Data Processing Agreement
Document: Data Processing Agreement (DPA)
Effective Date: 1 March 2026
Version: 1.0
Table of Contents
- Definitions and Interpretation
- Scope and Purpose
- Duration
- Details of Processing
- Obligations of the Processor
- Obligations of the Controller
- Personal Data Breach
- Sub-processors
- International Transfers
- Data Subject Rights
- DPIA and Prior Consultation
- Audit Rights
- Liability
- Term and Termination
- General Provisions
- Annex A — Sub-processor List
- Annex B — Technical and Organisational Measures
- Annex C — International Transfer Mechanisms
1. Definitions and Interpretation
1.1 In this Data Processing Agreement ("DPA"), the following terms have the meanings set out below. Where a term is not defined here, it has the meaning given to it in the Terms of Service or, where applicable, in Data Protection Laws.
"Client Data" — any Personal Data relating to the Controller's clients that the Controller enters into or generates through the TheraScript platform, including client aliases, survey responses, generated scripts, generated audio files, and plan snapshots.
"Controller" — the practitioner who holds a TheraScript account and determines the purposes and means of Processing Client Data. The Controller is a data controller as defined by Data Protection Laws.
"Data Protection Laws" — the UK General Data Protection Regulation (UK GDPR) as retained by the European Union (Withdrawal) Act 2018, the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations 2003 (PECR), and any legislation that amends, replaces, or supplements these enactments.
"Data Subject" — an identified or identifiable natural person to whom Client Data relates; in practice, the clients of the Controller who receive therapeutic or coaching services.
"International Transfer" — a transfer of Personal Data from the United Kingdom to a country or territory outside the United Kingdom that is not subject to a UK adequacy decision.
"Personal Data" — any information relating to an identified or identifiable natural person, as defined by Data Protection Laws.
"Processing" — any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Processor" — TheraScripts, a company registered in England & Wales (company number 16196583) with its registered address at 167-169 Great Portland Street, London, England, W1W 5PF, which Processes Client Data on behalf of the Controller.
"Special Category Data" — Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation, as defined by Article 9 of UK GDPR. In the context of this DPA, this primarily refers to health-adjacent survey responses such as stress patterns, recovery tools, content boundaries, and contraindications.
"Sub-processor" — any third party engaged by the Processor to Process Client Data on behalf of the Controller.
"Supervisory Authority" — the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.
"Terms of Service" or "ToS" — the Terms of Service governing the use of the TheraScript platform, as published at therascript.com/terms and updated from time to time.
1.2 References to Articles are to Articles of UK GDPR unless stated otherwise. References to Sections are to sections of this DPA unless the context indicates a reference to the Terms of Service.
1.3 In the event of any ambiguity, terms shall be interpreted consistently with Data Protection Laws.
2. Scope and Purpose
2.1 This DPA applies to all Processing of Client Data carried out by the Processor on behalf of the Controller in connection with the TheraScript platform.
2.2 The purpose of the Processing is to provide the TheraScript service as described in the Terms of Service, including the storage, retrieval, AI-assisted generation, export, and display of therapeutic session scripts and related content.
2.3 This DPA forms part of the Terms of Service and is legally binding on both parties. By creating a TheraScript account, the Controller accepts the terms of this DPA.
2.4 This DPA is entered into to comply with Article 28(3) of UK GDPR, which requires a written contract between a controller and a processor setting out the subject matter, duration, nature, and purpose of the Processing, the type of Personal Data, and the categories of Data Subjects.
3. Duration
3.1 This DPA takes effect on the date the Controller creates a TheraScript account.
3.2 This DPA continues in force until the Controller's account is terminated and all Client Data has been deleted in accordance with the retention and deletion provisions of this DPA and the Terms of Service.
