Thuja Data Processing Agreement

1. Introduction and Parties

This Data Processing Agreement ("Agreement") is entered into between Thuja LLC ("Processor," "we," "us," or "our"), a company providing insight automation services, and the entity or person ("Controller," "you," or "your") using Thuja's services. This Agreement outlines the terms and conditions under which we process personal data on your behalf and forms an integral part of our service agreement

2. Definitions

Throughout this Agreement, we use specific terms that carry particular meanings in the context of data protection and privacy laws. "Personal Data" refers to any information relating to an identified or identifiable natural person. "Processing" encompasses any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates

3. Scope and Purpose of Processing

Thuja processes Personal Data solely for the purpose of providing our insight automation services. The processing activities include collecting responses through interactive forms, analyzing data using our AI-powered systems, generating automated insights, and storing relevant information for platform functionality. We process Personal Data only on your documented instructions, including those provided through our platform's interface and settings. Any processing outside these parameters requires your explicit written authorization.

4. Duration of Processing

The duration of data processing under this Agreement corresponds to the period of our service provision to you. We will continue to process Personal Data as necessary to provide our services until either the termination of our service agreement or upon receiving your written instruction to cease processing. Following the end of the processing relationship, we will handle any remaining Personal Data according to your documented instructions and our data retention policies.

5. Nature and Purpose of Processing Activities

The processing activities we undertake are strictly limited to those necessary for providing our insight automation platform services. These activities include collecting form responses, analyzing user input through our AI systems, generating insights based on collected data, and maintaining necessary platform functionality. We process data to help you make informed business decisions through automated insight generation while maintaining the highest standards of data protection and privacy.

6. Categories of Personal Data

7. Categories of Data Subjects

The Data Subjects whose Personal Data we process typically include your employees, customers, form respondents, and other individuals who interact with your forms and feedback collection tools. We process data only for those Data Subjects whose information you choose to collect through our platform, and we rely on you to ensure appropriate legal bases exist for collecting and processing their Personal Data

8. Processor's Obligations

8.1 Security Measures

We implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Our security measures include encryption of data in transit and at rest, access controls, authentication systems, regular security assessments, and employee training programs. We regularly review and update these measures to ensure continued effectiveness.

8.2 Confidentiality

We ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is strictly limited to those who need it to perform their duties in providing our services

8.3 Sub-processors

We may engage sub-processors only with your prior written authorization. When we engage sub-processors, we ensure they provide sufficient guarantees to implement appropriate technical and organizational measures that meet the requirements of this Agreement and applicable data protection laws. We remain fully responsible for our sub-processors' compliance with this Agreement.

8.4 Data Subject Rights

We will assist you in fulfilling your obligation to respond to Data Subjects' requests to exercise their rights under applicable data protection laws. This includes rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing. We provide tools and support to help you respond to such requests promptly and effectively

8.5 Data Protection Impact Assessments

We will provide reasonable assistance with any data protection impact assessments and prior consultations with supervisory authorities that you are required to carry out under applicable data protection laws, taking into account the nature of processing and the information available to us.

9. Audit Rights

You have the right to audit our compliance with this Agreement. We will contribute to such audits by providing you with the information and evidence necessary to demonstrate our compliance with our obligations. We will immediately inform you if, in our opinion, an instruction infringes applicable data protection laws

10. Data Transfers

We will not transfer Personal Data to countries outside the European Economic Area (EEA) or other protected jurisdictions without ensuring appropriate safeguards are in place. Any such transfers will comply with applicable data protection laws and will be documented in writing.

11. Return or Deletion of Data

Upon the termination of services or upon your written request, we will either return all Personal Data to you or delete it, including existing copies, unless applicable law requires storage of the Personal Data. We will certify to you that we have fully complied with this obligation.

12. Liability and Indemnification

We will be liable for damages caused by our processing only where we have not complied with obligations specifically directed to processors under applicable data protection laws or where we have acted outside or contrary to your lawful instructions.

13. Governing Law and Jurisdiction

This Agreement shall be governed by and construed in accordance with the laws of [Jurisdiction], without regard to its conflicts of law principles. Any disputes arising from or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of [Jurisdiction].

14. Amendments

Any amendments to this Agreement must be in writing and signed by authorized representatives of both parties. This requirement for written form can only be waived in writing.

16. Contact Information

For any questions regarding this Agreement or our data processing activities, please contact us at:

Thuja LLC Email:

hello@jointhuja.com