Data Processing Addendum
This page is the procurement-facing summary of Thesmios Ltd's data processing terms. A signed customer agreement or order form controls if it conflicts with this page.
Role and scope
For B2B customer workspaces, the customer is usually the controller or business for personal data it instructs Thesmios to process. Thesmios is usually the processor or service provider for that workspace. Thesmios may act as controller for its own website, security, billing, communications, and corporate compliance records.
The DPA is designed for UK GDPR, EU GDPR, and aligned privacy regimes. Customer-specific terms, modules, territories, retention, and data-residency commitments should be captured in the order form.
Processing details
| Processing detail | Description |
|---|---|
| Subject matter | Reusable employee compliance passports, credential evidence, employer requests, verifier presentations, monitoring, and audit trails. |
| Duration | For the term of the customer agreement, plus any retention period required by the order form, law, audit obligations, or deletion workflow. |
| Data subjects | Employees, contractors, candidates, employer users, verifier users, customer administrators, and security or support contacts. |
| Data categories | Identity, employment, credential, evidence, contact, audit, account, billing status, device, security log, and support information. |
| Special category data | Only where the customer or data subject submits it for a lawful compliance purpose, such as right-to-work, occupational health, sanctions, DBS, regulated-role, or accessibility evidence. |
| Processing operations | Hosting, storing, validating, signing, sharing, monitoring, audit logging, support, security, backup, deletion, export, and processor management. |
Article 28 operating terms
Documented instructions
Thesmios processes customer personal data only on documented instructions in the agreement, order form, product configuration, support request, or legally required direction.
Confidentiality
Personnel and authorised contractors with access to customer personal data must be bound by confidentiality obligations and least-privilege access controls.
Security measures
Technical and organisational measures include encryption in transit and at rest, role-based access, audit logging, secret management, vulnerability handling, backup controls, and production access review.
Subprocessors
Thesmios maintains a public subprocessor register, reviews subprocessors before production processing, and will give notice of material subprocessor changes where required by the customer agreement.
International transfers
Transfers outside the UK or EEA use an adequacy decision, the UK International Data Transfer Agreement, the UK Addendum to EU standard contractual clauses, EU SCCs, or another lawful transfer mechanism.
Assistance
Thesmios will provide reasonable assistance for data subject requests, DPIAs, regulator enquiries, breach assessment, deletion, export, and audit evidence where the customer cannot self-serve through the product.
Deletion and return
At termination or expiry, Thesmios will delete or return customer personal data according to the order form, legal retention requirements, backup lifecycle, and any active audit hold.
Audit
Customers can review public trust materials, security pages, subprocessor disclosures, evidence APIs, and mutually agreed audit information subject to confidentiality and operational safety.
Technical and organisational measures
- TLS for data in transit and managed encryption at rest.
- Role-based access control with narrow admin roles.
- Credential, share, export, login, and admin events logged for audit review.
- Production secrets kept outside source code in managed secret stores.
- Public vulnerability disclosure and private bug-bounty scope.
- Data-residency and retention terms set in the enterprise order form.
- Service-role and operational endpoints protected by authentication or secrets.
- Rate limiting and body-size controls on public mutation endpoints.
Customer responsibilities
- Provide lawful instructions and a valid legal basis for employee compliance checks.
- Configure retention, residency, scopes, and access policies appropriate to the workforce.
- Avoid uploading evidence that is not needed for the selected compliance purpose.
- Notify Thesmios promptly of suspected account compromise or incorrect access grants.
- Handle local employment, immigration, screening, works council, and sector-specific notices.
Contact
Privacy and DPA questions can be sent to privacy@thesmios.com. Security questions can be sent to security@thesmios.com.