ThinkTank Data Processing Agreement (DPA)

Version: 1.1 Effective date: 1 March 2026


1. General

1.1. This Data Processing Agreement ("DPA") forms an integral part of the agreement(s) between Think-Tank BV, with registered office at Mezenstraat 80, 3061 Leefdaal, Belgium, company number 1031.720.902 (RLE Leuven) ("ThinkTank" or "Processor"), and the customer identified in the subscription or applicable order form ("Customer" or "Controller") (the "Subscription" and, together with its general terms and conditions and this DPA, the "Agreement").

1.2. This DPA governs ThinkTank's Processing of Personal Data on behalf of Customer in the context of the provision of the Services under the Agreement.

1.3. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data. In the event of any conflict between this DPA (or the Agreement) and applicable Standard Contractual Clauses, the Standard Contractual Clauses prevail.

1.4. Capitalised terms used but not defined in this DPA shall have the meaning given in the Agreement or in the GDPR.


2. Definitions

2.1. For the purposes of this DPA:

  • "Data Protection Legislation" means all applicable laws and regulations relating to the processing of Personal Data and privacy, including the GDPR, national implementing and supplemental legislation (including Belgian data protection law), the EU Directive on privacy and electronic communications and any successor e-privacy regulation, and any binding guidance, decisions and codes of practice issued by competent Supervisory Authorities.

  • "Documented Instructions" include the Subscription, this DPA, Customer's configuration of the Services (including user roles, settings, selected features, tools, models, integrations), and all prompts, inputs, uploads, files, documents, datasets, messages, or API calls submitted by the Customer through the Services.

  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR, which is processed by ThinkTank on behalf of Customer under the Agreement.

  • "Processing", "Controller", "Processor", "Supervisory Authority", "Personal Data Breach" and other terms each have the meanings given in the GDPR.

  • "Standard Contractual Clauses" means:
    a) the standard contractual clauses for international transfers adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 (as amended or replaced); and/or
    b) the standard contractual clauses between controllers and processors adopted under Commission Implementing Decision (EU) 2021/915 (as amended or replaced), to the extent expressly incorporated by the Parties.

  • "Services" means the cloud-based AI platform and related software, APIs, tools, models, functionalities and features made available by ThinkTank under the Agreement, including hosting, storage, processing, analysis, generation of outputs, maintenance, support, updates, upgrades, security, monitoring and any related ancillary services expressly agreed.

  • "Subprocessor" means any processor engaged by ThinkTank to process Personal Data on behalf of Customer.

  • "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party.

2.2. The details of the Processing, in particular subject-matter, duration, nature and purpose of Processing, categories of Data Subjects and types of Personal Data, are set out in Annex 1.


3. Roles of the Parties

3.1. For the Processing of Personal Data under the Agreement, Customer acts as Controller and ThinkTank acts as Processor within the meaning of the GDPR.

3.2. Where Customer processes Personal Data as a processor for its own customers, ThinkTank acts as Customer's sub-processor, and Customer warrants that it is authorised by its own controller(s) to appoint ThinkTank and to provide relevant instructions.

3.3. Customer's Affiliates may accede to this DPA under the conditions set out in the Agreement. Upon accession, the relevant Affiliate shall be deemed a "Customer" for the purposes of this DPA in relation to the Services it uses.


4. Customer Responsibilities

4.1. Customer shall comply with all Data Protection Legislation, including by:

  • determining the purposes and means of the Processing;
  • ensuring that it has a valid legal basis for the Processing;
  • providing all required information and notices to Data Subjects;
  • ensuring that all prompts, inputs, uploads, API calls and any other data submitted to the Services are lawful; and
  • ensuring that Personal Data is adequate, relevant and limited to what is necessary for the use of the Services.

4.2. The Customer shall not submit to the Services any special categories of Personal Data within the meaning of Article 9 GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for identification, health data, or data concerning a person's sex life or sexual orientation), nor any data relating to criminal convictions and offences within the meaning of Article 10 GDPR, unless the Parties have expressly agreed in writing and appropriate additional safeguards have been implemented.

4.3. The Customer is responsible for its use of the Services, including all prompts, uploads, inputs, files, instructions, API calls, and other data it submits to the Services, as well as for managing access controls, user permissions, account security, and for the secure use of APIs, integrations, and other functionalities.

