Data Processing Agreement
Last Updated: January 2026
This Data Processing Agreement (“DPA”) supplements the Terms of Service for customers who require GDPR compliance.
1. Definitions
| Term | Definition |
|---|---|
| Controller | The entity determining purposes and means of processing |
| Processor | The entity processing data on behalf of the Controller |
| Data Subject | The individual whose personal data is processed |
| Personal Data | Any information relating to an identified or identifiable person |
| Processing | Any operation performed on Personal Data |
| Sub-processor | Third party engaged by Processor to process data |
2. Scope and Roles
2.1 Relationship
- You (Customer) are the Controller of Personal Data
- ThinkHive is the Processor acting on your instructions
2.2 Data Processed
This DPA applies to Personal Data in:
- Agent traces submitted to ThinkHive
- User account information
- Any PII contained in your AI agent interactions
3. Processing Instructions
3.1 Purpose
ThinkHive processes Personal Data only to:
- Provide the Services described in the Terms
- Fulfill your documented instructions
- Comply with applicable law
3.2 Documented Instructions
Your instructions are documented in:
- The Terms of Service
- Your account settings
- Written requests to our support team
3.3 Instruction Conflicts
If we believe an instruction violates GDPR, we will inform you promptly.
4. Data Security
4.1 Security Measures
ThinkHive implements appropriate technical and organizational measures:
Technical Measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication
- Network security and monitoring
- Regular security testing
Organizational Measures:
- Staff training on data protection
- Confidentiality agreements
- Access limited to authorized personnel
- Incident response procedures
4.2 Security Certifications
ThinkHive maintains:
- SOC 2 Type II certification
- Annual penetration testing
- Continuous vulnerability scanning
5. Sub-processors
5.1 Authorized Sub-processors
You authorize ThinkHive to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure hosting | USA |
| Neon | Database services | USA |
| Auth0 | Authentication | USA |
| Stripe | Payment processing | USA |
| OpenAI | AI analysis | USA |
| Anthropic | AI analysis | USA |
5.2 Sub-processor Changes
We will notify you of new sub-processors 30 days before engagement. You may object by contacting us within that period.
5.3 Sub-processor Agreements
We ensure all sub-processors are bound by data protection obligations no less protective than this DPA.
6. Data Subject Rights
6.1 Assistance
ThinkHive will assist you in responding to Data Subject requests for:
- Access to their data
- Rectification of inaccurate data
- Erasure of data
- Restriction of processing
- Data portability
- Objection to processing
6.2 Response Timeline
We will respond to your assistance requests within 10 business days.
7. Data Breach Notification
7.1 Notification
In case of a Personal Data breach, ThinkHive will:
- Notify you without undue delay (within 72 hours)
- Provide details of the breach
- Describe likely consequences
- Outline remedial measures taken
7.2 Cooperation
We will cooperate with your breach notification obligations to supervisory authorities and Data Subjects.
8. Data Transfers
8.1 Transfer Mechanisms
For transfers outside the EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional safeguards as required
8.2 SCCs
The EU Standard Contractual Clauses are incorporated by reference:
- Module Two (Controller to Processor)
- Annex I, II, III as specified in this DPA
9. Audits
9.1 Audit Rights
You may audit our compliance with this DPA:
- Upon reasonable notice (30 days)
- During business hours
- No more than once per year (unless a breach occurs)
- At your expense
9.2 Third-Party Audits
We will provide copies of:
- SOC 2 reports
- Penetration test summaries
- Relevant certifications
10. Data Retention and Deletion
10.1 Retention
We retain Personal Data only as long as necessary to:
- Provide the Services
- Comply with legal obligations
- Resolve disputes
10.2 Deletion
Upon termination or your request:
- We will delete Personal Data within 30 days
- Except where retention is required by law
- We will provide certification of deletion upon request
11. GDPR Compliance
11.1 Records
We maintain records of processing activities as required by Article 30 GDPR.
11.2 DPO
Our Data Protection Officer can be contacted at: dpo@thinkhive.ai
11.3 Supervisory Authority
Our lead supervisory authority is the Irish Data Protection Commission (for EU matters).
12. Term and Termination
This DPA:
- Takes effect when you start using the Services
- Continues while you use the Services
- Survives termination for data deletion obligations
13. Contact
For DPA-related matters:
- Email: dpa@thinkhive.ai
- DPO: dpo@thinkhive.ai
Annex I: Details of Processing
Categories of Data Subjects:
- Your employees using AI agents
- End users interacting with your AI agents
Categories of Personal Data:
- Names, email addresses (in traces)
- User queries and AI responses
- IP addresses and device information
Processing Operations:
- Storage of trace data
- Analysis for patterns and quality
- Generation of reports and insights
Duration:
- Per your account settings (default 90 days)