3.3 Certain provisions of this DPA survive termination, as set out in Section 14.4.
4. Details of Processing
4.1 The following table sets out the details of Processing carried out under this DPA, as required by Article 28(3).
| Element | Description |
|---|---|
| Subject matter | Processing Client Data to generate personalised therapeutic session scripts and audio files via the TheraScript platform |
| Duration | Duration of the Controller's TheraScript account, plus any post-termination retention period described in this DPA |
| Nature and purpose | Storage and retrieval of Client Data; AI-assisted script generation (via LLM); text-to-speech audio generation (MP3) via OpenAI and Google Cloud TTS; PDF and DOCX export; display of Client Data and generated content within the platform UI |
| Types of Personal Data | Client alias (known-as name and optional phonetic spelling); survey responses (including health-adjacent data such as stress modes, recovery tools, content boundaries, engagement signals, representational system preferences, guidance preferences, metaphor preferences, and contraindications); generated scripts; generated audio files; plan snapshots |
| Categories of Data Subjects | Clients of the Controller — individuals who receive therapeutic or coaching services from the practitioner |
| Special Category Data | Survey responses relating to health, wellbeing, stress patterns, recovery strategies, content boundaries, and contraindications (e.g., epilepsy). Processed under Article 9(2)(a) (explicit consent obtained by the Controller) and Schedule 1, Condition 1 of DPA 2018 |
5. Obligations of the Processor
The Processor shall comply with the following obligations, which implement the requirements of Article 28(3)(a)–(h) of UK GDPR.
5.1 Documented Instructions — Art 28(3)(a)
5.1.1 The Processor shall Process Client Data only on documented instructions from the Controller. The Controller's use of the TheraScript platform (including feature selections, survey data entry, script generation requests, audio generation requests, and export actions) constitutes the Controller's documented instructions for Processing.
5.1.2 If the Processor reasonably believes that an instruction from the Controller infringes Data Protection Laws, the Processor shall promptly inform the Controller and shall not carry out that instruction until the Controller has confirmed or modified it.
5.1.3 The Processor shall not Process Client Data for any purpose other than providing the TheraScript service to the Controller, unless required to do so by applicable law. Where the Processor is required by law to Process Client Data for another purpose, it shall inform the Controller of that legal requirement before Processing, unless the law prohibits such notification.
5.2 Confidentiality — Art 28(3)(b)
5.2.1 The Processor shall ensure that all persons authorised to Process Client Data — including employees, contractors, and agents — are bound by appropriate confidentiality obligations, whether by contract or by statutory duty.
5.2.2 The Processor shall limit access to Client Data to those personnel who need access to perform their duties in connection with the TheraScript service.
5.3 Security — Art 28(3)(c)
5.3.1 The Processor shall implement and maintain appropriate technical and organisational measures to protect Client Data against unauthorised or unlawful Processing and against accidental loss, destruction, or damage, having regard to the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk to the rights and freedoms of Data Subjects.
5.3.2 The specific technical and organisational measures in place as at the date of this DPA are described in Annex B. The Processor may update these measures from time to time, provided that any changes maintain or improve the overall level of security.
5.3.3 Given that Client Data includes Special Category Data, the Processor shall apply measures appropriate to the sensitivity of that data, including encryption in transit and at rest, access controls based on the principle of least privilege, and logical segregation of each Controller's data.
5.4 Sub-processors — Art 28(3)(d)
5.4.1 The Processor shall only engage Sub-processors in compliance with Section 8 of this DPA.
5.4.2 The Processor shall impose data protection obligations on each Sub-processor by way of a written contract that are no less protective than those set out in this DPA.
5.5 Data Subject Rights Assistance — Art 28(3)(e)
5.5.1 Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
5.5.2 The Processor shall comply with the data subject rights provisions set out in Section 10 of this DPA.
5.6 Security and Breach Assistance — Art 28(3)(f)
5.6.1 The Processor shall assist the Controller in ensuring compliance with the Controller's obligations under Articles 32 to 36 of UK GDPR, taking into account the nature of the Processing and the information available to the Processor. This includes assistance with:
- (a) Implementing appropriate security measures (Article 32);
- (b) Notifying the Supervisory Authority and Data Subjects of a personal data breach (Articles 33 and 34);
- (c) Carrying out data protection impact assessments (Article 35);
- (d) Prior consultation with the Supervisory Authority (Article 36).
