Terms of use

This explains your rights and obligations when using our platform.


Privacy policy

This explains how we will look after your data.


Use policy

This explains what we expect from users in terms of reasonable usage of the platform.


Backup policy

This explains our backup policy to keep data safe.




Acceptable Use Policy means ThoughtRiver’s acceptable use policy as amended from time to time here.  

Account means the Customer’s account on the Platform. 

Agreement means the Order together with these Terms. 

Associated Company means a corporate body controlling, controlled by or under common control with the Customer. 

Authorised Users means the employees, agents and independent contractors of (i) the Customer; and (ii) the Customer’s Associated Companies, who are authorised by the Customer to use the Platform (and as limited to the permitted number set out in the Order). 

Back up Policy means ThoughtRiver’s back-up policy as amended from time to time here. 

Business Day means any day which is not a Saturday, Sunday or public holiday in the Support Timezone. 

Confidential Information means information that is proprietary or confidential and is either clearly labelled as such, identified as such or by its nature can reasonably be considered to be confidential information. 

Contract means terms that are executed or intended to be executed together as a discrete contract including versions thereof. The following are separate contracts: variations, waivers, change notes, statements of work, related agreements such as side letters and other contracts which taken together document a transaction. 

Core Contract Description Framework means all properties, related machine learning interpretation and risk models provided as part of the Platform together with any Training Data used to generate such items. 

Customer means the customer identified as such in the Order. 

Customer Data means the data (including but not limited to contracts, the Customer’s own risk policies) created by the Customer and inputted by Authorised Users into the Platform excluding the ThoughtRiver Processing Data, Labelled Training Data, Derivative Works and ThoughtRiver Out Of The Box (OOTB) Policies. 

Data Processing Addendum means the addendum setting out the way in which ThoughtRiver processes personal data, as amended from time to time here. 

Derivative Works means any and all software derivative work produced by ThoughtRiver and/or by the operation of the Platform. 

Documentation means any documentation supplied by ThoughtRiver to the Customer under this Agreement. 

Fees means the fees payable under clause 6 of these terms. 

Free Trial means the length of time for which the Customer can access and use the Platform free of charge as stated in the Order. 

Intellectual Property Rights means all intellectual property rights including, but not limited to, patents, trade secrets, trade marks, service marks, trade names, copyrights and other rights in works of authorship (including rights in computer software), moral and artists’ rights, design rights, domain names, know-how and database rights and whether any of the foregoing are registered or unregistered and all rights or forms of protection of a similar nature in any country. 

Labelled Training Data means Training Data manually labelled with the intent of training the Platform to improve the Output and whether labelled by ThoughtRiver and/or the Customer. 

Licensed Data means Training Data and anonymised contract text but shall not include any Customer risk policies. 

Order means the order form to which these terms are attached. 

Order Month means a calendar month, or part thereof, occurring during an Order Term. 

Order Term means the period identified as such in the Order. If no such period is given, the Order Term shall be deemed to be 12 months. 

Output means all data or information provided by the Platform in reports, screens, downloads, files, charts or other formats. 

Platform means the platform available at <region>.thoughtriver.review or any other address notified to the Customer by ThoughtRiver, including the Core Contract Description Framework, ThoughtRiver Out Of The Box (OOTB) Policies, Software and Documentation. 

Privacy and Security Policy means ThoughtRiver’s policy for privacy and security as amended from time to time here. 

Service Level Agreement means the schedule detailing the technical support provided by ThoughtRiver to the Customer during the course of the Agreement as amended from time to time.

Software means the software applications provided by ThoughtRiver as part of the Platform under this Agreement. 

Start Date means the date identified as such in the Order. 

Support Timezone means the timezone identified as such in the Order. 

Term means the period commencing on the Start Date and ending on the last day of the final Order Term unless terminated earlier in accordance with clause 15. 

ThoughtRiver Out Of The Box (OOTB) Policies means the risk policies created by ThoughtRiver and marked as such on the Platform including any Derivative Works thereof.

