Data Processing Agreement (DPA)

1. Definitions

• 'Data Protection Laws' means the UK GDPR and the Data Protection Act 2018, the EU GDPR, and other applicable data protection law, as in force from time to time.
• 'Personal Data', 'Controller', 'Processor', 'Data Subject', 'Processing' have the meanings given in Data Protection Laws.
• 'Customer Personal Data' means personal data processed by Thrones on behalf of the Customer in connection with the Service.
• 'Sub-processor' means a third party engaged by Thrones to process Customer Personal Data.

2. Scope and roles

In respect of Customer Personal Data, the Customer is the Controller and Thrones is the Processor. The subject matter, duration, nature and purpose of processing, the types of Personal Data and categories of Data Subjects are described in the Annex to this DPA.

3. Customer instructions

Thrones processes Customer Personal Data only on the Customer's documented instructions, including transfers to a third country or an international organisation, except where Thrones is required to act otherwise by law. In the latter case, Thrones informs the Customer of that legal requirement before processing, unless the law prohibits it on important grounds of public interest.

Documented instructions include the Terms of Service, this DPA, the configuration options available in the Service, and any additional written instructions reasonably agreed between the parties. If Thrones considers that an instruction infringes Data Protection Laws, Thrones will inform the Customer.

4. Confidentiality

Thrones ensures that personnel authorised to process Customer Personal Data are bound by appropriate contractual or statutory confidentiality obligations.

5. Security measures

Thrones implements and maintains technical and organisational measures appropriate to the risks, including the measures set out in Article 32 of the UK/EU GDPR. A summary of the measures in force is in the Annex. Thrones may update the measures provided that the level of security is not materially reduced.

6. Sub-processors

The Customer gives Thrones a general written authorisation to engage Sub-processors to provide the Service. A current list of Sub-processors is available on request at privacy@thrones.ai.

Thrones imposes on each Sub-processor data protection obligations that are, in substance, no less protective than those of this DPA, and remains liable to the Customer for the acts and omissions of its Sub-processors.

Thrones gives the Customer advance notice of intended changes to the list of Sub-processors so as to give the Customer a reasonable opportunity to object. If the Customer reasonably objects on data protection grounds and the parties cannot resolve the matter, the Customer may terminate the affected part of the Service without penalty; no refund will be given for periods already consumed.

7. Assistance to the Customer

Taking into account the nature of the processing, Thrones assists the Customer with appropriate technical and organisational measures, insofar as possible, to fulfil its obligation to respond to requests from Data Subjects. If Thrones receives a Data Subject request directly, Thrones forwards it to the Customer without undue delay and does not otherwise respond to the Data Subject.

Thrones assists the Customer in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to Thrones.

8. Personal data incidents

Thrones notifies the Customer without undue delay and in any event within 72 hours of becoming aware of any incident affecting Customer Personal Data. The notice contains the information Thrones can reasonably provide at that point, with further detail provided as it becomes available.

9. International transfers

The Customer authorises Thrones and its Sub-processors to transfer Customer Personal Data outside the United Kingdom and the European Economic Area in connection with providing the Service. Such transfers are made under appropriate safeguards, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and — where applicable — the EU-US Data Privacy Framework and its UK Extension.

Where the Standard Contractual Clauses apply, the parties are deemed to have entered into them as follows: the Customer is the data exporter (controller), Thrones is the data importer (processor), Module 2 applies for controller-to-processor transfers, with the docking clause and optional clauses where permitted under local law. The UK Addendum applies where the UK GDPR applies to the transfer.

10. Audit

Thrones makes available to the Customer the information reasonably necessary to demonstrate compliance with this DPA and allows audits conducted by the Customer or an auditor mandated by it, subject to reasonable confidentiality and security requirements. Audits are conducted not more than once in any twelve-month period (save where required by a supervisory authority or following an incident), on at least 30 days' prior written notice, during business hours and at the Customer's cost. Reports by independent auditors (such as SOC 2 or ISO 27001, where available) will be provided in lieu of on-site audits where they sufficiently address the Customer's concerns.

11. Deletion and return

Upon termination or expiry of the Service, Thrones will — at the Customer's choice — delete or return all Customer Personal Data and destroy existing copies, unless retention is required under applicable law. By default, if no choice is made, data is deleted within 90 days of termination. Backups containing Customer Personal Data are overwritten in the ordinary course of backup rotation.

12. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA affects liability that cannot be limited under applicable law.

13. Order of precedence

In the event of a conflict between this DPA and the Terms of Service in respect of the processing of Customer Personal Data, this DPA prevails.

14. Annex — Description of processing

Subject matter and duration: processing of Customer Personal Data to provide the Service for the duration of the Customer's subscription and the agreed post-termination deletion period.