Data Processing Agreement
Effective Date: March 9, 2026
Document version: 1.0 · Published at threadlock.ai/dpa
This Data Processing Agreement ("DPA") is entered into between ThreadLock ("Processor"), a legal technology platform operated at 16200 SW Pacific Hwy, Suite H PMB 1046, Tigard, OR 97224, USA, and the Customer ("Controller") who has entered into the ThreadLock Terms of Service or a Master Services Agreement. This DPA is incorporated by reference into those agreements and governs all Processing of Customer Personal Data by ThreadLock in connection with the Services.
1. Subject Matter and Scope
This DPA applies to the Processing of Customer Personal Data by ThreadLock in the course of providing its case management, evidence organization, and AI-assisted documentation services (the "Services"). The terms of this DPA supplement and do not replace any data protection or confidentiality provisions already agreed between the parties.
2. Definitions
- "Customer Personal Data": Any personal data processed by ThreadLock on behalf of the Customer in the provision of the Services.
- "Data Protection Laws": All applicable data protection and privacy laws, including without limitation the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) made thereunder, in each case as amended or superseded from time to time.
- "Processing": Any operation performed on personal data, whether or not by automated means, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Subprocessor": Any third-party data processor engaged by ThreadLock to assist in providing the Services where such engagement involves Processing Customer Personal Data.
- "Personal Data Breach": A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
3. Roles and Processing Instructions
3.1 Roles: The Customer is the Data Controller and ThreadLock is the Data Processor with respect to Customer Personal Data. Each party shall comply with its respective obligations under applicable Data Protection Laws.
3.2 Documented Instructions: ThreadLock shall process Customer Personal Data only on documented instructions from the Customer, including: (a) as set out in this DPA; (b) as required to deliver the Services described in the Agreement and any applicable Order Forms; and (c) as otherwise directed in writing by the Customer. If ThreadLock is required by applicable law to process Customer Personal Data for another purpose, ThreadLock shall notify the Customer of that requirement before such processing, unless prohibited by law.
4. Obligations of ThreadLock
4.1 Confidentiality: ThreadLock shall ensure that all personnel authorized to process Customer Personal Data are subject to binding confidentiality obligations, whether by contract or statutory duty, and process such data only as necessary to perform the Services.
4.2 Security: ThreadLock shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. The minimum security standards maintained by ThreadLock are described in Annex II below.
4.3 Data Subject Rights: ThreadLock shall provide reasonable assistance to the Customer to fulfil the Customer's obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
4.4 Data Protection Impact Assessments: ThreadLock shall provide reasonable assistance to the Customer in carrying out data protection impact assessments and prior consultations with supervisory authorities where required by applicable Data Protection Laws.
4.5 Personal Data Breach Notification: ThreadLock shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification shall include, to the extent available: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects and records affected; (c) the likely consequences of the breach; and (d) measures taken or proposed to address the breach. ThreadLock shall cooperate fully with the Customer in investigating and remediating any breach. Where the breach may constitute an eligible data breach under Australia's Notifiable Data Breaches scheme (Part IIIC, Privacy Act 1988 (Cth)), ThreadLock shall provide the Customer with sufficient information to enable the Customer to assess its own notification obligations to the Office of the Australian Information Commissioner (OAIC) and affected individuals, and shall provide reasonable assistance in meeting those obligations.
4.6 Audit Rights: ThreadLock shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and permit the Customer or its appointed auditor to conduct audits of ThreadLock's data processing activities upon reasonable prior written notice and no more than once per calendar year, except where a Personal Data Breach has occurred.
5. Subprocessing
The Customer provides general authorisation for ThreadLock to engage the Subprocessors listed in Annex III. ThreadLock shall: (a) impose data protection obligations on each Subprocessor that are no less protective than those set out in this DPA; (b) maintain an up-to-date list of Subprocessors at threadlock.ai/dpa; and (c) notify the Customer at least 14 days in advance of adding or replacing any Subprocessor, giving the Customer the opportunity to object on reasonable grounds related to data protection. ThreadLock remains fully liable to the Customer for the performance of each Subprocessor's obligations under this DPA.
6. International Transfers
Where the Services involve the transfer of Customer Personal Data from the European Economic Area, Switzerland, or the United Kingdom to a country not recognized as providing an adequate level of data protection, the parties agree to be bound by the Standard Contractual Clauses (Module 2: Controller to Processor) adopted by the European Commission by Decision 2021/914, which are incorporated into this DPA by reference. In the event of a conflict between the SCCs and the other provisions of this DPA, the SCCs shall prevail.
Where the Services involve the transfer of personal information originating in Australia, ThreadLock contractually commits to handling that information in a manner consistent with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). This commitment is intended to satisfy the Customer's obligations under APP 8.1 with respect to disclosures to ThreadLock as an overseas recipient. The Customer acknowledges that, absent this contractual commitment, APP 8 would otherwise make the Customer directly accountable for ThreadLock's handling of that information.
7. Retention and Deletion
Upon termination or expiry of the Agreement, or upon the Customer's written request, ThreadLock shall, at the Customer's election, securely delete or return all Customer Personal Data within 30 days, and delete all copies unless applicable law requires continued storage. ThreadLock shall provide the Customer with written confirmation of deletion upon request. In all cases, Customer Personal Data shall not be retained by ThreadLock for longer than 90 days following account deletion unless otherwise required by law.