4.4. The Customer shall ensure that all Personal Data provided to ThinkTank does not infringe any intellectual property rights, privacy rights, or other rights of any third party, and is not unlawful, harmful, or otherwise in breach of the Agreement or applicable law.

4.5. The Customer shall promptly inform ThinkTank of any error or irregularity in the Processing, any suspected or actual Personal Data Breach, or any Data Subject request or instruction that may impact ThinkTank's Processing of Personal Data.


5. Instructions

5.1. ThinkTank shall Process Personal Data only on Customer's Documented Instructions, unless required to do so by Union or Member State law to which ThinkTank is subject. In such case, ThinkTank shall inform Customer of that legal requirement prior to Processing, unless prohibited by law.

5.2. Customer's instructions include: (i) the Agreement and this DPA; (ii) Customer's configuration of the Services; (iii) all prompts, inputs, uploads, files, API calls, and selections made through the Services; and (iv) any other documented instructions reasonably issued by the Customer. The Customer is responsible for ensuring that all such instructions comply with Data Protection Legislation.

5.3. ThinkTank may suspend the execution of any instruction if, in its reasonable opinion, the instruction infringes or is likely to infringe Data Protection Legislation. ThinkTank shall notify the Customer of the issue without undue delay and will resume Processing only once the Customer has confirmed or modified the instruction to ensure its lawfulness.


6. Saving and Use of Prompts and Output

6.1. Customer expressly instructs and authorises ThinkTank to store, log and retain all prompts, inputs, uploads, API calls, generated outputs, and associated metadata for:

  • compliance with this DPA and the Agreement;
  • auditability, logging, incident response and security;
  • operational continuity and troubleshooting;
  • quality assurance and service optimisation;
  • regulatory compliance;
  • fraud prevention and misuse detection.

6.2. Customer further instructs and authorises ThinkTank to use input prompts, uploaded content, and generated outputs for:

  • improving and developing the Services;
  • model tuning, testing, performance optimisation;
  • training proprietary models;
  • training or fine-tuning third-party models where contracts permit;
  • research and development related to the Services;
  • creation of aggregated, de-identified, or anonymised datasets.

6.3. ThinkTank shall ensure that any such use complies with Data Protection Legislation and does not identify the Customer or Data Subjects in aggregated or anonymised datasets.

6.4. Nothing in this DPA restricts ThinkTank from independently improving its models or Services using data from other customers or publicly available data.


7. Obligations of ThinkTank as Processor

7.1. ThinkTank shall:

  • Process Personal Data only on behalf of Customer and in accordance with this DPA and Customer's documented instructions.
  • Ensure that persons authorised to Process Personal Data are subject to appropriate confidentiality obligations.
  • Implement and maintain appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. The main measures are described in Annex 2, which ThinkTank may update from time to time, provided such updates do not materially reduce the level of protection.
  • Make available to Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA, subject to confidentiality and security requirements.

7.2. ThinkTank shall assist the Customer, insofar as reasonably possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects to exercise their rights under Chapter III GDPR.

7.3. Taking into account the nature of the Processing and the information available to it, ThinkTank shall assist the Customer, where reasonably required and appropriate, in complying with the Customer's obligations under Articles 32 to 36 GDPR. Such assistance may include support with the Customer's security assessments, data protection impact assessments and, where relevant, any required prior consultations with Supervisory Authorities.

7.4. Upon termination or expiry of the Agreement, ThinkTank shall, at the Customer's choice and within a commercially reasonable period, either return the Personal Data to the Customer or delete it from active systems. ThinkTank may, however, retain limited copies of Personal Data where required by Union or Member State law, or where such retention is necessary for legitimate operational reasons, including secure backup retention, disaster recovery, fraud detection, debugging, or the establishment, exercise or defence of legal claims. Any retained Personal Data shall remain subject to the protections of this DPA and shall be deleted in accordance with ThinkTank's standard retention and deletion schedules.


8. Subprocessors

8.1. Customer grants ThinkTank a general written authorisation to engage Subprocessors for the Processing of Personal Data.

8.2. ThinkTank shall impose on each Subprocessor data protection obligations substantially equivalent to those set out in this DPA, in accordance with Article 28(4) GDPR.

8.3. ThinkTank shall remain fully liable to Customer for the performance of its Subprocessors' obligations.

8.4. The current list of Subprocessors is set out in Annex 3. ThinkTank may update this list from time to time.

8.5. ThinkTank shall notify Customer (for example by email or via the Services) of any intended addition or replacement of Subprocessors at least 30 days before such change. Customer may object to the change on reasonable, objective, data-protection-related grounds by notifying ThinkTank in writing within that period.