5.6.2 The Processor shall comply with the breach notification provisions set out in Section 7 of this DPA.
5.7 Deletion or Return of Data — Art 28(3)(g)
5.7.1 On termination of this DPA, the Processor shall, at the Controller's choice, either delete or return all Client Data to the Controller, and delete existing copies, unless applicable law requires the Processor to retain some or all of the data.
5.7.2 The specific deletion timeline is set out in Section 14 of this DPA, consistent with Section 14 of the Terms of Service.
5.7.3 The Processor shall provide the Controller with a mechanism to export Client Data (scripts, audio files, and client records) via the platform's export tools during the post-termination export window.
5.8 Audit and Compliance Demonstration — Art 28(3)(h)
5.8.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set out in Article 28 and this DPA.
5.8.2 The Processor shall allow and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, subject to the audit provisions set out in Section 12 of this DPA.
6. Obligations of the Controller
6.1 The Controller shall ensure that it has a valid lawful basis under Article 6 of UK GDPR for Processing Client Data, including for instructing the Processor to Process that data through the TheraScript platform.
6.2 Where Client Data includes Special Category Data (as described in Section 4.1), the Controller shall obtain explicit consent from each relevant Data Subject in accordance with Article 9(2)(a) of UK GDPR before entering that data into the platform.
6.3 The Controller shall provide clear and comprehensive privacy notices to its clients (the Data Subjects) that explain how their data will be processed, including the use of AI technology, text-to-speech audio generation, and third-party Sub-processors.
6.4 The Controller shall not instruct the Processor to carry out any Processing that would violate Data Protection Laws. If the Controller becomes aware that any of its instructions may infringe Data Protection Laws, it shall promptly notify the Processor and withdraw or amend the instruction.
6.5 The Controller shall comply with its obligations under Data Protection Laws, including responding to Data Subject requests within the timeframes required by UK GDPR.
7. Personal Data Breach
7.1 The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Client Data.
7.2 The Processor's notification shall include, to the extent reasonably available at the time of notification:
- (a) A description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects affected;
- (b) The name and contact details of the Processor's point of contact for further information;
- (c) A description of the likely consequences of the breach;
- (d) A description of the measures taken or proposed by the Processor to address the breach, including measures to mitigate its possible adverse effects.
7.3 Where the Processor is unable to provide all information required under clause 7.2 within the initial 72-hour notification, the Processor shall provide the information in phases without further undue delay.
7.4 The Processor shall cooperate fully with the Controller's breach investigation and response, and shall provide all information and assistance reasonably necessary for the Controller to:
- (a) Assess the risk to the rights and freedoms of Data Subjects;
- (b) Notify the Supervisory Authority under Article 33 of UK GDPR;
- (c) Communicate the breach to affected Data Subjects under Article 34 of UK GDPR, where required.
7.5 The Processor shall not notify Data Subjects directly about a breach affecting Client Data without the Controller's prior written consent, unless the Processor is required to do so by applicable law.
7.6 The Processor shall document all personal data breaches affecting Client Data, including the facts relating to the breach, its effects, and the remedial actions taken.
8. Sub-processors
8.1 General Authorisation
8.1.1 The Controller grants the Processor general written authorisation to engage the Sub-processors listed in Annex A for the purposes described in that Annex.
8.1.2 The current Sub-processor list as at the date of this DPA is set out in Annex A.
8.2 Notification of Changes
8.2.1 The Processor shall notify the Controller at least 30 days before adding a new Sub-processor or replacing an existing Sub-processor. Notification will be provided by email to the address associated with the Controller's TheraScript account.
8.2.2 The notification shall include the name of the proposed Sub-processor, the Processing it will perform, its location, and the transfer safeguards that will apply.