8. Governing Law and Dispute Resolution
This DPA shall be governed by the laws of the State of Oregon, USA, without regard to conflict-of-law principles, except to the extent that applicable Data Protection Laws of the European Union, United Kingdom, or other jurisdictions require otherwise. Any dispute arising from this DPA shall be subject to the dispute resolution provisions of the Agreement.
Annex I — Details of Processing
A. List of Parties
| | Data Exporter (Controller) | Data Importer (Processor) |
|---|---|---|
| Entity | The Customer using ThreadLock for case and evidence management. | ThreadLock, 16200 SW Pacific Hwy, Suite H PMB 1046, Tigard, OR 97224, USA. |
| Role | Controller — determines the purposes and means of processing. | Processor — processes data on the Controller's behalf. |
| Contact | As provided in the Customer's account or Order Form. | legal@threadlock.ai |
B. Description of Processing
Categories of Data Subjects: Individuals involved in family law, tribal court, employment, or other civil legal matters; the Customer's authorized platform users (attorneys, paralegals, and self-represented litigants).
Categories of Personal Data: Names, contact information, personally authored journal entries, legal evidence (documents, images, videos, audio recordings), timestamps, metadata, and AI-assisted classification tags.
Special Categories: The Services may incidentally process special category data (e.g., health information in personal injury or family law matters) where uploaded by the Customer. Under the Australian Privacy Act 1988 (Cth), such data constitutes 'sensitive information' and is subject to the heightened protections of APPs 3 and 6. ThreadLock will handle any such information consistently with those requirements. The Customer is responsible for ensuring that any upload of sensitive or special category data is supported by a lawful basis.
Nature of Processing: Storing, organising, and tagging legal evidence; generating chronological timelines; applying AI models for evidence classification; facilitating access by authorized users under the Customer's role-based permissions.
Purpose of Processing: Delivery of the Services as described in the Agreement.
Duration of Processing: The term of the Agreement plus 90 days following account deletion, after which all Customer Personal Data is deleted unless law requires otherwise.
Annex II — Technical and Organizational Measures
ThreadLock maintains the following minimum security standards as of the Effective Date. These measures are reviewed and updated on a regular basis to reflect changes in risk.
| Measure | Description |
|---|---|
| Encryption in Transit | All data transmitted between clients and ThreadLock infrastructure is encrypted using TLS 1.2 or higher. Connections below TLS 1.2 are rejected. |
| Encryption at Rest | All Customer Personal Data stored in ThreadLock's cloud infrastructure is encrypted at rest using AES-256 via Google Cloud/Firebase native encryption. |
| Access Control | Access to Customer Personal Data is enforced through strict role-based access control (RBAC). Administrative access requires multi-factor authentication (MFA). Access is granted on a least-privilege basis and reviewed periodically. |
| Authentication | Customer accounts are protected by password policies and support MFA. Sessions are time-limited and protected against common web vulnerabilities (OWASP Top 10). |
| Audit Logging | Access to and operations on Customer Personal Data are logged. Logs are retained for a minimum of 90 days and are protected against unauthorized modification. |
| Vulnerability Management | ThreadLock performs regular internal security reviews and automated vulnerability scanning of application code and infrastructure dependencies. |
| Backups and Resilience | Customer Personal Data is backed up automatically on a daily basis. Backups are geo-redundant and stored in secure cloud infrastructure with verified restore capability. |
| Incident Response | ThreadLock maintains an incident response procedure that includes detection, containment, notification, and post-incident review. Customer notification of a Personal Data Breach occurs within 48 hours of confirmation. |
| Subprocessor Security | All Subprocessors are required to maintain security standards materially equivalent to those described in this Annex as a condition of engagement. |
Annex III — Authorized Subprocessors
The following third-party entities are authorized by the Customer to process Customer Personal Data as Subprocessors of ThreadLock as of the Effective Date. ThreadLock will publish updates to this list at threadlock.ai/dpa and provide advance notice of changes as described in Section 5.
| Subprocessor | Headquarters | Processing Activity | Data Protection Framework |
|---|---|---|---|
| Google LLC (Firebase / GCP) | USA | Cloud infrastructure, application hosting, Firestore database, and Firebase Analytics. | Google Cloud Data Processing Addendum; EU SCCs where applicable. |
| Stripe, Inc. | USA | Payment processing and billing. Stripe receives only payment instrument data; no case or evidence data is shared. | Stripe Data Processing Agreement; EU SCCs where applicable. |
| Google LLC (Gemini API) | USA | AI-assisted writing support and research assistance. Processing is strictly scoped; no Customer Personal Data is used for model training. | Google Cloud Data Processing Addendum; EU SCCs where applicable. |
Note: ThreadLock does not share Customer Personal Data with OpenAI or any other AI provider not listed above. No Customer Personal Data is used to train AI models.
Download This DPA
Download a copy of this Data Processing Agreement for your records or to meet compliance requirements. To execute the agreement, complete the signature fields and return the signed copy to legal@threadlock.ai for countersignature.
Contact Information
For questions about this DPA or data processing:
Email: legal@threadlock.ai
Address: 16200 SW Pacific Hwy, Suite H PMB 1046, Tigard, OR 97224, USA