Data Processing Agreement
Last updated: April 16, 2026
This Data Processing Agreement ("DPA") describes the terms under which Thalian, LLC ("Thalian," "we," "our," or "us") processes personal data on behalf of customers ("you," "your," or "Controller"), in compliance with GDPR and applicable data protection laws. This DPA forms part of and is incorporated into the Thalian Terms of Service. In the event of any conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA controls.
1. Definitions and scope
This DPA applies to all customers who use Thalian's services and who are subject to GDPR (EU 2016/679), UK GDPR, or equivalent data protection regulation.
- Controller: Your organization, the entity that determines the purposes and means of processing personal data through the Thalian platform.
- Processor: Thalian, LLC. We process personal data only on your behalf and under your documented instructions, as set out in this DPA and our Terms of Service.
- Applicable law: This DPA is governed by GDPR (EU 2016/679), UK GDPR, and equivalent data protection legislation applicable to the Controller's jurisdiction.
By using Thalian, you agree to the terms of this DPA on behalf of your organization.
2. Categories of personal data
Thalian processes the following categories of data solely to provide the service to your organization.
Identity data
Email addresses, display names, account status, role assignments, department, manager relationships, and MFA enrollment state: synced from connected identity providers (Okta, Microsoft Entra ID, Google Workspace, JumpCloud, OneLogin, PingOne).
Access and entitlement data
Application access records, role assignments within SaaS applications, OAuth authorizations, last-used timestamps, and access history: used to generate security findings and identify access hygiene gaps.
Device data
Device identifiers, operating system versions, compliance status, encryption state, and owner email: synced from connected device management platforms (Jamf, Intune, Iru, CrowdStrike, SentinelOne, and others).
Audit and activity data
Platform-generated audit events including login activity, privilege changes, and administrative actions: used for behavioral anomaly detection and security posture analysis.
HR data (if connected)
Employment status, start/termination dates, department, and job title: synced from HR systems (Rippling, BambooHR, Workday) to enable offboarding gap detection and cross-platform identity reconciliation.
3. Processing purposes
All processing is strictly limited to the purpose of delivering the Thalian service:
- Security analysis: Running 400+ cross-platform rules to identify identity, access, device, and compliance risks across your connected systems.
- AI-powered intelligence: Generating security findings, briefings, dossiers, and remediation recommendations via Claude (Anthropic API). Data is sent to Anthropic for real-time inference only, not for model training.
- Remediation execution: Performing approved actions (e.g., suspending a user, revoking a token) via connected platform APIs on your explicit instruction. All actions are logged in an immutable audit trail.
- Service delivery and support: Syncing integration data, generating reports, delivering alert notifications, and enabling support resolution. No processing occurs beyond what is required to deliver the contracted service.
4. Thalian's processing obligations
As your data processor, Thalian commits to the following:
- Process only on documented instructions: We process personal data only as directed by your use of the service and as described in this DPA and the Terms of Service. We will not process data for any other purpose without your prior written consent.
- Confidentiality: All personnel authorized to process personal data are bound by confidentiality obligations. Access to production data is limited to authorized personnel and is logged.
- Technical and organizational security measures: We implement and maintain appropriate measures as described in our Security & Trust page, including encryption in transit and at rest, role-based access controls, and row-level data isolation.
- Assist with data subject rights: We will assist you in responding to data subject requests (access, correction, deletion, portability) to the extent we hold the relevant data. Contact privacy@thalian.ai to initiate a request.
- Notify of security incidents: We will notify affected customers within 72 hours of becoming aware of a personal data breach that impacts their personal data, providing details sufficient for you to meet your own notification obligations under GDPR Article 33.
- Support data protection impact assessments: We will provide reasonable assistance if you are required to conduct a DPIA in relation to your use of the Thalian service.
5. Authorized sub-processors
We engage the following sub-processors to deliver the Thalian service. All sub-processors are bound by data processing agreements no less protective than this DPA. The full list, including data categories and vendor compliance links, is maintained at thalian.ai/subprocessors.
- Supabase: Database and authentication (US, AWS us-east-1)
- Cloudflare: Hosting, CDN, edge compute (global edge network; customer data at rest remains US-only)
- Anthropic: AI inference via Claude API (US)
- Stripe: Payment processing (US)
- Loops: Transactional and lifecycle email (US)
- Sentry: Error monitoring; PII scrubbed; 10% trace sampling (US)
- Plain: Support chat widget (US)
We will notify customers of any intended changes to this list (addition or replacement of sub-processors) with at least 14 days' notice, providing the opportunity to object.
6. Cross-border data transfers
All Thalian customer data is stored and primarily processed in the United States.
- Standard Contractual Clauses: For transfers of personal data from the European Economic Area to the United States, Thalian relies on the EU Standard Contractual Clauses (SCCs) as the lawful transfer mechanism under GDPR Article 46.
- UK International Data Transfer Agreement: For transfers from the United Kingdom, Thalian relies on the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs as applicable.
- Sub-processor transfer compliance: All sub-processors that receive personal data originating from the EEA or UK are required to maintain equivalent transfer mechanisms. Details are available on request.
7. Data retention and deletion
- Active subscriptions: Personal data is retained for the duration of the customer subscription. Plan-based retention limits apply: 7 days (Free), 1 year (Pro), unlimited (Enterprise).
- Integration disconnect: Disconnecting an integration triggers immediate deletion of credentials. Associated identity, device, application, and entitlement data is purged within 30 days.
- Account termination: Upon account deletion or subscription termination, all workspace data is permanently deleted within 30 days. Audit logs are retained for a minimum of 365 days total; upon termination, they are anonymized (personal identifiers removed) and retained for an additional 12 months for legal and compliance purposes, then permanently deleted.
- Deletion on request: You may request deletion of specific personal data records at any time by contacting privacy@thalian.ai. We will fulfill the request within 30 days and confirm in writing.
8. Audit and compliance verification
We support your right to verify our compliance with this DPA.
- Documentation: We will make available all information reasonably necessary to demonstrate compliance with our obligations as a processor, including this DPA and our security documentation.
- Third-party audits: Upon written request and at your expense, we will cooperate with audits conducted by you or a third-party auditor appointed by you, subject to reasonable notice and confidentiality obligations.
9. Need a signed DPA?
Enterprise customers can request a countersigned copy of this DPA for their records. Contact us and we'll turn it around within 5 business days.
10. Contact
For all DPA-related inquiries, data subject requests, or to execute a signed DPA for your organization: