Data Processing Addendum

Last updated: June 9, 2026

This Data Processing Addendum (“DPA”) forms part of the Agreement between This and That Technologies, Inc., a Delaware corporation (“this+that”, “Processor”) and the entity that has entered into the Agreement (“Customer”, “Controller”). It applies to the extent this+that processes Personal Data on Customer’s behalf in connection with the Service.

If you and this+that have signed a separate written agreement that references this DPA, that signed agreement controls in the event of conflict. Otherwise, this DPA is incorporated into the Terms of Service and takes effect on the date you accept the Terms of Service or sign an Order Form. A counter-signed PDF of this DPA is available on request from legal@thisandthat.chat.

1. Definitions

Capitalized terms used and not defined in this DPA have the meanings given in the Terms of Service. For clarity, the terms “Customer,” “Customer’s account,” and “Authorized Users” used throughout this DPA map to the in-product names “Team Owner,” “Team,” and “Members” respectively; the mapping is set out in Section 1.6 of the Terms of Service and does not change the substance of any provision in this DPA. The following additional definitions apply:

  • Applicable Data Protection Law means all data protection and privacy laws applicable to a party’s processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 (“EU GDPR”), the UK Data Protection Act 2018 and the UK GDPR (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and any equivalent law of any other jurisdiction.
  • Personal Data, Controller, Processor, Data Subject, Processing, Personal Data Breach, and Supervisory Authority have the meanings given in the EU GDPR (and the equivalent meanings under the UK GDPR and FADP).
  • Standard Contractual Clauses or SCCs means the Standard Contractual Clauses for the transfer of Personal Data to third countries approved by the European Commission in Decision 2021/914 of 4 June 2021, including the updates issued by the Commission, as may be amended from time to time.
  • UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018, as may be amended from time to time.
  • Sub-processor means any third party engaged by this+that to process Personal Data on Customer’s behalf in connection with the Service.

2. Roles and Scope

2.1 Roles

For Personal Data within Customer Data, Customer is the Controller and this+that is the Processor. Where Customer acts as a Processor for a third-party controller, this+that acts as a Sub-processor and the terms of this DPA flow down to that third-party controller as if it were the Customer.

2.2 Scope of Processing

The subject matter, duration, nature, and purpose of processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex I (Details of Processing) below. this+that will process Personal Data only for the purposes set out in the Agreement and Customer’s documented instructions, which include this DPA and the configuration choices Customer makes in the Service. this+that will inform Customer if, in this+that’s opinion, an instruction infringes Applicable Data Protection Law.

2.3 Customer Obligations

Customer represents and warrants that (a) it has a lawful basis under Applicable Data Protection Law for the processing of Personal Data that it instructs this+that to carry out; (b) it has provided all required notices and obtained all required consents from Data Subjects; and (c) its instructions to this+that comply with Applicable Data Protection Law.

3. No Training

this+that will not use Customer Data, including any Personal Data within it, to train, fine-tune, or otherwise improve any machine learning or generative AI model, whether our own or that of any third party. This restriction applies regardless of whether the data is in identifiable, pseudonymised, anonymised, or aggregated form. this+that contractually requires its Sub-processors that process Personal Data on its behalf, including AI model providers, to apply the same restriction. Aggregated operational telemetry that does not contain Personal Data (such as service uptime metrics and aggregate request volumes) is not Customer Data and is not subject to this restriction.

In-account personalization carve-out. Nothing in this Section 3 prevents this+that from using Customer’s own data and feedback (for example, signals from any Authorized User about whether an extracted task was correct) to personalize results within Customer’s account, including for Customer’s other Authorized Users on the same account. Personalization data is processed only on Customer’s behalf, is not made available to any other Customer, and is not used to train, fine-tune, or improve any shared or global model that serves other customers. Personalization data is deleted in accordance with Section 12 (Return and Deletion) on termination of the relevant Authorized User’s access or the Agreement, whichever applies.

4. Confidentiality

this+that ensures that personnel authorized to process Personal Data are subject to written confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who need access to provide the Service.

5. Security

5.1 Technical and Organizational Measures

this+that implements and maintains the technical and organizational measures set out in Annex II (Security Measures) to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. We may update these measures from time to time provided that updates do not materially reduce the level of protection.

5.2 Encryption

Customer Data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 keys managed in AWS Key Management Service (KMS). Credentials for third-party services (including MCP servers and Microsoft authentication tokens) are encrypted at rest with KMS.

5.3 Authentication

this+that supports multi-factor authentication, including time-based one-time password (TOTP) and inheritance of MFA from Customer’s Google or Microsoft identity provider.

6. Sub-processors

6.1 General Authorization

Customer provides general authorization for this+that to engage Sub-processors to assist in providing the Service, subject to the terms of this Section 6.

6.2 List

The current list of Sub-processors is published at thisandthat.chat/subprocessors. Customer may subscribe to email notifications of changes from that page.

6.3 Notice and Objection

At least thirty (30) days before authorizing a new Sub-processor that processes Personal Data, this+that will provide notice through the Sub-processor List or by email to Customer’s notification address. If Customer has reasonable, good-faith concerns about the new Sub-processor (for example, the Sub-processor cannot provide a comparable level of data protection), Customer may object by giving written notice within thirty (30) days. The parties will work together in good faith to address the objection. If the parties cannot reach a resolution within thirty (30) days of the objection, Customer may terminate the affected portion of the Service for material breach without penalty and receive a refund of pre-paid Fees for the unused portion of the term.

6.4 Flow-down and Liability

this+that imposes data protection obligations on each Sub-processor that are at least as protective as those in this DPA. this+that remains liable to Customer for any breach of this DPA caused by its Sub-processors.

7. International Data Transfers

7.1 Transfer Mechanism for the EEA

To the extent this+that processes Personal Data subject to the EU GDPR outside the European Economic Area in a country that has not been the subject of an adequacy decision, the Standard Contractual Clauses are incorporated into this DPA by reference and apply as follows:

  • Module Two (Controller to Processor) applies where Customer is a Controller and this+that is a Processor.
  • Module Three (Processor to Sub-processor) applies where Customer is a Processor and this+that is a Sub-processor.
  • Docking Clause (Clause 7) applies.
  • Option 2 of Clause 9(a) applies; the time period is thirty (30) days.
  • Clause 11(a) independent dispute resolution option does not apply.
  • Clauses 17 and 18: the governing law is the law of Ireland and the courts of Ireland have jurisdiction.
  • Annex I.A is populated by the parties’ details in the Agreement.
  • Annex I.B is set out in Annex I of this DPA.
  • Annex I.C: the competent supervisory authority is the Data Protection Commission of Ireland.
  • Annex II is set out in Annex II of this DPA.

7.2 Transfer Mechanism for the UK

To the extent this+that processes Personal Data subject to the UK GDPR outside the United Kingdom in a country that has not been the subject of a UK adequacy decision, the UK Addendum is incorporated into this DPA by reference. In Table 1, the parties’ details are as set out in the Agreement. In Table 2, the version of the Approved EU SCCs that the Addendum is appended to is the version referenced in Section 7.1 above. In Table 3, the Appendix Information is set out in Annexes I and II. In Table 4, neither party may end the Addendum on change of the Approved Addendum.

7.3 Transfer Mechanism for Switzerland

To the extent this+that processes Personal Data subject to the FADP outside Switzerland, the SCCs apply with the following modifications: references to GDPR are deemed to include FADP; the Federal Data Protection and Information Commissioner is the supervisory authority; the governing law of the SCCs is Swiss law; and references to EU member states do not preclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence.

7.4 Order of Precedence

In the event of conflict between this DPA and the SCCs or UK Addendum on a topic the SCCs or UK Addendum address, the SCCs or UK Addendum control.

8. Data Subject Rights

Taking into account the nature of the processing, this+that will assist Customer through appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection). If this+that receives a request from a Data Subject directly that relates to Customer Data, this+that will, where legally permitted, direct the Data Subject to Customer and notify Customer of the request without undue delay.

9. Personal Data Breach

9.1 Notification

this+that will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed Personal Data Breach affecting Customer’s Personal Data. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.

9.2 Assistance

this+that will reasonably assist Customer in fulfilling Customer’s obligations to notify Supervisory Authorities and Data Subjects of a Personal Data Breach where required by Applicable Data Protection Law.

9.3 No Admission

this+that’s notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability.

10. Data Protection Impact Assessments

On Customer’s reasonable request, this+that will provide information reasonably necessary to assist Customer in carrying out a data protection impact assessment or in consulting with Supervisory Authorities, in each case in relation to the processing of Personal Data by this+that under the Agreement.

11. Audits

11.1 Audit Reports

this+that will, on Customer’s written request and no more than once per calendar year (except where required by a Supervisory Authority or following a confirmed Personal Data Breach), make available a copy of its then-current third-party audit reports (such as SOC 2) and the security measures documentation referenced in Annex II, subject to Customer’s confidentiality obligations.

11.2 Additional Audits

Where the documentation in Section 11.1 is not sufficient to demonstrate compliance, Customer (or an independent auditor mandated by Customer that is not a competitor of this+that and that is subject to confidentiality obligations) may carry out an audit of this+that’s processing on at least sixty (60) days’ written notice, during normal business hours, in a manner that does not unreasonably disrupt this+that’s operations, and at Customer’s expense. The parties will agree on the scope and timing of the audit in advance.

12. Return and Deletion

On termination or expiration of the Agreement, this+that will, at Customer’s choice, return Customer Data to Customer or delete Customer Data from its production systems within thirty (30) days, except to the extent retention is required by Applicable Data Protection Law. Backup copies are deleted in the ordinary course within ninety (90) days. this+that will, on Customer’s request, certify the deletion in writing.

13. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions in the Agreement, including the Limitation of Liability section. Where Applicable Data Protection Law requires a different allocation of liability (for example, the joint liability provisions of Article 82(4) of the EU GDPR), nothing in this DPA limits a Data Subject’s rights under that law.

