Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Master Service Agreement or Terms of Service between Thabit, Inc. (“Thabit”, “Processor”) and the customer (“Customer”, “Controller”) and applies to Thabit’s processing of Personal Data on behalf of the Customer.
Draft notice. An executed DPA is available on request to enterprise customers and any customer subject to GDPR, UK GDPR, Swiss FADP, or CCPA/CPRA. Email privacy@thabit.ai.
1. Definitions
Capitalized terms have the meanings set forth in Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), as applicable. For the avoidance of doubt: Thabit is the “Processor” (GDPR) and “Service Provider” (CCPA/CPRA); Customer is the “Controller” (GDPR) and “Business” (CCPA/CPRA).
2. Scope and Roles
This DPA applies to Personal Data processed by Thabit on behalf of Customer in connection with the provision of the Services. Thabit processes such Personal Data solely for the purposes of providing the Services, in accordance with Customer’s documented instructions (including via configuration of the Services), and as required by applicable law.
3. Categories of Data Subjects and Personal Data
Personal Data processed under this DPA may include:
- Categories of data subjects: Customer’s authorized end users (employees and contractors), individuals named in Customer Data (e.g., signatories on proposals, authors on engineering documents).
- Categories of Personal Data: Names, work email addresses, job titles, organizational affiliation, IP addresses, and any Personal Data included in Customer Data uploaded to the Services.
- Special categories: Thabit does not intend to process special categories of Personal Data (Article 9 GDPR). Customer agrees not to upload such data unless expressly agreed in writing.
4. Duration and Purpose
The duration of processing is the term of the Services plus the retention periods set forth in the Privacy Policy. The nature and purpose of processing is to provide the Services, including hosting, user authentication, generating and storing documents, providing support, and producing billing records.
5. Subprocessors
Customer authorizes Thabit to engage Subprocessors to process Personal Data on its behalf. A current list of Subprocessors is published at /legal/subprocessors. Thabit imposes contractual obligations on each Subprocessor that are at least as protective as those in this DPA.
Thabit will provide at least thirty (30) days’ notice of any intended addition or replacement of a Subprocessor (via update to the Subprocessors page and notification at the email address on file). If Customer has a reasonable objection, Customer may terminate the Services for the affected functionality and receive a pro-rated refund of prepaid fees.
6. Security
Thabit implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, without limitation:
- Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256);
- Role-based access controls with multi-factor authentication required for all administrative access;
- Regular security monitoring, vulnerability scanning, and penetration testing;
- Backup and disaster recovery procedures with documented RTO/RPO targets;
- Employee background checks and security awareness training;
- A documented Incident Response Plan with defined notification procedures;
- Subprocessor management including security review and contractual obligations;
- Additional measures as set forth in our Security Overview.
7. Data Subject Rights
Thabit will, taking into account the nature of processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer’s obligations to respond to data subject requests to exercise rights under GDPR/CCPA. If Thabit receives a data subject request directly, Thabit will instruct the data subject to contact Customer unless the request relates to Personal Data that Thabit processes in its own capacity.
8. Breach Notification
Thabit will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. The notification will include, to the extent known: (a) the nature of the breach; (b) categories and approximate number of data subjects and records affected; (c) likely consequences; and (d) measures taken or proposed to address the breach.
9. International Transfers
For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, the parties rely on the European Commission’s Standard Contractual Clauses (Module Two, Controller-to-Processor) as incorporated by reference into this DPA, plus the UK International Data Transfer Addendum where applicable. Additional technical and organizational supplementary measures are in place as described in our Security Overview.
10. Audit
Thabit will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including by providing:
- Current third-party audit reports (e.g., SOC 2 Type II when available);
- Responses to reasonable security questionnaires;
- Penetration test summaries under NDA.
Enterprise-tier Customers may conduct a physical or logical audit no more than once every twelve (12) months, at their expense, subject to reasonable scope, thirty (30) days’ advance notice, and confidentiality obligations.
11. Deletion or Return
Upon termination of the Services, at Customer’s choice, Thabit will delete or return all Personal Data to Customer, and delete existing copies unless retention is required by applicable law. Deletion from production systems is completed within thirty (30) days; deletion from backups is completed within ninety (90) days, during which time data remains subject to the protections of this DPA.
12. Order of Precedence
In the event of conflict between this DPA and the MSA or Terms, this DPA governs regarding the processing of Personal Data. In the event of conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses govern.
To execute this DPA as a binding agreement, email privacy@thabit.ai with your organization details.