Data Processing Agreement
Last updated: May 3, 2026
This Data Processing Agreement ("DPA") supplements the Thorgate Terms of Service (the "Agreement") between Holiander, Inc., a California S corporation, doing business as Thorgate ("Holiander," "we," "us"), and the customer identified in the Agreement ("Customer," "you"). This DPA applies to our processing of personal data on your behalf in connection with the Service.
This DPA is automatically incorporated into your Agreement when you subscribe. If your organization requires a counter-signed copy on letterhead, email support@thorgate.com and we will provide one.
1. Definitions
Capitalized terms not defined here have the meaning given in the Agreement. The terms "controller," "processor," "data subject," "personal data," "processing," "supervisory authority," and "personal data breach" have the meanings set out in the EU General Data Protection Regulation ("GDPR"). "Subprocessor" means any third party engaged by Holiander to process personal data on Customer's behalf. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Roles and scope
Customer is the controller of personal data. Holiander is the processor. Each party will comply with the laws applicable to it in its respective role.
This DPA applies to the extent Holiander processes personal data on Customer's behalf as part of providing the Service. Personal data Holiander processes for its own purposes (e.g., billing contact information, account administration) is governed by the Thorgate Privacy Policy and not this DPA.
3. Subject matter and duration of processing
Subject matter. The processing necessary to provide vendor privacy document monitoring, change detection, severity classification, AI summarization, and audit-evidence exports as described in the Agreement.
Duration. For the term of the Agreement plus any post-termination retention period (60-day grace period unless Customer requests immediate deletion; see Section 12 below).
4. Nature, purpose, and categories
Nature and purpose. Hosting, monitoring, change detection, classification, indexing, and reporting on vendor documents on Customer's behalf, plus communication with Customer's authorized users.
Categories of personal data. The categories of personal data Customer submits to the Service, which are limited to:
- Identification data of Customer's users (name, email address, password hash, role)
- Billing contact information (name, email address, billing address, last 4 digits of card; full payment method data is held by our payment processor)
- Free-text content Customer chooses to enter (vendor notes, internal annotations, review comments)
- Authentication and session metadata (timestamps, IP addresses, user agents)
The Service is not intended to receive special-category personal data (Article 9 GDPR), criminal-conviction data (Article 10 GDPR), or data of children under 16. Customer agrees not to submit such data.
Categories of data subjects. Customer's authorized users (employees, contractors, or agents of Customer who have been granted access to the Service).
5. Customer's instructions
Holiander will process personal data only on documented instructions from Customer, including the instructions set out in the Agreement and this DPA, and will not process personal data for any other purpose, except as required by applicable law (in which case Holiander will notify Customer before processing, unless that law prohibits notification).
Customer's use of the Service constitutes its instructions to process personal data. Additional instructions outside the scope of the Service may require an amendment and/or additional fees.
6. Confidentiality
Holiander will ensure that personnel authorized to process personal data are bound by confidentiality obligations and have received appropriate training on data protection.
7. Security measures
Holiander will implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
Current security measures are described at https://www.thorgate.com/security, including: encryption in transit (TLS 1.2+) and at rest, access controls and least-privilege principles, password hashing (bcrypt), session security, audit logging of administrative actions, and incident response procedures. We may update these measures from time to time provided that the level of protection is not materially reduced.
8. Subprocessors
Customer authorizes Holiander to engage subprocessors for the processing of personal data, subject to the terms of this Section.
Holiander's current subprocessors are listed at https://www.thorgate.com/security and include the cloud hosting provider, transactional email provider, payment processor (Stripe), and AI inference provider (Anthropic) used to summarize public vendor documents.
Holiander will impose data protection obligations on each subprocessor that are at least equivalent to those in this DPA, in particular by way of a written contract.
Holiander will notify Customer of any intended addition or replacement of a subprocessor at least 30 days in advance, by email to the workspace owner(s) and by updating the public list at https://www.thorgate.com/security. Customer may object on reasonable data-protection grounds within 14 days of such notification. If the parties cannot agree on a resolution, Customer's sole remedy is to terminate the affected portion of the Service for cause and receive a prorated refund of any prepaid fees for the unused period.
Holiander remains responsible to Customer for the acts and omissions of its subprocessors as if they were its own.
9. Data subject rights
Holiander will provide reasonable assistance, taking into account the nature of the processing, to enable Customer to fulfill its obligations to respond to data subject requests under applicable law (including rights of access, rectification, erasure, restriction, portability, and objection).
If Holiander receives a data subject request directly, Holiander will, where the request relates to Customer's data, promptly forward it to Customer and not respond directly except to confirm receipt and direct the data subject to Customer (unless Customer instructs otherwise or applicable law requires otherwise).
10. Personal data breach
Holiander will notify Customer without undue delay, and where feasible within 72 hours, after becoming aware of a personal data breach affecting personal data processed under this DPA. The notification will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.
Holiander will provide Customer with reasonable cooperation and information necessary for Customer to meet its own breach-notification obligations to supervisory authorities and affected data subjects.
11. Data protection impact assessments
To the extent required by Article 35 GDPR and taking into account the nature of the processing and information available to Holiander, Holiander will provide Customer with reasonable assistance in conducting data protection impact assessments and prior consultations with supervisory authorities.
