Data Processing Agreement
Last updated: March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between [COMPANY LEGAL NAME] ("Processor", "we", "ThinQr") and the customer ("Controller", "you") and governs the processing of personal data by ThinQr on behalf of the Controller.
1. Scope & Purpose
This DPA applies to all personal data processed by ThinQr in connection with the Service, where ThinQr acts as a data processor on behalf of the Controller. The processing is carried out for the purpose of providing the ThinQr Business Operating System as described in our Terms of Service.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1).
- "Processing" means any operation performed on personal data, as defined in GDPR Art. 4(2).
- "Data Subject" means the identified or identifiable person to whom personal data relates.
- "Subprocessor" means a third party engaged by ThinQr to process personal data on behalf of the Controller.
3. Processing Details
Categories of Data Subjects
- Controller's employees and team members
- Controller's administrators and managers
- Individuals whose data is included in documents uploaded by the Controller
Types of Personal Data Processed
- Identity data: Names, email addresses, job titles, profile photos
- Employment data: Department, contract type, hire date, role, compensation details (if entered by Controller)
- Business data: Company name, industry, business processes, training content
- Document data: Content of uploaded documents (contracts, policies, handbooks)
- Usage data: Feature interactions, timestamps, IP addresses
- Communication data: Support ticket content, conversation threads
Nature and Purpose of Processing
Personal data is processed to provide the following services: authentication, business process mapping and analysis, AI-powered training generation, team management, document storage and processing, support ticket handling, and operational briefings.
Duration of Processing
Processing continues for the duration of the service agreement. Upon termination, data is retained for a 30-day grace period and then permanently deleted within 90 days, except where retention is required by law (see Section 10).
4. Obligations of the Processor
ThinQr shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country (GDPR Art. 28(3)(a)).
- Ensure that persons authorized to process personal data have committed themselves to confidentiality (GDPR Art. 28(3)(b)).
- Implement appropriate technical and organizational security measures (GDPR Art. 28(3)(c), Art. 32). See Section 5.
- Assist the Controller in responding to data subject requests (GDPR Art. 28(3)(e)). See Section 7.
- Assist the Controller in ensuring compliance with data protection impact assessments and prior consultation obligations (GDPR Art. 28(3)(f)).
- At the Controller's choice, delete or return all personal data after the end of the service (GDPR Art. 28(3)(g)). See Section 10.
- Make available all information necessary to demonstrate compliance and allow for audits (GDPR Art. 28(3)(h)). See Section 8.
5. Security Measures
ThinQr implements the following technical and organizational measures to protect personal data:
- Encryption: TLS 1.2+ for data in transit. AES-256 encryption at rest for database storage (via Supabase/AWS).
- Access control: Row-Level Security (RLS) policies on all database tables, ensuring tenant isolation at the database level. Role-based access control for API endpoints.
- Authentication: Secure authentication via Supabase Auth with password hashing (bcrypt), magic link support, and session management.
- Rate limiting: API rate limiting via Upstash Redis to prevent abuse (auth: 5/min per IP, AI: 20/min per company, general: 100/min per user).
- Input validation: Zod schema validation on all API inputs. Content-Length enforcement on large payloads.
- Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
- Monitoring: Server-side logging (without PII), error tracking, uptime monitoring.
- Development practices: Regular security audits, dependency vulnerability scanning (`npm audit`), automated testing (unit + E2E).
6. Subprocessors
The Controller authorizes ThinQr to engage the following subprocessors. ThinQr will notify the Controller of any intended changes to this list, giving the Controller the opportunity to object.
| Subprocessor | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase | Database, Auth, Storage | EU (aws-eu-central-1) | All user data |
| Vercel | Hosting, CDN | US/EU (fra1) | Request data, cookies |
| Anthropic (Claude) | AI training generation, business mapping | US | Business data (not stored for training) |
| OpenAI | Contract OCR, embeddings | US | Document text (not stored for training) |
| Stripe | Payment processing | US/EU | Payment data |
| Resend | Transactional email | US | Email addresses, names |
| Upstash | Rate limiting | EU (fra1) | IP addresses (hashed) |
For subprocessors located in the United States, ThinQr has entered into Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure adequate data protection.
7. Data Subject Requests
ThinQr shall promptly notify the Controller if it receives a request from a data subject to exercise their rights under GDPR (access, rectification, erasure, portability, objection, restriction).
ThinQr shall assist the Controller in fulfilling such requests by providing necessary information and technical support, taking into account the nature of the processing.
ThinQr shall not respond directly to a data subject request unless instructed to do so by the Controller or required by law.
8. Audit Rights
ThinQr shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Art. 28, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and shall not unreasonably disrupt ThinQr's operations. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by ThinQr.
9. Data Breach Notification
In the event of a personal data breach, ThinQr shall notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33.
The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- The name and contact details of ThinQr's DPO.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate its effects.
ThinQr shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
10. Data Deletion on Termination
Upon termination of the service agreement, ThinQr shall, at the Controller's choice:
- Return all personal data to the Controller in a structured, commonly used, machine-readable format (JSON/CSV); or
- Delete all personal data and certify in writing that deletion has been completed.
Data deletion follows this timeline: 30-day grace period (read-only access), then permanent deletion from production systems within 60 days and from backups within 90 days. Financial records required by Dutch tax law (AWR) are retained for 7 years.
11. Governing Law
This DPA is governed by the laws of the Netherlands and is subject to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands.
In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
12. Contact
For questions about this DPA or to exercise rights under it:
[COMPANY LEGAL NAME]
[REGISTERED ADDRESS]
Data Protection Officer: [DPO EMAIL]
KvK: [KVK NUMBER]