Controller, Data Subject, Personal Data, Personal Data Breach and Processing shall have the same meaning as in the Data Protection Law, and their cognate terms shall be construed accordingly.
Data Protection Law means the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as applicable) and any other relevant local laws relating to the protection of Personal Data, the privacy of individuals and the privacy of electronic communications.
If ThoughtRiver processes any Personal Data on the Customer's behalf when performing its obligations under the Terms, the parties record their intention that the Customer shall be the Data Controller and ThoughtRiver shall be a Data Processor and in any such case:
2. ThoughtRiver may use sub-processors for hosting and storage, subject to equivalent safeguards. ThoughtRiver remains liable for their actions.
3. ThoughtRiver shall notify the Customer without undue delay of any Personal Data Breach affecting the Customer’s data.
4. ThoughtRiver will co-operate with the Customer in mitigating any breach and the Customer shall cover reasonable costs.
5. ThoughtRiver shall provide information to demonstrate compliance and allow for audits upon reasonable notice, at the Customer’s expense.
6. ThoughtRiver shall assist with Data Subject rights requests under Data Protection Law, at the Customer’s cost.
7. On termination, ThoughtRiver will delete or return all Personal Data unless backed up or required by law to retain it.
The Customer’s personal data may include any personal data uploaded via documents to the Platform. This may include names, customer lists, addresses, birth dates, and other attributes — but not typically sensitive personal data.
Processing includes contract risk review, data extraction, ML training, feature enhancement and customer support. For more details, see our Privacy and Security Policy.
Either party may amend Paragraphs 2 and 3 of this Annex by written notice to comply with applicable Data Protection Law.
Summary of sub-processors who may process Personal Data under the Agreement.
Name | Location | Data Subjects | Framework | Categories of Personal Data | Processing Operations |
---|---|---|---|---|---|
Microsoft Azure | UK | Authorised Users | GDPR | Name, IP address, email, and any personal data in uploaded contracts | Infrastructure provision (buildings, security, servers, networks) |
Twilio Inc. (“SendGrid”) | US | Authorised Users | GDPR, EU SCCs & UK Addendum | Name, email | Account activation and password reset services |
Okta, Inc | EU | Authorised Users | UK GDPR, UK adequacy decision | Email, IP address | Authentication gateway (login, MFA) |
Abbyy Vantage | EU | Authorised Users, Featured Individuals | UK GDPR, UK adequacy decision | Name, IP, email, and any personal data in uploaded contracts | Conversion of PDFs/scans to DOCX |
Zoho Desk | EU | Authorised Users | GDPR, EU SCCs, DPA | Name, IP, email, and any personal data in uploaded contracts | Support helpdesk services |
ThoughtRiver may transfer personal data outside of the EU and UK where this is necessary to provide services (see our DPA for details).
Currently, we only use one sub-processor outside of the UK and EU: Twilio Inc. They provide the SendGrid service, used for password reset functionality. When a user requests a reset, their name and email are sent to Twilio.
While transfers from customers to ThoughtRiver are not restricted due to adequacy status, onward transfers from us to Twilio are considered restricted.
To protect this data, we have a data protection addendum in place with Twilio that incorporates the EU SCCs and UK Addendum. You can view these documents here.
We are confident in our safeguards, but if you have questions, please don’t hesitate to contact us.
Copyright © Thoughtriver Ltd. 2016-2025. All rights reserved.