Data Processing Agreement

A Data Processing Agreement is a contract required by GDPR Article 28 (and similar provisions in CCPA, LGPD and Ley 29733) whenever a business hires a service provider to process personal data on its behalf. It defines roles (controller vs processor), security obligations, breach notification, subprocessor rules, audit rights and termination/data-return procedures.

In our case: your company is the controller of your end users' data, and Thaliq is the processor when running agents on that data. The DPA is the contract that says we will only process it for the purposes you instruct, that we will keep it secure, and that we will help you meet your own compliance obligations.

• You are a business customer using Thaliq to process data of natural persons (your customers, patients, employees, leads).
• Your customers, end users or compliance team operate under GDPR, UK GDPR, CCPA, LGPD or Ley 29733.
• Your procurement or legal team requires it as part of vendor onboarding (typical at enterprise companies).

If you are evaluating Thaliq on a free plan with synthetic or test data, you can defer this until you move data of real users.

• Roles: you are the controller, we are the processor. We process data only on your documented instructions.
• Subject matter and duration of processing: tied to your subscription term and your configured agents.
• Nature and purpose: providing the agentic platform, running agents, supporting integrations.
• Categories of data and data subjects: defined by what you configure your agents to process.
• Confidentiality of personnel and subprocessors handling the data.
• Technical and organizational security measures (per our /security/ trust center).
• Subprocessor list with prior-notice mechanism for changes (see /subprocessors/).
• Assistance with data subject requests (access, deletion, portability, etc.).
• Breach notification within 72 hours of becoming aware.
• Cooperation on Data Protection Impact Assessments where required.
• Audit rights (typically via SOC 2 report once certified; on-site audits for Enterprise on reasonable terms).
• Data return or deletion at the end of the contract.
• International transfer mechanisms (Standard Contractual Clauses where applicable).
• Liability and indemnification consistent with our Terms.

Our subprocessors are the third parties that help us run the service — hosting, AI inference, observability, etc. The current list is public at /subprocessors/. When we add or change a subprocessor, we give customers at least 30 days notice via email and an update to that page. If you object, you can terminate the affected portion of the service.

Email hola@thaliq.com with the following so we can send the right version: your company name, your country of incorporation, whether you are processing data of EU/UK residents, and your point of contact for signature.

We typically respond within one business day with the DPA as a PDF (or via DocuSign for the signed copy). Standard DPA terms are non-negotiable for Builder and Scale plans; Enterprise customers can negotiate specific clauses with our legal team.

Questions about our DPA, processing roles or specific clauses: hola@thaliq.com.