8.6. In the event of a justified objection that cannot be resolved, ThinkTank may (i) propose an alternative Subprocessor, (ii) allow Customer to suspend the affected portion of the Services, or (iii) terminate the relevant Services or the Agreement (in whole or in part) upon written notice. Such termination shall be without fault and without any liability for termination fees, except for the refund of any prepaid unused fees relating to the terminated Services.


9. Data Subject Rights

9.1. If a Data Subject makes a request directly to ThinkTank to exercise rights under the GDPR, ThinkTank shall not respond directly, unless legally required, and shall forward the request to Customer without undue delay.

9.2. ThinkTank shall provide reasonable cooperation to Customer to allow Customer to respond to such requests. Where such assistance requires significant time or resources, ThinkTank may charge reasonable fees, unless the request arises from ThinkTank's proven breach of this DPA.


10. Personal Data Breaches

10.1. ThinkTank shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of Customer. Where feasible, ThinkTank shall provide such notification within 72 hours.

10.2. The notification may be provided in phases and shall include at least:

  • a description of the nature of the Personal Data Breach;
  • the categories and approximate number of affected Data Subjects and data records;
  • the likely consequences of the Personal Data Breach; and
  • the measures taken or proposed to be taken to address the Personal Data Breach and mitigate its adverse effects.

10.3. The Processor shall document all Personal Data Breaches, including those for which no notification to the Controller is required, and provide the Controller with reasonable assistance to document and notify the Personal Data Breach to the relevant Supervisory Authority and/or Data Subjects.

10.4. Customer is responsible for determining whether and how to notify Supervisory Authorities and Data Subjects of the Personal Data Breach, unless such notification is required directly from ThinkTank by law.


11. International Data Transfers

11.1. The Customer acknowledges that the use of a cloud-based AI service may involve the international transfer of Personal Data and expressly authorises ThinkTank to transfer Personal Data outside the European Economic Area, including through the use of Subprocessors, provided that all such transfers comply with Chapter V of the GDPR.

11.2. Compliance may be achieved through reliance on an adequacy decision of the European Commission, through the use of appropriate safeguards such as the Standard Contractual Clauses, or through any other valid transfer mechanism permitted under the applicable Data Protection Legislation.

11.3. Where ThinkTank relies on the Standard Contractual Clauses, it is authorised to enter into those clauses with the relevant Subprocessors on the Customer's behalf. In such cases, ThinkTank shall, where required, take into account the nature of the transfer, perform any necessary transfer impact assessment and implement supplementary measures to ensure an essentially equivalent level of protection to that guaranteed within the EEA.

11.4. Upon reasonable request, ThinkTank may provide the Customer with high-level information regarding the transfer mechanisms and supplementary measures it has implemented, subject to confidentiality and security constraints. ThinkTank shall not be required to disclose full transfer impact assessments or other confidential internal assessments.


12. Audits and Inspections

12.1. The Processor shall make available to the Controller the information reasonably necessary to demonstrate compliance with this DPA, which may include relevant third-party audit reports or certifications. If such information does not reasonably satisfy the Controller's audit requirements, the Controller may request an audit of the Processor's data-processing practices. Any such audit shall be conducted with reasonable prior written notice, no more than once in any twelve-month period unless required by a Supervisory Authority, and in a manner that avoids undue disruption to the Processor's business operations.

12.2. The Controller shall bear all costs and expenses associated with any audit, including the Processor's reasonable internal and external costs incurred in supporting or facilitating the audit, unless a material breach of this DPA is identified.

12.3. The Processor may object to the use of a particular auditor on reasonable grounds, including conflict of interest or security concerns. In such case, the Controller shall appoint an alternative independent auditor.


13. Ownership, Aggregated and Anonymised Data

13.1. The Customer retains all rights, title and interest in its Personal Data.

13.2. ThinkTank retains all rights in its Services, models, algorithms and all other intellectual property.

13.3. ThinkTank may generate and use aggregated, de-identified or anonymised data derived from Customer inputs and outputs for any lawful purpose, including improving the Services, provided such data does not identify the Customer or any Data Subject.


