Skip to content
Get started

Data Processing Agreement (DPA)

1. Purpose

Defines how Thesmia.ai (Processor) processes personal data on behalf of the Client (Controller).

2. Obligations

  • Processor acts only on documented instructions.

  • Confidentiality obligations for our team.

  • Technical and organisational measures in Annex A.

  • Incident notification obligations.

3. Sub‑processors

We may appoint sub‑processors (AWS, analytics). Contrary sub-processor additions will require written notice and objection right.

4. Data transfers

Any non‑EEA/UK transfers via standard contractual clauses or adequacy decisions.

5. Rights of data subjects

We’ll assist the Controller to fulfil data subject rights under UK GDPR.

6. Audit

Controller may audit compliance; Processor will support with adequate notice and at reasonable times.

7. Termination & deletion

Upon contract end, we will delete or return personal data per Controller instructions, unless legally required to retain it.

Updated: 4th July 2025