ThoughtRiver Processing Data means statistical, textual correlative and activity-based data captured by the Platform in the course of usage by Authorised Users and all derivative data which is used by ThoughtRiver to improve the intuition, accuracy and sophistication of the Platform. 

Training Data means a set of data that is fed into an algorithm to produce a trained model to improve the quality of the Output. 


2.1 Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.  


2.2 Unless the context otherwise requires, words in the singular shall include the plural and the plural shall include the singular.
2.3 Unless otherwise stated, references to clauses, schedules, and exhibits are to the clauses, schedules, and exhibits within these terms.  




3.1 Except where the Customer undertakes a Free Trial, this Agreement shall commence on the Start Date and shall continue until expiry of the Order Term. Where the Customer undertakes a Free Trial, the Agreement shall commence on the Start Date and end on the last day of the Free Trial or continue for the first Order Term as elected by the Customer under Clause 4.1.

3.2 This Agreement applies in respect of the Customer’s usage of the Platform.




4.1 Where the Customer undertakes a Free Trial, this Agreement shall commence on the date the Order is signed and shall continue for the first Order Term unless:  
4.1.1 the Customer provides written notice of termination to ThoughtRiver on or before the last day of the Free Trial; or  
4.1.2 either Party terminates the Agreement in accordance with clause 15.


4.2 Where the Customer terminates the Agreement during the Free Trial in accordance with clause 4.1.1 or 4.1.2, all Customer Data uploaded to the Platform during the Free Trial shall be permanently deleted by ThoughtRiver at the end of the Free Trial. 





5.1 Subject to the Customer’s compliance with the terms of this Agreement, ThoughtRiver hereby grants to the Customer a non-exclusive, non-transferable right to permit the Authorised Users to access and use the Platform during the Term for internal business purposes and as an integrated component of managed services provided to the Customer’s legal services clients, subject always to the Acceptable Use Policy. 

5.2 The Customer shall ensure that the Authorised Users use the Platform in accordance with the terms of this Agreement (including, without limitation, the Acceptable Use Policy) and their permitted access on the Platform. The Customer shall be liable for any Authorised User's breach of this Agreement. 

5.3 The Customer is granted a non-exclusive and non-transferable right to use parts of the ABBYY SDK solely in conjunction with the Platform and in accordance with this Agreement (including the specification here). This licence may be time- or function-limited and protected from unauthorised copying by means of a hardware or software protection key which is an integral part of the ABBYY SDK.


6. FEES 


6.1 Unless otherwise stated in the Order, the Customer shall pay all Fees in advance in respect of the Order Term and in any event no later than 15 days after the Start Date, but shall not be required to pay any Fees until the end of any Free Trial. 
6.2 The Customer shall pay any additional charges on a monthly basis following the Order Month in which they were incurred. 
6.3 ThoughtRiver reserves the right to review and update the Fees prior to any renewal of the Order Term. 




7.1 The Customer shall pay the Fees to ThoughtRiver in accordance with this clause 7. 

7.2 If ThoughtRiver has not received payment within 30 days after the due date, without prejudice to any other rights and remedies of ThoughtRiver: 

7.2.1 ThoughtRiver may, on notification to but without liability to the Customer, disable the Account until the outstanding fees are paid; and 


7.2.2 interest shall accrue on a daily basis on such due amounts at an annual rate equal to 2% over the then current base lending rate of Barclays Bank plc from time to time, commencing on the due date and continuing until fully paid, whether before or after judgment. 


7.3 The Fees shall be payable in pounds sterling unless otherwise set out in the Order and are exclusive of value-added tax, which where applicable shall be added to ThoughtRiver invoice(s) at the appropriate rate. 




8.1 The Customer agrees and acknowledges that: 
8.1.1 the Output does not constitute legal advice and the Customer shall not rely on the Output as if it were legal advice; 


8.1.2 machine training may result in a deterioration of accuracy of the Output especially where the training is incorrect; and 


8.1.3 the Platform uses predictive technology and user data input to identify provisions of contracts and generate risk assessments. The nature of this technology is that accuracy will improve over time but cannot be guaranteed and it is likely that mistakes will occur from time to time. ThoughtRiver does not provide any warranty or accept any liability of any kind in relation to such mistakes. 




