains liable for the acts and omissions of its sub-processors.

7. Data Subject Rights

Thoriad will assist the Customer in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Law, including requests for access, rectification, erasure, portability, restriction, and objection. Where a Data Subject contacts Thoriad directly, we will redirect the request to the Customer without undue delay.

The Service provides administrative tools that enable Customer administrators to access, export, correct, and delete user data directly.

8. Data Breach Notification

Thoriad will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification will include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
  • The name and contact details of our data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects

Thoriad will cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each breach.

9. International Data Transfers

To the extent that the processing of Personal Data involves a transfer from the EEA, UK, or Switzerland to a jurisdiction that has not received an adequacy decision, the parties agree to rely on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs): The EU Commission’s Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated into this DPA by reference. For UK transfers, the International Data Transfer Addendum applies.
  • Supplementary Measures: Thoriad implements supplementary measures including encryption in transit and at rest, access controls, and DLP scanning to ensure an essentially equivalent level of protection.
  • Region Hints: Enterprise customers may configure region hints to prefer specific Cloudflare data centre locations for data storage and processing.

10. Data Retention and Deletion

Upon termination of the Agreement, Thoriad will delete all Personal Data processed on behalf of the Customer within 90 days, except where retention is required by Applicable Data Protection Law or for the establishment, exercise, or defence of legal claims. The Customer may request an export of their data within 30 days of termination.

During the term of the Agreement, data retention periods are governed by the Customer’s plan:

  • Starter: 30-day audit log retention
  • Team: 1-year audit log retention
  • Enterprise: Unlimited audit log retention with configurable archival policies

11. Audits and Compliance

Thoriad will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law. Upon reasonable written request and subject to appropriate confidentiality obligations, the Customer (or a qualified third-party auditor appointed by the Customer) may conduct an audit of Thoriad’s data processing activities, no more than once per year, with at least 30 days’ advance notice.

Thoriad may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2 Type II), or summaries of security assessments, to the extent these adequately address the Customer’s concerns.

12. Data Protection Impact Assessments

Thoriad will provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law and to the extent the assessment relates to the processing performed by Thoriad.

13. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions set forth in the Agreement. Nothing in this DPA limits either party’s liability with respect to any rights that Data Subjects may have under Applicable Data Protection Law.

14. Term and Termination

This DPA takes effect on the date the Customer first accesses the Service and remains in effect for the duration of the Agreement. Obligations relating to the processing and deletion of Personal Data survive termination of this DPA until all Personal Data has been deleted or returned.

15. Governing Law

This DPA is governed by the same law that governs the Agreement. For matters relating to GDPR compliance, the laws of the EU Member State in which the Customer is established shall apply. For matters relating to UK GDPR compliance, the laws of England and Wales shall apply.

16. Contact

For questions about this DPA or to exercise rights under it, contact us at:

Thoriad — Data Protection
Email: dpa@thoriad.com