Data Processing Agreement (DPA)

Last Updated: 2025-12-05

This Data Processing Agreement ("Agreement" or "DPA") forms part of the Terms of Service and governs the processing of personal data by Thrin Check Limited ("Processor", "we", "our") on behalf of the customer ("Controller", "you", "your") when using the Thrin Docs document management system (the "Service"). This DPA ensures compliance with applicable data protection laws, including GDPR, UK GDPR, CCPA, and other international privacy standards.

1. Definitions

  • Controller: The entity that determines the purposes and means of processing personal data.
  • Processor: Thrin Check Limited, which processes data on behalf of the Controller.
  • Personal Data: Any information relating to an identifiable individual.
  • Processing: Any operation performed on personal data, including storage, access, modification, transmission, or deletion.
  • Sub-processor: Third-party providers engaged by the Processor to assist in delivering the Service.

2. Subject Matter and Duration

This DPA governs the Processor’s handling of Personal Data uploaded, stored, or processed within Thrin Docs. Processing continues for as long as the Controller uses the Service or until termination and data deletion.

3. Nature and Purpose of Processing

The Processor processes Personal Data solely to:

  • Provide secure document storage and retrieval
  • Manage user accounts and authentication
  • Enforce access control and permissions
  • Maintain security, audit logging, and monitoring
  • Provide customer support and resolve technical issues
  • Comply with legal and regulatory obligations

The Processor will never:

  • Sell Personal Data
  • Use Personal Data for advertising or marketing
  • Process Personal Data without documented instructions from the Controller

4. Categories of Data Subjects

  • Users of the Service
  • Employees or members of the Controller’s organization
  • Clients or third parties whose data appears in uploaded documents

5. Types of Personal Data

  • Names, email addresses, phone numbers
  • Login and authentication details
  • Document metadata
  • Uploaded files containing personal or sensitive data
  • Audit logs, IP addresses, and device information

The Processor does not control the categories of data uploaded by the Controller.

6. Controller Responsibilities

  • Inform data subjects about data processing
  • Ensure Personal Data is collected lawfully
  • Avoid uploading illegal or unauthorized content
  • Maintain adequate security measures internally

The Controller is responsible for the accuracy and legality of Personal Data provided.

7. Processor Responsibilities

7.1 Processing on Instructions

We process Personal Data only according to documented instructions from the Controller.

7.2 Confidentiality

All personnel with access to Personal Data are bound by confidentiality obligations.

7.3 Security Measures

  • End-to-end encryption
  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Role-based access controls
  • Audit logging and monitoring
  • Firewalls, vulnerability scans, and penetration testing

7.4 Assistance and Cooperation

  • Responding to data subject requests
  • Supervisory authority notifications
  • Data protection impact assessments (DPIAs)

7.5 Data Breach Notification

We will notify the Controller without undue delay and within legally required timeframes if a personal data breach occurs.

8. Sub-Processors

We may engage sub-processors for:

  • Cloud hosting and storage
  • Email delivery
  • Monitoring and analytics
  • Security and encryption services

We maintain a list of sub-processors, notify you of changes, and ensure contractual compliance with this DPA.

9. International Data Transfers

For transfers outside your region, we ensure Standard Contractual Clauses (SCCs), appropriate safeguards, and compliance with applicable laws.

10. Data Retention and Deletion

  • You may request data export upon termination
  • Personal Data will be deleted unless legally required
  • Backups are deleted according to normal backup cycles

Deletion requests may be made at any time.

11. Audits and Compliance

The Controller may request compliance documentation or conduct audits, subject to reasonable notice and confidentiality obligations. We maintain GDPR-required processing records.

12. Liability

Liability under this DPA follows the limitations defined in the Terms of Service. Neither party is liable for indirect damages.

13. Termination of DPA

This DPA terminates automatically upon termination of the Terms of Service or deletion of all Personal Data upon instruction.

14. Contact

Thrin Check Limited
Email: support@thrindocs.com
Address: Lagos, Nigeria

Ready to transform your document management?

Join thousands of teams who trust ThrinDocs to manage their documents. Start your free 14-day trial today, no credit card required.

✓ No credit card required ✓ 14-day free trial ✓ Cancel anytime