9.1 The Platform is provided to the Customer on an "as is" basis. The Customer assumes sole responsibility for the results obtained from its selection and use of the Platform and Output, and for decisions taken (automated or not) and/or conclusions drawn from such results. 

9.2 ThoughtRiver warrants that it has all necessary licences, consents, and permissions necessary for the performance of its obligations under this Agreement. Save as set out in the preceding sentence, all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement. 

9.3 ThoughtRiver shall provide the support set out in the Service Level Agreement as notified to the Customer from time to time. In the event that ThoughtRiver breaches its obligations under this clause, the Customer’s sole remedy shall be for ThoughtRiver to use best endeavours to restore the Platform availability promptly. 

9.4 ThoughtRiver does not warrant that the Customer's use of the Platform will be uninterrupted or error-free or that the Platform and/or the Output will meet the Customer's requirements. 

9.5 ThoughtRiver is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet. 

9.6 The Customer shall comply with the Acceptable Use Policy. 

9.7 The Customer shall provide ThoughtRiver with all necessary co-operation in relation to this Agreement and all necessary access to such information as may be required by ThoughtRiver in order to provide the services, including but not limited to Customer Data, security access and configuration services. 




10.1 The Customer shall own all right, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 

10.2 ThoughtRiver shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy. In the event of any loss or damage to Customer Data caused by ThoughtRiver, the Customer's sole and exclusive remedy shall be for ThoughtRiver to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained under the Back-Up Policy. ThoughtRiver shall not be liable for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by ThoughtRiver to perform services related to Customer Data maintenance and back-up). 

10.3 ThoughtRiver shall comply with the Privacy and Security Policy. 

10.4 The processing of any personal data is governed by our Data Processing Addendum. 




11.1 The Customer acknowledges and agrees that ThoughtRiver and/or its licensors own all Intellectual Property Rights in the Platform, Labelled Training Data and the Derivative Works. Except as expressly stated herein, this Agreement does not grant the Customer or the Authorised Users any rights to, or in, patents, copyright, database right, trade secrets, trade names, trade marks (whether registered or unregistered), or any other rights or licences in respect of the Platform or the ThoughtRiver Processing Data. 

11.2 ThoughtRiver confirms that it has all the rights in relation to the Platform that are necessary to enable it to licence the use of the same to the Customer under, and in accordance with, the terms of this Agreement. 

11.3 Without prejudice to clause 11.1, the Customer shall own all intellectual property rights in the Customer Data. The Customer permits Licensed Data to be used as part of the Core Contract Description Framework and the Customer shall be deemed to have granted ThoughtRiver an irrevocable, perpetual, worldwide, royalty-free licence to store, display, use, copy, maintain, customise and provide such data as part of the Platform for use by ThoughtRiver and all customers and other users for any reasonable purpose associated with Platform usage, contract review, analysis, benchmarking and other such activities. 




12.1 In connection with the performance of this Agreement, each party may be given access to the other party’s Confidential Information. A party's Confidential Information shall not include information that: 

12.1.1 is or becomes publicly known other than through any act or omission of the receiving party; 


12.1.2 was in the other party's lawful possession before the disclosure; 


12.1.3 is lawfully disclosed to the receiving party by a third party without restriction on disclosure; 


12.1.4 is independently developed by the receiving party, which independent development can be shown by written evidence; or 

12.1.5 is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body. 


12.2 Each party shall hold the other's Confidential Information in confidence and, unless required by law, not make the other's Confidential Information available to any third party, or use the other's Confidential Information for any purpose other than the implementation of this Agreement. If either party is required to disclose Confidential Information to any employee, agent or sub-contractor then it shall ensure that such relationships are governed by contractual terms relating to confidentiality which are no less onerous than in this Agreement.

