ThorStack

Data Processing Addendum (DPA)

Effective April 27, 2026

ThorStack is the processor; you're the controller. This DPA covers the GDPR, UK GDPR, NDPA, and equivalent regimes — and includes our sub-processor list, security measures, and breach notification commitments.

1. Scope of this DPA

This Data Processing Addendum (“DPA”) forms part of the agreement between Metasession Ltd. (“ThorStack”) and the Customer for the provision of the ThorStack platform.

It applies to all Customer Personal Data processed by ThorStack on behalf of the Customer in connection with the Services. The Customer is the data controller; ThorStack is the data processor.

Where the Customer is a processor for an upstream controller, ThorStack acts as a sub-processor on the same terms.

2. Nature & purpose of processing

ThorStack processes Customer Personal Data only to the extent required to provide the Services described in the Order Form, including:

  • Operating, monitoring, and maintaining the Customer's deployment.
  • Synchronizing data with the integrations the Customer authorizes.
  • Generating AI agent outputs in response to Customer instructions.
  • Producing aggregated, non-identifying telemetry for service improvement.
  • Responding to Customer support requests.

Processing categories typically include identifiers, contact information, professional information, financial transactions, and content the Customer ingests.

3. ThorStack's obligations

ThorStack will:

  • Process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required by law to do otherwise.
  • Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
  • Implement and maintain technical and organizational measures appropriate to the risk (see Annex II below).
  • Assist the Customer in fulfilling data-subject rights requests within reasonable timeframes.
  • Notify the Customer without undue delay (and in any event within 72 hours) of any Personal Data Breach affecting Customer Personal Data.
  • Make available all information necessary to demonstrate compliance with this DPA, and allow for audits as set out below.

4. Sub-processors

The Customer authorizes ThorStack to engage the sub-processors listed below to perform specific processing activities on behalf of the Customer.

Sub-processor | Purpose | Location
Amazon Web Services | Default cloud infrastructure (compute, storage, network) | Customer-selected
Google Cloud Platform | Alternative cloud (Operator and Sovereign tiers) | Customer-selected
Microsoft Azure | Alternative cloud (Sovereign tier) | Customer-selected
OpenAI | Marketing-site AI assistant; optional LLM provider in customer deployments | US
Anthropic | Optional LLM provider in customer deployments | US
Google Vertex | Optional LLM provider in customer deployments | Customer-selected
Cal.com | Marketing-site meeting scheduling | EU
Resend | Transactional and marketing email | US
Cloudflare | Edge network, DDoS protection, DNS | Global
Sentry | Application error monitoring (no customer data) | EU/US

ThorStack will give the Customer at least 30 days' notice of any proposed addition or replacement of a sub-processor. The Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected portion of the Services.

5. International transfers

Where ThorStack transfers Customer Personal Data from the EEA, UK, or Switzerland to a country not deemed adequate by the relevant authority, the parties agree that the EU Standard Contractual Clauses (Module Two: controller-to-processor) and the UK Addendum apply, incorporated by reference.

ThorStack will assist the Customer in carrying out a transfer impact assessment when reasonably required.

6. Security measures (Annex II)

  • Encryption — TLS 1.2+ in transit; AES-256 at rest. BYOK (bring-your-own-key) supported on the Sovereign tier.
  • Tenancy isolation — separate database, app instance, vector store, and storage prefix per Customer.
  • Access control — least-privilege, role-based access; multi-factor authentication required for all ThorStack personnel.
  • Network security — segmented VPCs, allow-listed egress, DDoS protection at edge.
  • Logging & monitoring — full audit trails per tenant; security event monitoring in production.
  • Vulnerability management — automated SAST and dependency scanning; quarterly penetration testing; bug bounty.
  • Backup & recovery — encrypted backups with 30-day rolling retention; documented disaster recovery procedures.
  • Personnel — background checks, mandatory security training, signed confidentiality agreements.

7. Audit & compliance

ThorStack maintains a SOC 2 Type II report. The Customer may request a copy under NDA via security@thorstack.com.

On reasonable advance notice and no more than once per year, the Customer may request an audit of ThorStack's processing activities at the Customer's expense. Audits must not unreasonably interfere with ThorStack's operations.

8. Personal Data Breach notification

ThorStack will notify the Customer without undue delay — and in any event within 72 hours — of becoming aware of any Personal Data Breach affecting Customer Personal Data, providing the information required under Article 33(3) GDPR to the extent available.

9. Deletion & return

On termination of the Services, ThorStack will delete or return Customer Personal Data within 30 days, except to the extent retention is required by law. Backups roll out of retention within 30 days of deletion. ThorStack will provide written confirmation of deletion on request.

10. Liability

The liability of each party under or in connection with this DPA is subject to the limitations and exclusions set out in the Order Form and Terms of Service.