Data Processing Addendum (DPA)

Last Updated: February 6, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Threadline CX LLC ("Processor") and the customer entity ("Customer" or "Controller").

This DPA applies where Threadline processes Personal Data on behalf of the Customer in the course of providing the Services.

1. Roles of the Parties

  • Customer is the Data Controller
  • Threadline CX LLC is the Data Processor

Threadline processes Personal Data only on documented instructions from the Customer, including as described in the Terms, Privacy Policy, and this DPA.

2. Scope of Processing

Categories of Data Subjects

  • Customer employees and authorized users
  • End customers whose feedback or survey responses are submitted by the Customer

Categories of Personal Data

  • Account identifiers (name, email)
  • Organization and role metadata
  • Customer survey responses and free-text survey feedback uploaded by the Customer
  • Customer feedback text from other sources
  • Technical and session metadata

Purpose of Processing

  • Providing customer experience analysis and reporting
  • Analyzing uploaded surveys and feedback to generate insights
  • Generating anonymized, aggregated benchmarks
  • Operating, securing, and improving the platform

3. Duration of Processing

Personal Data is processed:

  • For the duration of the Customer's account
  • Until deletion or anonymization upon termination
  • In accordance with documented retention practices

4. Processor Obligations

Threadline shall:

  • Process Personal Data only on documented instructions
  • Ensure personnel are bound by confidentiality
  • Implement appropriate technical and organizational safeguards
  • Assist with data subject rights requests where applicable
  • Notify the Customer of a Personal Data breach without undue delay

5. Sub-Processors

Customer authorizes Threadline to engage sub-processors necessary to provide the Services, including:

  • OpenAI
  • Google (Gemini, Vertex AI)
  • Anthropic
  • Stripe
  • Neon (PostgreSQL)
  • Replit
  • RunPod

Threadline remains responsible for sub-processor compliance.

6. International Data Transfers

Where Personal Data is transferred outside the EEA or UK, Threadline relies on appropriate safeguards, including contractual protections and standard data protection clauses where applicable.

7. Security Measures

Threadline implements safeguards including:

  • Encryption in transit
  • Role-based access controls
  • Tenant-level data isolation
  • Password hashing
  • Audit logging for sensitive operations

8. Data Subject Rights Assistance

Threadline will reasonably assist the Customer in fulfilling requests related to access, correction, deletion, portability, restriction, or objection, as required by law.

9. Data Deletion & Return

Upon termination:

  • Account data is deleted
  • Analyses and outputs are anonymized
  • Aggregated benchmark data remains non-identifiable
  • Feedback Vault entries remain organization-scoped unless deleted per policy

10. Audits

Threadline will provide reasonable information necessary to demonstrate compliance with this DPA, subject to confidentiality and security constraints.

11. Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Service.

12. Governing Law

This DPA is governed by the same law specified in the Terms of Service.

Back to Home