12.3 Each party shall take all reasonable steps to ensure that the other's Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement. 

12.4 Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party. 

12.5 ThoughtRiver acknowledges that the Customer Data is the Confidential Information of the Customer. 

12.6 This clause 12 shall survive termination of this Agreement, however arising.




13.1 ThoughtRiver shall indemnify the Customer against any claim that the use or possession of the Platform in accordance with the provisions of this Agreement infringes the copyright of any third party provided that: 


13.1.1 ThoughtRiver is given prompt and complete control of such claim; 


13.1.2 the Customer does not (whether through action or inaction) prejudice ThoughtRiver's defence of such claim; 


13.1.3 the Customer (at ThoughtRiver's expense) gives ThoughtRiver reasonable assistance with such claim;


13.1.4 the claim does not arise as a result of the use of the Platform in combination with any material not supplied or approved in writing by ThoughtRiver; and 


13.1.5 the Customer immediately suspends use of the Platform after notice of any alleged infringement from ThoughtRiver or any appropriate authority.


13.2 ThoughtRiver shall have the right to replace or change all or part of the Platform in order to avoid any infringement or suspected infringement of the Intellectual Property Rights of any third party. 

13.3 The provisions of this clause 13 state the entire liability of ThoughtRiver to the Customer under this Agreement in respect of the infringement of the Intellectual Property Rights of any third party. 




14.1 This clause 14 sets out the entire liability of each party (including any liability for the acts or omissions of its employees, agents and sub-contractors) to the other party: 

14.1.1 arising under or in connection with this Agreement;

14.1.2 in relation to ThoughtRiver’s liability, in respect of any use made by the Customer and Authorised Users of the Platform or any part of them; and 


14.1.3 in respect of any representation, statement or tortious act or omission (including negligence) arising under or in connection with this Agreement. 


14.2 Nothing in this Agreement excludes the liability of a party: 

14.2.1 for death or personal injury caused by that party’s negligence, for fraud or fraudulent misrepresentation or for any other reason that cannot be lawfully limited or excluded; or


14.2.2 in relation to the Customer, the Customer’s liability to pay the Fees which shall be in addition to the amounts set out in clause 14.3 below. 


14.3 Subject to clauses 14.1 and 14.2: 

14.3.1 a party shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement; 


14.3.2 save in respect of liability arising under clause 13, a party’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with or under this Agreement shall be limited to £1000 during any Free Trial and the total Fees payable during the Order Term. 




15.1 Except where the Customer undertakes a Free Trial, this Agreement shall commence on the Start Date and continue for the first Order Term.  
15.2 At the end of the first Order Term and all successive Order Terms, this Agreement shall be automatically renewed for a further Order Term of the same length as the first Order Term, unless: 
15.2.1 either party notifies the other party of termination, in writing, at least 45 days before the end of an Order Term, in which case this Agreement shall terminate upon the expiry of the applicable Order Term; 
15.2.2 this Agreement is otherwise terminated in accordance with the provisions of this Agreement. 


15.3 Either party may terminate this Agreement with immediate effect by giving written notice to the other party if: 

15.3.1 the other party fails to pay any amount due under this Agreement on or by the due date for payment and remains in default 30 days after being notified in writing to make such payment; 


15.3.2 the other party commits a material breach of any other term of this Agreement which is irremediable or (if such breach is remediable) the other party fails to remedy within 30 days after being notified in writing to do so; or 


15.3.3 the other party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts, is declared insolvent, is wound up or has an administrator appointed. 


15.4 On expiry or termination of this Agreement for any reason: 

15.4.1 the Customer’s right to use and access the Platform shall immediately terminate;


15.4.2 each party shall return all equipment, property and other items belonging to the other party; 


15.4.3 subject to any rights granted under clause 11.3 and without prejudice to clause 4.2, ThoughtRiver shall destroy the Customer Data, save where the Customer provides written notice to ThoughtRiver to return a copy of the Customer Data in its possession. The Customer shall pay reasonable expenses incurred by ThoughtRiver in returning Customer Data; and


15.4.4 any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination shall not be affected or prejudiced. 




