Data Processing Agreement
[DRAFT — not signable as-is; pending legal review.] A signable DPA is required before enterprise sales.
This DPA governs ThothOS’s processing of personal data on behalf of a client company (the controller) whose customers’ data ThothOS stores. Processor: [NEEDS MATTHEW: legal entity + address].
Roles
The client company is the data controller; ThothOS is the data processor.
Sub-processors
Current sub-processors are listed on our Sub-processor page. [NEEDS MATTHEW: change-notice period.]
AI & machine learning — your data does not train models
ThothOS does not use Customer Data (your or your customers’ personal data) to train, fine-tune, or otherwise improve any machine-learning or AI model. ThothOS’s AI features are powered by third-party model providers (e.g. Anthropic) acting as sub-processors under agreements that prohibit training on data submitted through their API; prompts and generated outputs are processed transiently to serve your request and are not retained for model training. [NEEDS MATTHEW + counsel: confirm the provider list + retention terms match the executed provider agreements before this clause is relied upon.]
Security & breach notification
Security measures are described on our Security page. [NEEDS MATTHEW + counsel: breach-notification timeline, data-residency, SCCs for international transfer, sub-processor liability, audit rights.]