
Thauth Data Processing Agreement (DPA)

Processing, subprocessors, and customer-controller obligations for regulated data handling.

Last updated April 22, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between you (“Customer”, “Controller”) and Thauth (“Processor”, “we”, “us”).

This DPA applies where Thauth processes Personal Data on behalf of Customer.


1. Definitions

“Applicable Data Protection Law” means all laws applicable to the processing of Personal Data, including the GDPR where applicable.

“Controller” means the entity determining the purposes and means of processing Personal Data.

“Processor” means the entity processing Personal Data on behalf of the Controller.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” means any operation performed on Personal Data.

“Subprocessor” means any third party engaged by Processor to process Personal Data.

“Data Subject” means the individual to whom Personal Data relates.


2. Scope and Roles

2.1 The parties acknowledge that:

  • Customer acts as Controller
  • Thauth acts as Processor

2.2 This DPA applies to all processing of Personal Data carried out by Thauth on behalf of Customer in connection with the Service.


3. Nature and Purpose of Processing

3.1 Thauth processes Personal Data to provide an authorization service, including:

  • Evaluating authorization rules
  • Returning allow/deny decisions
  • Storing authorization models and related metadata

3.2 Categories of Personal Data may include:

  • User identifiers (e.g., IDs, emails)
  • Authorization-related attributes
  • Request metadata

3.3 Categories of Data Subjects include:

  • Customer’s end users
  • Customer employees or contractors

4. Processing Instructions

4.1 Thauth shall process Personal Data only:

  • On documented instructions from Customer
  • As necessary to provide the Service
  • As required by applicable law

4.2 If Thauth is required by law to process Personal Data outside Customer instructions, it shall inform Customer unless legally prohibited.


5. Confidentiality

5.1 Thauth shall ensure that:

  • Personnel authorized to process Personal Data are bound by confidentiality obligations
  • Access is limited to those who require it

6. Security Measures

6.1 Thauth shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Access control mechanisms
  • Authentication systems
  • Logging and monitoring
  • Infrastructure isolation
  • Encryption in transit where applicable

6.2 Security measures are designed to protect against:

  • Unauthorized access
  • Accidental or unlawful destruction
  • Loss, alteration, or disclosure

7. Subprocessing

7.1 Customer authorizes Thauth to engage Subprocessors.

7.2 Current Subprocessors include:

  • Contabo (infrastructure hosting)
  • Polar (payment processing)
  • Resend (email delivery)

7.3 Thauth shall:

  • Enter into agreements with Subprocessors imposing data protection obligations equivalent to this DPA
  • Remain responsible for Subprocessor performance

7.4 Thauth may update Subprocessors and will provide notice where required.


8. Data Subject Rights

8.1 Thauth shall, taking into account the nature of processing:

  • Assist Customer in responding to Data Subject requests

8.2 Thauth shall:

  • Not respond directly to Data Subjects unless instructed by Customer or required by law

9. Data Breach Notification

9.1 Thauth shall notify Customer without undue delay after becoming aware of a Personal Data Breach.

9.2 Notification shall include, where available:

  • Nature of the breach
  • Categories of affected data
  • Likely consequences
  • Measures taken or proposed

10. Data Protection Impact Assessments (DPIA)

Thauth shall provide reasonable assistance to Customer in fulfilling obligations related to:

  • Data Protection Impact Assessments
  • Prior consultations with supervisory authorities

11. Audits and Compliance

11.1 Thauth shall make available information necessary to demonstrate compliance.

11.2 Customer may conduct audits:

  • With reasonable notice
  • During normal business hours
  • Not more than once per year (unless required by law)

11.3 Audits must not:

  • Disrupt operations
  • Compromise security of other customers

12. International Transfers

12.1 Personal Data may be processed outside the EEA.

12.2 Where required, Thauth shall implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs)

13. Data Retention and Deletion

13.1 Upon termination of the Agreement:

  • Thauth shall delete or return Personal Data at Customer’s choice

13.2 Thauth may retain data where required by law or for legitimate security purposes.


14. Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Service.


15. Conflict

In the event of conflict between this DPA and the Terms, this DPA shall prevail with respect to data protection matters.


16. Governing Law

This DPA shall be governed by applicable data protection laws.


Annex 1 – Processing Details

Subject Matter

Provision of authorization infrastructure services.

Duration

For the duration of the Agreement.

Nature of Processing

Evaluation, storage, and retrieval of authorization-related data.

Categories of Data Subjects

  • Customer end users
  • Customer personnel

Categories of Personal Data

  • Identifiers (user IDs, emails)
  • Authorization attributes
  • Request metadata

Annex 2 – Subprocessors

  • Contabo — Hosting infrastructure
  • Polar — Payment processing
  • Resend — Email delivery