16.1 A party shall have no liability to the other party under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control provided that the affected party is notified of such an event and its expected duration. 

16.2 No variation of this Agreement shall be effective unless it is in writing and signed by the parties.

16.3 No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy.

16.4 If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.

16.5 Nothing in this Agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other.

16.6 The Customer shall not, without the prior written consent of ThoughtRiver, assign, transfer, charge or deal in any other manner with all or any of its rights or obligations under this Agreement.


16.7 The Customer hereby agrees that ThoughtRiver shall be entitled to make reference to the Customer’s usage of the Platform on its website, in its marketing materials, and in discussions. 


16.8 This Agreement does not confer any rights on any person or party (other than the parties to this Agreement and, where applicable, their successors and permitted assigns). 

16.9 In the event of a conflict between any provision in these terms and that of any Order Form, the terms in the Order Form shall prevail. 




17.1 This Agreement, and any documents referred to in it, constitute the whole agreement between the parties and supersede any previous arrangement, understanding or agreement between them, written or otherwise, relating to the subject matter they cover. 




18.1 Any notice required to be given under this Agreement shall be in writing and shall be delivered by email (with receipt notification enabled and a physical copy of the email sent by first class post). 

18.2 A notice delivered by email shall be deemed to have been received 24 hours after the relevant receipt notification has been received by the sender. A notice delivered by post shall be deemed received on the date of delivery or if delivered outside of business hours, on the next Business Day. 

18.3 For the purposes of this clause 18 the address of each party shall be: 


18.3.1 for ThoughtRiver: 


Chief Executive Officer at ThoughtRiver's registered office address


with a copy sent to: legal@thoughtriver.com   

for the Customer, the address and contact details set out in the Order. 


19.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales. 




20.1 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims). 

Details of ABBYY license

  1. The Platform contains ABBYY SDK which provides functionality to integrate certain optical character recognition (OCR) and/or intelligent character recognition (ICR) and may include the “Engine” or “ABBYY FineReader Engine”.
  2. The Customer may not perform or make it possible for other persons to perform any of the following activities, which may infringe the rights of the owner of the ABBYY SDK:

     2.1. Reverse engineer, disassemble or decompile (i.e. reproduce and transform the object code into source code) or otherwise attempt to derive the source code for the ABBYY SDK (applications, databases, and other ABBYY SDK components), or any part, except, and only to the extent that, such activity is expressly permitted by applicable law notwithstanding this limitation. If applicable law prohibits the restriction of such activities, any information so discovered must not be disclosed to third parties with the exception that such disclosure is required by law and such information must be promptly disclosed to the owner of the ABBYY SDK. All such information shall be deemed to be confidential and proprietary information of ABBYY.

    2.2. Modify the ABBYY SDK, including making changes to the object code of the applications and databases contained in the ABBYY SDK other than those changes that can be made by means of the ABBYY SDK as described in any applicable documentation.

    2.3. Transfer the right to use the ABBYY SDK to third parties or make it possible to use the ABBYY SDK for persons who have no right to use the Platform.

    2.4. Make it possible for any person not authorized to use the ABBYY SDK and working in the same multi-user system with the Customer to use the ABBYY SDK.

    2.5. Provide public services, whether commercial or non-commercial, via the Internet without the prior written consent of ABBYY (other than as otherwise licensed under this Agreement).
  3. The ABBYY SDK is supplied “as is.” ABBYY does not warrant that ABBYY SDK will contain no errors, nor will it be liable for any damages, including damages for loss of business profits or disclosure of confidential information.
  4. The Customer shall not export or re-export the ABBYY SDK in violation of any export provisions in force in the country in which you bought this licence, or in violation of any other applicable legislation.

Privacy & Security Policy

Client Data

During implementation, clients are provided with their own private data stores.