14. Liability and Indemnification

14.1. The liability of the Processor under this DPA shall be subject to the limitations set forth in the Agreement.

14.2. The Customer shall indemnify ThinkTank for any loss, damage or claim arising from the Customer's breach of this DPA or Data Protection Legislation, or from unlawful instructions or misuse of the Services.


15. Term and Termination

15.1. This DPA remains in force for as long as ThinkTank Processes Personal Data on behalf of the Customer.

15.2. Obligations that by their nature survive termination, including those concerning confidentiality, deletion, liability and international transfers, shall remain in effect.


16. Governing Law and Jurisdiction

This DPA shall be governed by Belgian law, excluding its conflict-of-law rules. Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Antwerp, Belgium.

This DPA is effective as of the Effective Date of the Agreement and supersedes any prior data processing terms.


Annexes:

  • Annex 1: Processing Details
  • Annex 2: Technical and Organisational Measures
  • Annex 3: List of Subprocessors
  • Annex 4: Data Retention and Deletion Schedule
  • Annex 5: Customer Configuration and Security Responsibilities

Annex 1: Processing Details

Item | Description
Subject-matter of the Processing | Processing of Personal Data as necessary to provide the Services, including hosting, storage, analysis, generation of outputs and related functions.
Duration of the Processing | For the duration of the Agreement and any legally required retention period.
Nature/Scope of the Processing | Hosting, storage, transformation, AI processing, prompt analysis, output generation, monitoring, security logging, model training (as authorised), and other activities necessary to deliver and improve the Services. The Services may process unstructured data submitted through prompts, file uploads, or API inputs.
Types of Personal Data | Identification data and contact details, prompt content and uploaded files (as determined by Customer, incl. business information, financial data, legal documents), AI outputs, metadata, account data and log data. Personal Data may include structured or unstructured data submitted through prompts, file uploads, or API inputs.
Categories of Data Subjects | Customer personnel, Customer clients or business contacts, or any individual whose Personal Data appears in prompts, inputs or uploads.
Obligations/Purposes of the Controller | Provision of professional services using the Services; internal business operations.

Annex 2: Technical and Organisational Measures

The Processor implements the following security measures:

1. Access Control

ThinkTank implements logical access controls designed to ensure that Personal Data is accessible only to authorised personnel and systems. Measures include:

- multi-factor authentication for privileged accounts;
- limiting access to personnel with a justified operational need;
- logging and monitoring of access to systems handling Personal Data;
- periodic reviews of access rights and timely removal of unused accounts.

2. Physical Security

ThinkTank does not operate its own data centres. All Personal Data is stored and processed exclusively on third-party cloud platforms that maintain industry-standard physical security controls, including:

- 24/7 monitored facilities;
- controlled access with biometric or card-based authentication;
- surveillance, intrusion detection and environmental protections;
- independent certifications such as ISO 27001, SOC 1/2, or equivalent.

ThinkTank reviews these providers' certifications and security documentation to ensure appropriate safeguards remain in place.

3. Encryption

ThinkTank uses secure communication protocols to protect Personal Data in transit and relies on the security measures implemented by its cloud infrastructure providers for the protection of Personal Data stored within their environments. These providers maintain industry-standard safeguards, which may include encryption and key-management controls.

4. Incident Detection and Response

ThinkTank maintains an incident response process that includes:

- ongoing security monitoring and log analysis;
- detection and internal escalation procedures for potential security events;
- investigation, containment and remediation workflows;
- documentation of incidents;
- notification to the Customer without undue delay and, where feasible, within 72 hours after becoming aware of a Personal Data Breach.

5. Monitoring and Vulnerability Management

ThinkTank undertakes reasonable measures to monitor the security of its systems and address vulnerabilities as part of its ongoing operational practices. These measures include:

- applying security updates and patches made available by its cloud infrastructure providers;
- monitoring for relevant security advisories affecting the technologies it uses;
- taking reasonable steps to identify and address potential vulnerabilities in its environment.

6. Backup, Continuity and Recovery

ThinkTank ensures service resilience and data recoverability primarily through the capabilities of its cloud infrastructure providers. Measures include:

- periodic backups stored in secure cloud environments;
- reliance on the cloud provider's disaster recovery and business continuity mechanisms;
- the use of cloud-native availability and reliability features where supported by the provider.

