Data Processing Addendum
This DPA forms part of the Terms of Service for customers processing personal data through Thawly. Last updated 2026-05.
1. Definitions
"Customer" means the entity using Thawly under a paid or free subscription. "Customer Data" means any data uploaded to or generated by Customer's use of Thawly. "Personal Data" has the meaning given in UK GDPR. "Processor" and "Controller" have the meanings given in UK GDPR.
2. Roles
Customer is the Controller of Customer Data. Thawly is the Processor, processing only on documented instructions from the Customer (which the Terms of Service constitute).
3. Categories of data processed
- Customer's authorised users' email addresses (via Clerk)
- Company names, deal values, lost dates, lost reasons, notes uploaded by Customer
- Public signal data sourced from UK government and commercial APIs
Thawly does not process contact-level personal data (names, emails, phone numbers) of third-party individuals at Customer's monitored companies.
4. Sub-processors
Thawly engages the following sub-processors. Customer consents to their use; we'll notify customers of changes 30 days in advance.
- Vercel — application hosting
- Supabase — database and storage
- Clerk — authentication
- Resend — transactional email
- Anthropic — AI message drafting (Claude API)
- Stripe — payment processing
5. Security measures
See /legal/security for details. Summary: TLS in transit, AES-256 at rest, access via SSO, no contact data stored, EU/UK hosting where supported.
6. Data subject rights
Thawly provides Customer the means to fulfil data subject requests (access, rectification, erasure, portability) directly within the application. Customers can export or delete their data at any time.
7. Data breach notification
Thawly will notify Customer without undue delay (and within 72 hours of confirmation) of any personal data breach affecting Customer Data, with the information needed for Customer to meet its own notification obligations.
8. Return or deletion of data
On termination of the Agreement, Customer Data is deleted from active systems within 30 days and from backups within 90 days, unless retention is required by law.
9. International transfers
Where data is transferred outside the UK or EEA (e.g. for AI processing via Anthropic), transfers rely on UK Standard Contractual Clauses or equivalent safeguards. Customers can request copies of the safeguards in place.
10. Contact
For DPA-related questions or to request a counter-signed copy, email privacy@thawly.co.uk.