  • All client data, including all uploaded contracts, will be stored on their dedicated data stores
  • ThoughtRiver may not access client data without permission (e.g. for a support request)
  • Client data is backed up continually to private data stores at a second site to facilitate disaster recovery and data restore
  • All client data is encrypted at rest and in transit; different clients' data stores employ different encryption keys

Contextual Interpretation Engines

ThoughtRiver’s AI or Contextual Interpretation Engines are housed in our distributed architecture as shared services. During contract analysis:

  • Contract data is sent to the AI Engines for predictions and training
  • All resultant information is recorded back to the client data stores
  • The AI Engines do not record any client-identifiable data

Clients may request that ThoughtRiver perform machine learning training on their contracts to extend the capabilities of the out-of-the-box predictions. Where this occurs, a copy of the customer data will be taken into a separate private data store accessible by ThoughtRiver staff which will be used to develop a new iteration of the out-of-the-box prediction models. No data is added to this store without explicit client consent and there is no obligation to agree to this process. None of this data is accessible by any of ThoughtRiver clients.


The following client data is collected and stored by third party analytics providers who provide product analytics services to ThoughtRiver to support iterative product feature enhancement and customer success support for clients. The usage data is collected via all of ThoughtRiver’s applications (including the Microsoft Word Plug-In, Negotiations Application and Flow email connector):

  • Domain name of the user's email address. For example, “thoughtriver” is recorded for a user with the email user@thoughtriver.com
  • The user’s universally unique identifier (UUID) which is generated automatically when a new user is created
  • The business role/s assigned to a user
  • The sub-account the user accesses
  • Each ‘event’/feature that a user interacts with within the applications including length of time interacting and frequency of the interaction. ThoughtRiver may track interaction with all features including, for example, uploads, resolution of issues, creation of issues, use of Advice Notes, use of Clause Suggestions.
  • The amount of time a user spends with any of the ThoughtRiver platform’s interfaces on a contract and how much time is spent remediating each version of a contract and how a user is interacting with the available content and application features in relation to a contract.

The analytics provider logs additional information automatically. This includes geographic location, first-party cookies, data related to the device/browser, IP address, etc.

Data Segregation and Destruction

  • All customer data is held on a dedicated database separate from the web application.
  • On completion of a trial or paid subscription, this data, including backup copies, will be fully deleted, unless it is requested to be maintained within the ThoughtRiver ecosystem.


ThoughtRiver employs a fully managed security operations centre, intrusion detection / prevention and escalation / remediation plans. This is managed on our behalf by CloudDirect Ltd, a Microsoft Gold Partner.

Penetration testing and secure code reviews are performed periodically by independent qualified experts and ethical hackers.

ThoughtRiver is also security-tested against industry standards at the application level.

All relevant employees are screened against criminal record checks.

Changes to this policy

This privacy and security policy was published in September 2021 and last updated in September 2021. ThoughtRiver may change this policy from time to time and when we do we will inform you via the Platform.

Acceptable Use Policy

The terms used in this policy shall have the same meaning as defined in the ThoughtRiver Terms unless defined otherwise.

  • Acceptable use of the Platform by an Authorised User shall mean use which is not in excess of what would be reasonably expected by that Authorised User given the nature and responsibilities of their job and level of experience. 
  • The Customer shall ensure each Authorised User maintains a secure password for use of the Platform.
  • The Customer shall not access, store, distribute or transmit any Virus or any material during the course of its use of the Platform that is unlawful, inappropriate or illegal. ThoughtRiver reserves the right, without liability or prejudice to its other rights, to disable the Account in relation to any breach or suspected breach of this Policy. Virus means any thing or device (including any software, code, file or programme) which may prevent, impair or otherwise adversely affect the operation, accessibility, performance or availability of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device.
  • The Customer shall not, except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted by ThoughtRiver:
    • attempt to copy, modify, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Platform (as applicable) in any form or media or by any means; or
    • attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Platform; or
    • access all or any part of the Platform in order to build a product or service which is similar to the Platform; or
    • use the Platform to provide services to third parties; or
    • license, sell, rent, lease, distribute, or otherwise commercially exploit the Platform; or
    • copy or clone any of the Premium Risk Policies.