7. Personnel Security and Training

ThinkTank ensures that all personnel with access to Personal Data:

- are bound by confidentiality obligations;
- receive mandatory data protection and security training;
- undergo role-appropriate onboarding and access restriction measures;
- follow internal security policies, acceptable-use rules and incident reporting protocols.

8. Subprocessor and Supplier Management

ThinkTank maintains a supplier management process to ensure that Subprocessors engaged in the provision of the Services offer appropriate data protection and security safeguards. This includes:

- assessing whether Subprocessors implement security measures appropriate to the nature of the Services they provide;
- reviewing publicly available or provided documentation, such as security summaries or relevant certifications where available;
- ensuring Subprocessors are contractually bound to data protection obligations that are no less protective than those set out in this DPA.

9. Data Minimization and Separation

ThinkTank applies data minimisation principles and ensures that Personal Data is handled in a manner that reduces unnecessary exposure. Measures include:

- maintaining logical separation of customer data within the cloud infrastructure;
- storing only the data necessary for providing, maintaining and improving the Services;
- applying anonymisation or aggregation techniques where appropriate for analytics, diagnostics or service improvement.

10. Logging and Auditability

ThinkTank maintains logging practices appropriate to the operation and security of its Services. These practices include:

- recording relevant system events such as authentication activity, administrative actions and system errors;
- reviewing logs as part of routine operational and security processes;
- retaining logs to support troubleshooting, compliance verification and incident response.

Annex 3: List of Subprocessors

The Processor uses the following Subprocessors for the Processing of Personal Data:

Subprocessor | Location | Services Provided | Data Protection Measures
Hetzner Online GmbH | Germany (EEA) | Cloud hosting and data storage infrastructure | ISO/IEC 27001 certified; GDPR-compliant data processing agreement in place
Scaleway S.A.S. | France (EEA) | Cloud computing services and data storage | ISO/IEC 27001 certified; GDPR-compliant data processing agreement in place
Requesty (subprocessor for API requests) | United Kingdom | API request management and processing services | EU Standard Contractual Clauses; GDPR-compliant data processing agreement in place
Firecrawl (subprocessor for web scraping) | United States (data transfers subject to EU SCCs) | Web data extraction and crawling services | EU Standard Contractual Clauses; internal security policies and regular security audits
BunnyWay, informacijske storitve d.o.o. | Slovenia (EEA) | Content delivery network (CDN) and edge caching services | GDPR-compliant data processing agreement in place; appropriate technical and organizational security measures

The Processor shall notify the Controller of any changes to this list at least 30 days in advance. The Controller may object to the appointment of a new Subprocessor on reasonable grounds related to data protection.


Annex 4: Data Retention and Deletion Schedule

This Annex describes the general retention and deletion practices applicable to Personal Data processed by ThinkTank as Processor. These practices apply unless the Customer specifies different preferences within the Services (where such functionality is available) or unless a longer retention period is required by Union or Member State law.

1. General Retention Principles

ThinkTank retains Personal Data for no longer than is necessary to:

  • provide, maintain, secure and improve the Services;
  • comply with the Agreement and this DPA;
  • meet legal, regulatory, accounting or security obligations;
  • preserve evidence for the establishment, exercise or defence of legal claims;
  • ensure continuity of service and disaster recovery.

Retention periods may vary depending on the type of data, the purpose of processing and operational requirements.

2. Operational Data Retention

ThinkTank applies the following retention practices to operational data categories:

a) Customer Inputs and Outputs

Prompts, uploads, instructions, generated outputs and related metadata may be retained for the duration of the Agreement and for a limited period thereafter to support:

i. service provision and continuity;
ii. debugging and incident analysis;
iii. auditability and compliance with this DPA;
iv. model improvement and training.

Such data is deleted in accordance with ThinkTank's standard retention cycles or upon Customer request, where technically feasible.

b) Account Data and Configuration Data

Customer account information, settings and configuration-related data are retained for the duration of the Agreement and deleted following account closure, subject to legally required retention periods (e.g., invoicing, tax or corporate obligations).

c) System Logs and Security Logs

System logs, authentication logs, usage logs, and security monitoring records are retained for periods necessary to ensure security, detect misuse, support investigations, and demonstrate compliance. Log retention periods depend on operational and security needs and may vary across systems.

d) Backups

Backups created by ThinkTank or its cloud infrastructure providers are retained in accordance with standard backup schedules and are automatically deleted after their respective retention periods expire. Backups cannot be selectively altered or deleted on a per-Customer basis.

