Definitions
"Controller", "Data Subject", "Personal Data", "Personal Data Breach" and "Processing" shall have the same meaning as in the Data Protection Law, and their cognate terms shall be construed accordingly.
Data Protection Law means the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as applicable) and any other relevant local laws relating to the protection of Personal Data, the privacy of individuals and the privacy of electronic communications.
EU Standard Contractual Clauses means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
UK International Data Transfer Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.
1.1 If ThoughtRiver processes any Personal Data on the Customer's behalf when performing its obligations under the Terms, the parties record their intention that the Customer shall be the Data Controller and ThoughtRiver shall be a Data Processor and in any such case:
1.1.1 the Customer agrees that the Personal Data may be transferred or stored outside the European Economic Area (EEA) or the country or countries where the Customer and the Authorised Users are located so long as there is an adequate safeguard in accordance with the Data Protection Law;
1.1.2 the Customer shall ensure that the Customer is entitled to transfer the relevant Personal Data to ThoughtRiver so that ThoughtRiver may lawfully use, Process and transfer the Personal Data in accordance with the Terms (including the specification at the Annex);
1.1.3 ThoughtRiver shall ensure any persons authorised by ThoughtRiver to Process the Personal Data have committed themselves to confidentiality;
1.1.4 ThoughtRiver shall Process the Personal Data only in accordance with the Terms, the Data Protection Law and any lawful instructions reasonably given by the Customer from time to time (including as set out in the Annex). In the event that ThoughtRiver believes such instructions to be contrary to Data Protection Law then it will immediately notify the Customer;
1.1.5 in the event Union or Member State law requires ThoughtRiver to Process Personal Data otherwise in accordance with the Customer’s instructions, ThoughtRiver shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest; and
1.1.6 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each party shall take appropriate technical and organisational measures against unauthorised or unlawful Processing of the Personal Data or its accidental loss, destruction or damage (including, as appropriate, the measures referred to in Article 32(1) of the GDPR).
1.2 ThoughtRiver may use sub-processors in connection with the Processing anticipated in the Terms, provided that any sub-processor shall be required to adhere to equivalent obligations as set out in this addendum; in particular, the sub-processor shall be required to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this addendum. ThoughtRiver shall be liable in accordance with the Terms for the acts and omissions of any such sub-processors.
1.4 Where ThoughtRiver uses sub-processors based outside of the UK or EU, the transfer of Personal Data to such sub-processors will at all times be governed by an appropriate safeguard.
1.5 EU Standard Contractual Clauses. The EU Standard Contractual Clauses will apply to Personal Data that is transferred from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is not recognized as providing an adequate level of protection for Personal Data.
1.6 UK Data Transfer Addendum. The UK International Data Transfer Addendum will apply to Personal Data that is transferred from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized as providing an adequate level of protection for Personal Data.
DETAILS OF PROCESSING OF PERSONAL DATA
Summary of sub-processors who may process Personal Data for the purposes of the Agreement.
Terms used in this list shall have the same meaning as those given in the Terms and/or Data Processing Addendum as defined otherwise.
Name | Location | Data Subjects | Framework | Categories of Personal Data | Processing Operations |
Microsoft Azure | UK | Authorised Users | GDPR | Name, IP address, email address and any other personal data included in a contract uploaded to the Platform | The provision of data centre infrastructure (incl. buildings, physical security, HVAC, servers, storage, networks) and associated maintenance. |
Twilio Inc. (“SendGrid”) | US | Authorised Users | GDPR, EU SCCs and UK Addendum | Name, Email address | Occasionally transferring personal data in the provision of the SendGrid product (limited to the activation of the Customer’s account and password reset services for the Platform). |
Okta, Inc | EU | Authorised Users | UK GDPR, UK adequacy decision | Email address, IP address | Authentication gateway. This service validates the user is permitted to access the system using username (email) and password with optional MFA. |
Abbyy Vantage (new as of 15 December 2023) | EU | Authorised Users, Featured Individuals | UK GDPR, UK adequacy decision | Name, IP address, email address and any other Personal Data included in a Contract uploaded to the Platform | Conversion of PDF/scans to DOCX format |
Personal Data Transfers
ThoughtRiver may transfer personal data outside of the EU and UK where this is necessary in order to provide the services to you (details of which can be found in our DPA).
ThoughtRiver currently instructs only one sub-processor outside of the UK and EU: Twilio Inc.
Twilio provide the SendGrid service which acts as the password reset function for users on the ThoughtRiver platform. When a user requests a password reset, the user’s name and email address will be sent to Twilio for the purposes of resetting the user’s password.
Adequate Safeguards
While transfers from customers to ThoughtRiver are covered by the adequacy rules (and are therefore not restricted transfers), we recognise that onward transfers of personal data from ThoughtRiver to Twilio are restricted transfers.
In order to provide an adequate safeguard for such onward transfers, we have entered into a data protection addendum with Twilio which incorporates both the EU SCCs (for EU data) and the UK Addendum (for UK data). You can view these here.
We are therefore confident that the personal data of your users will be protected under our DPA with Twilio; however, please do not hesitate to contact us with any questions you may have.