The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Platform and, in the event of any such actual or suspected unauthorised access or use, shall promptly notify ThoughtRiver.

Backup Policy

  1. All customer data is backed up and encrypted on a daily basis:
    1. Daily incremental backup
    2. Weekly full backup
  2. Data retention period is 2 weeks
  3. Backup facility is located in the same region as main data centre (UK, US or India for Singapore) at a second site.
  4. Backups are segregated. Each client’s virtual server (thus data) is on a separate backup*

Data Processing Addendum


"Controller", "Data Subject", "Personal Data", "Personal Data Breach" and "Processing" shall have the same meaning as in the Data Protection Law, and their cognate terms shall be construed accordingly.

Data Protection Law means the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as applicable) and any other relevant local laws relating to the protection of Personal Data, the privacy of individuals and the privacy of electronic communications.

EU Standard Contractual Clauses means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

UK International Data Transfer Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.


1.1 If ThoughtRiver processes any Personal Data on the Customer's behalf when performing its obligations under the Terms, the parties record their intention that the Customer shall be the Data Controller and ThoughtRiver shall be a Data Processor and in any such case:

1.1.1 the Customer agrees that the Personal Data may be transferred or stored outside the European Economic Area (EEA) or the country or countries where the Customer and the Authorised Users are located so long as there is an adequate safeguard in accordance with the Data Protection Law;


1.1.2 the Customer shall ensure that the Customer is entitled to transfer the relevant Personal Data to ThoughtRiver so that ThoughtRiver may lawfully use, Process and transfer the Personal Data in accordance with the Terms (including the specification at the Annex);


1.1.3 ThoughtRiver shall ensure any persons authorised by ThoughtRiver to Process the Personal Data have committed themselves to confidentiality;


1.1.4 ThoughtRiver shall Process the Personal Data only in accordance with the Terms, the Data Protection Law and any lawful instructions reasonably given by the Customer from time to time (including as set out in the Annex). In the event that ThoughtRiver believes such instructions to be contrary to Data Protection Law then it will immediately notify the Customer;


1.1.5 in the event Union or Member State law requires ThoughtRiver to Process Personal Data otherwise in accordance with the Customer’s instructions, ThoughtRiver shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest; and


1.1.6 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each party shall take appropriate technical and organisational measures against unauthorised or unlawful Processing of the Personal Data or its accidental loss, destruction or damage (including, as appropriate, the measures referred to in Article 32(1) of the GDPR).


1.2 ThoughtRiver may use sub-processors in connection with the Processing anticipated in the Terms, provided that any sub-processor shall be required to adhere to equivalent obligations as set out in this addendum; in particular, the sub-processor shall be required to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this addendum. ThoughtRiver shall be liable in accordance with these Terms for the acts and omissions of any such sub-processors.

1.3 ThoughtRiver shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors and shall give the Controller the opportunity to object to such changes. A list of our sub-processors as amended from time to time can be found here.


1.4 Where ThoughtRiver uses sub-processors based outside of the UK or EU, the transfer of Personal Data to such sub-processors will at all times be governed by an appropriate safeguard.


1.5 EU Standard Contractual Clauses. The EU Standard Contractual Clauses will apply to Personal Data that is transferred from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is not recognized as providing an adequate level of protection for Personal Data.


1.6 UK Data Transfer Addendum. The UK International Data Transfer Addendum will apply to Personal Data that is transferred from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized as providing an adequate level of protection for Personal Data.

1.7 ThoughtRiver shall notify the Customer without undue delay upon ThoughtRiver or any sub-processor becoming aware of a Personal Data Breach affecting the Customer’s Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Law.

1.8 ThoughtRiver shall co-operate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach. The Customer shall pay ThoughtRiver’s reasonable costs.

1.9 ThoughtRiver shall provide all reasonable information necessary to demonstrate compliance with its obligations set out in this Addendum. In addition and at the expense of the Customer, ThoughtRiver shall allow for and contribute to reasonable audits, including inspections, conducted by the Customer or another auditor mandated by the Customer upon the Customer first providing reasonable notice.