3. Post-Termination Deletion

Upon termination or expiry of the Agreement:

  • Personal Data is deleted or returned in accordance with the DPA;
  • residual Personal Data in backups or logs will be deleted automatically in line with the applicable retention cycles;
  • any retained Personal Data remains subject to the protections and restrictions set out in this DPA until deletion.

4. Customer Requests for Deletion

Where technically feasible, ThinkTank will comply with Customer deletion requests during the term of the Agreement. Deletion of data in active systems does not affect data stored in backups or logs until such backups or logs naturally expire.

5. Changes to Retention Practices

ThinkTank may update its retention schedules to reflect changes in operational needs, security requirements or legal obligations. Any such changes shall not materially reduce the level of protection afforded to Personal Data under this DPA.


Annex 5: Customer Configuration and Security Responsibilities

This Annex describes the responsibilities of the Customer in relation to the configuration, secure use and administration of the Services. These responsibilities apply in addition to any obligations set out in the Agreement and this DPA.

1. Secure Configuration of the Services

The Customer is solely responsible for:

  • configuring the Services in a secure manner appropriate for its internal policies and risk profile;
  • defining user roles, access rights and permission levels within its ThinkTank environment;
  • ensuring that only authorised individuals within its organisation have access to the Services;
  • managing identity, authentication and access policies for its users, including secure password practices and MFA (if used).

ThinkTank is not responsible for misconfigurations or inappropriate access settings chosen by the Customer.

2. User Management and Access Controls

The Customer shall:

  • maintain accurate and up-to-date user accounts;
  • promptly disable or remove access for users who no longer require it (e.g., departing employees);
  • ensure that authentication credentials, API keys, tokens and passwords are kept secure and not shared between users;
  • supervise user activity to ensure the Services are used in accordance with applicable laws and the Agreement.

The Customer is fully responsible for actions taken through its accounts.

3. Data Submitted to the Services

The Customer acknowledges and agrees that:

  • the Services process Personal Data, business data and unstructured data submitted by Customer through prompts, file uploads, messages or API calls;
  • the Customer determines what data is submitted and is therefore responsible for the lawfulness, accuracy and appropriateness of such data;
  • the Customer shall not submit prohibited, unlawful, harmful, or unauthorised data to the Services;
  • the Customer shall not knowingly submit Personal Data beyond what is necessary for its intended use of the Services.

ThinkTank has no obligation to monitor inputs for correctness, sensitivity or compliance.

4. API and Integration Security

Where the Customer uses API connections or integrates ThinkTank with third-party tools, the Customer is responsible for:

  • securing API keys, tokens and connection credentials;
  • restricting API access to authorised systems only;
  • validating the security of third-party systems integrated with the Services;
  • limiting the data transmitted via APIs to what is necessary.

ThinkTank is not responsible for vulnerabilities introduced by Customer's systems or integrations.

5. Internal Policies and Compliance

The Customer is responsible for ensuring that:

  • its use of the Services complies with internal policies, contractual obligations, and applicable laws;
  • Data Subjects are informed of the Customer's Processing activities as required under the GDPR;
  • appropriate organisational measures are in place to safeguard Personal Data on its own systems, networks and devices.

6. Monitoring and Misuse Prevention

The Customer is responsible for:

  • monitoring the actions of its users to prevent misuse;
  • ensuring users do not attempt to circumvent or compromise the security of the Services;
  • promptly notifying ThinkTank of any suspected misuse, data loss, compromise, or security incident related to its use of the Services.

7. Deletion and Export of Customer Data

Where the Services provide self-service controls for downloading, exporting, deleting or modifying data, the Customer is responsible for:

  • using such functionality appropriately;
  • performing exports before termination of the Agreement;
  • ensuring deletion operations are correct and authorised.

8. No Circumvention of Security Measures

The Customer shall not:

  • interfere with or attempt to bypass any security or usage controls implemented by ThinkTank;
  • reverse engineer, probe, or test the security or performance of the Services without ThinkTank's written consent;
  • upload malware, harmful content or code designed to disrupt the Services.

9. Consequences of Customer Misconfiguration or Misuse

ThinkTank shall have no liability arising from:

  • Customer misconfiguration of the Services;
  • inappropriate permission settings;
  • insecure credential management;
  • submission of excessive or sensitive Personal Data;
  • misuse or negligent use of the Services by Customer or its users.