12. Return or deletion of data
Upon termination or expiration of the Agreement, Holiander will, at Customer's option, return or delete all personal data processed on Customer's behalf, except to the extent applicable law requires further retention.
By default, Customer data is retained for a 60-day grace period after termination during which Customer may reactivate the account. After 60 days, Customer data is deleted, except for: (a) records Holiander is legally required to retain (such as billing records for tax purposes), and (b) standard backups, which age out under our normal backup-retention schedule.
Customer may request earlier deletion at any time by emailing support@thorgate.com.
13. Audits
Holiander will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. This includes our Security page, subprocessor list, and (when available) third-party attestations such as SOC 2 reports.
Customer may, at its own expense and no more than once per twelve-month period, conduct an audit of Holiander's compliance with this DPA, subject to: (a) at least 30 days' prior written notice, (b) execution of a mutually acceptable confidentiality agreement, (c) the audit being conducted during normal business hours and in a manner that does not unreasonably interfere with Holiander's business, and (d) Customer reimbursing Holiander's reasonable costs of facilitating the audit. Audits required by law or following a personal data breach are not subject to the once-per-year limit.
For most customers, our published security documentation and any third-party attestations will be sufficient evidence of compliance and an on-site audit will not be necessary.
14. International transfers
Holiander processes personal data in the United States. Where Customer's transfer of personal data to Holiander, or Holiander's processing of personal data, involves a transfer of personal data of data subjects in the European Economic Area, the United Kingdom, or Switzerland to a country that is not subject to an adequacy decision, the Standard Contractual Clauses are incorporated into this DPA by reference and apply as follows:
- Module Two (controller to processor) applies where Customer is a controller and Holiander is a processor.
- Module Three (processor to processor) applies where Customer is itself a processor on behalf of its own controller and Holiander is a sub-processor.
- Clause 7 (docking clause) is included.
- Clause 9 option 2 (general written authorization for subprocessors) applies, with the 30-day notice period set out in Section 8 above.
- Clause 11(a) (independent dispute resolution) is not selected.
- Clauses 17 and 18: The governing law and forum for the SCCs is the law of the Republic of Ireland and the courts of Ireland, respectively, where required by applicable law; otherwise the governing law and forum specified in the Agreement.
- The Annexes to the SCCs are populated as set out in the Schedule to this DPA.
For transfers from the United Kingdom, the SCCs are deemed amended by the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office.
15. Liability
The liability provisions of the Agreement apply to this DPA. Nothing in this DPA limits or restricts the rights of any data subject or supervisory authority under applicable law.
16. Changes
We may update this DPA from time to time. Material changes will be communicated by email to workspace owners and noted at the top of this page with a revised "Last updated" date. Continued use of the Service after the effective date constitutes acceptance.
17. Conflict
In the event of any conflict between this DPA and the Agreement, this DPA controls with respect to the processing of personal data. The Standard Contractual Clauses, where they apply, prevail over this DPA.
Schedule — Annexes to the Standard Contractual Clauses
Annex I.A — List of parties
Data exporter (Customer): The Customer identified in the Agreement, acting as controller (Module 2) or processor (Module 3) as applicable.
Data importer (Holiander): Holiander, Inc. d/b/a Thorgate, a California S corporation, acting as processor (Module 2) or sub-processor (Module 3). Contact: support@thorgate.com.
Annex I.B — Description of transfer
Categories of data subjects: as described in Section 4 above.
Categories of personal data: as described in Section 4 above.
Sensitive data: not intended; Customer agrees not to submit special-category data.
Frequency of transfer: on a continuous basis for the duration of the Agreement.
Nature of processing: hosting, monitoring of public vendor documents on Customer's behalf, AI summarization of public vendor documents, change detection, classification, reporting, and communications with Customer's authorized users.
Purpose of processing: to provide the Service as described in the Agreement.
Duration / retention: for the term of the Agreement plus the post-termination retention described in Section 12.
Subject matter, nature, and duration of processing by sub-processors: as described in the subprocessor list at https://www.thorgate.com/security.
Annex I.C — Competent supervisory authority
The Irish Data Protection Commission, in respect of EEA transfers. The UK Information Commissioner's Office, in respect of UK transfers. The Swiss Federal Data Protection and Information Commissioner, in respect of transfers from Switzerland.
Annex II — Technical and organizational security measures
The technical and organizational measures Holiander has implemented to ensure an appropriate level of security are described at https://www.thorgate.com/security and include, at minimum:
- Encryption in transit: TLS 1.2+ for all data flowing to and from the Service.
- Encryption at rest: database storage encryption at the host level.
- Access control: role-based access; least-privilege principles for production systems; passwords hashed with bcrypt; session expiry.
- Logging: administrative actions are recorded in an audit log; uncaught application exceptions are captured.
- Backup and recovery: daily database backups with point-in-time restore capability.
- Incident response: documented breach-notification procedure with a 72-hour target window.
- Vendor due diligence: subprocessors are bound by data protection obligations equivalent to those in this DPA.
- Confidentiality: personnel with access to personal data are bound by confidentiality obligations.
Annex III — List of sub-processors
Maintained at https://www.thorgate.com/security. Notification of changes per Section 8 of this DPA.