Data Processing Agreement

Threada's standard Data Processing Agreement covering GDPR, CCPA, and other applicable data protection obligations.

Scope and applicability

This DPA applies to all processing of personal data performed by Threada on behalf of the customer in connection with the Threada platform. It supplements the Terms of Service and governs data handling, security measures, and breach notification procedures.

Roles and responsibilities

The customer acts as the data controller. Threada acts as a data processor, processing personal data only as instructed by the customer and as necessary to deliver the service.

Technical and organizational measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Tenant-scoped data isolation with no cross-tenant access
  • Role-based access controls with audit logging
  • Regular vulnerability assessments and penetration testing
  • Incident response procedures with defined notification timelines

Subprocessors

Threada maintains a current list of subprocessors. Customers are notified of material changes. See the subprocessors page for the full list.

Data subject rights

Threada supports customers in responding to data subject access, rectification, deletion, and portability requests through platform tooling and operational processes.

Data retention and deletion

Data retention policies are configurable per workspace. Upon contract termination, customer data is deleted within 90 days unless a longer retention period is required by law.