14. CCPA-Specific Terms

To the extent this+that processes Personal Data subject to the CCPA, this+that is a “service provider” as defined in the CCPA. this+that will not (a) sell or share Personal Data as those terms are defined in the CCPA; (b) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Service or as otherwise permitted by the CCPA; or (c) combine Personal Data with personal information received from other sources except as permitted by the CCPA.

15. Order of Precedence

In the event of conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Personal Data. In the event of conflict between this DPA and the SCCs or UK Addendum, the SCCs or UK Addendum control.

16. Changes

We may update this DPA from time to time. For changes that materially reduce Customer’s rights under this DPA, we will provide at least thirty (30) days’ advance notice as described in the Terms of Service. The version in effect on the date a dispute arises governs that dispute.


Annex I — Details of Processing

A. List of Parties

Data Exporter (Controller): Customer, as identified in the Agreement. Contact: as set out in the Customer’s account.

Data Importer (Processor): This and That Technologies, Inc., a Delaware corporation. Contact: legal@thisandthat.chat. Activities relevant to the data transferred: providing the Service described in the Terms of Service.

B. Description of Transfer

  • Categories of Data Subjects: Customer’s employees, contractors, agents, customers, suppliers, prospects, and other individuals whose Personal Data appears in mailboxes, messaging accounts, calendars, files, or other systems Customer connects to the Service.
  • Categories of Personal Data: Identifiers (name, email address, phone number); business contact information; professional and employment information; the contents of communications and any attachments; calendar events and attendees; task, workflow, and brain content created or referenced by users; configuration data and account metadata. Customer determines whether to include special categories of Personal Data and is responsible for any consents required.
  • Special Categories of Personal Data: None expected, but may be present incidentally where Customer or its users include such data in connected systems. The Service does not specifically target special categories of Personal Data.
  • Frequency of Transfer: Continuous, for the duration of the Agreement.
  • Nature and Purpose of Processing: Hosting, storing, transmitting, analyzing, and acting on Customer Data to provide the Service, including task extraction, search, AI-assisted drafting, workflow execution, and the brain knowledge layer.
  • Duration of Processing: For the term of the Agreement, plus the retention and deletion period in Section 12.
  • For Sub-processors: The subject matter, nature, and duration of processing performed by each Sub-processor are as set out in the Sub-processor List.

C. Competent Supervisory Authority

The Data Protection Commission of Ireland for EU Personal Data; the UK Information Commissioner’s Office for UK Personal Data; the Federal Data Protection and Information Commissioner for Swiss Personal Data.


Annex II — Security Measures

this+that implements and maintains the following technical and organizational measures:

Access control

  • Role-based access control with least-privilege defaults.
  • Mandatory multi-factor authentication for all this+that personnel with access to production systems.
  • Authentication for the Service supports MFA via TOTP and backup codes, and inherits MFA from Customer’s Google or Microsoft identity provider.
  • Periodic review of personnel access.

Encryption

  • TLS 1.2 or higher for all data in transit.
  • AES-256 encryption at rest using AWS KMS (AWS-owned keys), including for Customer Data, MCP server credentials, and Microsoft authentication tokens.
  • Encryption key access logged and audited.

Network and infrastructure security

  • Production workloads hosted in AWS, primarily in the United States.
  • Network segmentation between production and non-production environments.
  • AWS security services for logging, monitoring, and threat detection.
  • Vulnerability scanning of dependencies and container images.

Application security

  • Code review and automated security testing in the development pipeline.
  • Secrets management through AWS Secrets Manager and AWS KMS.
  • Bug-fix and patching processes for security advisories.

Personnel

  • Background checks for personnel with access to production systems, where permitted by local law.
  • Confidentiality agreements for all personnel and contractors.
  • Security and privacy training on hire and annually.

Operations and incident response

  • Logging and monitoring of production systems.
  • Documented incident response procedures, including escalation, notification, and post-incident review.
  • Business continuity and backup procedures.

Sub-processor management

  • Written agreements with all Sub-processors that include data protection terms at least as protective as this DPA.
  • Sub-processor selection and review based on security and privacy criteria.
  • AI inference is performed through Amazon Bedrock; the provider terms applicable to Bedrock prohibit the use of customer inputs and outputs to train foundation models.

Certifications

  • SOC 2 Type I report submitted for examination in 2026. SOC 2 Type II observation period to follow.

Contact

For DPA-related questions or to request a counter-signed copy, email legal@thisandthat.chat.

Changelog

  • June 9, 2026. Initial publication of the DPA, incorporating GDPR Article 28 terms, the SCCs (Modules Two and Three), the UK Addendum, FADP-equivalent terms, CCPA service-provider terms, a contractual no-training clause, and a security measures annex reflecting the AWS KMS and MFA work completed in 2026. The no-training clause includes an in-account personalization carve-out, permitting use of Customer’s own data and feedback (including signals from any Authorized User) to personalize results within Customer’s account, including across Customer’s Authorized Users on the same account; cross-customer personalization and shared-model training remain prohibited. The Definitions section now points to the in-product vocabulary mapping in Section 1.6 of the Terms of Service (Customer = Team Owner, Customer’s account = Team, Authorized Users = Members).