1.10 At the cost of the Customer, ThoughtRiver shall provide reasonable assistance to the Customer in responding to requests from Data Subjects exercising their rights under Data Protection Law in relation to the Terms.

1.11 On termination of the Terms, ThoughtRiver shall, at the choice of the Customer, delete or return to the Customer all Personal Data provided to it by the Customer under the Terms and shall delete existing copies unless (i) it has been archived on back-up systems which ThoughtRiver will securely isolate and protect from further Processing; or (ii) ThoughtRiver is required to keep it under Union or Member State law.




  1. The Customer’s personal data may include any personal data that is included within any document that is uploaded by the Customer to the Platform. Depending on the document type, this may include individual names (e.g. contract signatories), customer lists (of the Customer or its clients/suppliers) including name, address, date of birth and customer attributes. The Customer does not intend to supply sensitive personal data within the documents it uploads to the Platform.


  1. The processing of personal data by ThoughtRiver (and any sub-processor) is in conjunction with the Customer’s use of the Platform including for the purpose of providing contract risk reviews, extraction of data points, training of properties created within the Platform and user functionality, product feature enhancement and customer success support. Further details on the way in which ThoughtRiver may use such data is set out in the Privacy and Security Policy.


  1. Either party may make reasonable amendments to paragraphs 2 and 3 of this Annex by written notice to the other party from time to time to meet its requirements under the applicable Data Protection Law (including the GDPR).



Summary of sub-processors who may process Personal Data for the purposes of the Agreement. 

Terms used in this list shall have the same meaning as those given in the Terms and/or Data Processing Addendum unless defined otherwise.

| Name | Location | Data Subjects | Framework | Categories of Personal Data | Processing Operations |
| --- | --- | --- | --- | --- | --- |
| Microsoft Azure | | Authorised Users | | Name, IP address, email address and any other personal data included in a contract uploaded to the Platform | The provision of data centre infrastructure (incl. buildings, physical security, HVAC, servers, storage, networks) and associated maintenance. |
| On Direct Business Services Limited UK (“Cloud Direct”) | | Authorised Users | | Name, IP address, email address and any other personal data included in a contract uploaded to the Platform | 1. The provision of technical operations for the Platform (incl. server builds, network configuration, availability and performance monitoring and remediation); and 2. The provision of a security operations centre for the Platform (incl. IDS setup and monitoring, escalation process and vulnerability scanning). |
| Twilio Inc. | | Authorised Users | EU SCCs and UK Addendum | Email address | Occasionally transferring personal data in the provision of the SendGrid product (limited to the activation of the Customer’s account and password reset services for the Platform). |
| | | Authorised Users | | Email address; IP address | Authentication gateway. This service validates the user is permitted to access the system using username (email) and password with optional MFA. |


The new EU Standard Contractual Clauses and UK Addendum at ThoughtRiver

Personal Data Transfers

ThoughtRiver may transfer personal data outside of the EU and UK where this is necessary in order to provide the services to you (details of which can be found in our DPA).

ThoughtRiver currently instructs only one sub-processor outside of the UK and EU: Twilio Inc.

Twilio provide the SendGrid service which acts as the password reset function for users on the ThoughtRiver platform. When a user requests a password reset, the user’s name and email address will be sent to Twilio for the purposes of resetting the user’s password.

Adequate Safeguards

While transfers from customers to ThoughtRiver are covered by the adequacy rules (and are therefore not restricted transfers), we recognise that onward transfers of personal data from ThoughtRiver to Twilio are restricted transfers.

In order to provide an adequate safeguard for such onward transfers, we have entered into a data protection addendum with Twilio which incorporates both the EU SCCs (for EU data) and the UK Addendum (for UK data). You can view these here.

We are therefore confident that the personal data of your users will be protected under our DPA with Twilio; however, please do not hesitate to contact us with any questions you may have.