8.3 Objection Process
8.3.1 The Controller may object to a new or replacement Sub-processor by notifying the Processor in writing within the 30-day notice period, provided the objection is based on reasonable data protection grounds.
8.3.2 Where the Controller objects, the parties shall discuss the objection in good faith with the aim of reaching a commercially reasonable resolution. This may include the Processor offering an alternative Sub-processor or demonstrating that adequate safeguards are in place.
8.3.3 If the parties are unable to reach a resolution within 30 days of the Controller's objection, the Controller may terminate the Terms of Service (and this DPA) by giving written notice, without penalty.
8.4 Sub-processor Obligations
8.4.1 The Processor shall enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA, including obligations regarding security, confidentiality, breach notification, and data deletion.
8.4.2 The Processor shall carry out appropriate due diligence on each Sub-processor's data protection practices before engagement.
8.5 Processor Liability for Sub-processors
8.5.1 The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations in respect of Client Data. Where a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain responsible for the performance of that Sub-processor's obligations towards the Controller.
9. International Transfers
9.1 The Processor shall not transfer Client Data to any country or territory outside the United Kingdom unless appropriate safeguards are in place as required by Chapter V of UK GDPR.
9.2 As at the date of this DPA, Client Data is transferred to the following locations through the Processor's Sub-processors:
| Sub-processor | Location | Transfer Safeguard |
|---|---|---|
| Convex | United States | UK IDTA / UK Addendum to EU SCCs |
| Clerk | United States | UK IDTA / UK Addendum to EU SCCs |
| Google Cloud (TTS) | United States / EU | UK IDTA / UK Addendum to EU SCCs; UK adequacy decision (EU) |
| OpenAI | United States | UK IDTA / UK Addendum to EU SCCs |
| Polar | EU | UK adequacy decision (EU) |
| Vercel | Global (edge network) | UK IDTA / UK Addendum to EU SCCs |
9.3 The specific transfer mechanisms and supplementary measures are described in Annex C.
9.4 If the Processor becomes aware that an International Transfer safeguard has been invalidated by a court or regulatory authority, the Processor shall promptly notify the Controller and work with the Controller to implement alternative safeguards or, where no adequate safeguard is available, cease the relevant transfer.
10. Data Subject Rights
10.1 If the Processor receives a request directly from a Data Subject exercising their rights under UK GDPR in respect of Client Data, the Processor shall promptly notify the Controller and shall not respond to the request directly, unless instructed by the Controller or required by applicable law.
10.2 The Processor shall provide reasonable technical and organisational assistance to enable the Controller to respond to Data Subject requests within the timeframe required by UK GDPR (one calendar month from receipt, extendable by a further two months for complex or numerous requests).
10.3 The Processor shall make available platform features that enable the Controller to fulfil Data Subject rights directly where practicable, including the ability to view, export, and delete individual client records.
10.4 Where the Processor's assistance involves material cost or effort beyond what is provided through standard platform features, the Processor may charge a reasonable fee for such assistance, provided the fee is agreed with the Controller in advance.
11. DPIA and Prior Consultation
11.1 The Processor shall provide reasonable assistance to the Controller in carrying out any Data Protection Impact Assessment (DPIA) under Article 35 of UK GDPR that relates to the Processing carried out under this DPA, taking into account the nature of the Processing and the information available to the Processor.
11.2 The Processor shall provide reasonable assistance to the Controller in relation to any prior consultation with the Supervisory Authority under Article 36 of UK GDPR, where the Controller is required to consult the ICO before carrying out Processing.
11.3 The Processor's assistance under this Section may include providing information about the Processing activities, technical and organisational measures, and Sub-processors, as reasonably necessary for the Controller's DPIA or consultation.
12. Audit Rights
12.1 The Controller may audit the Processor's compliance with this DPA up to once per calendar year, upon at least 30 days' written notice to the Processor.
12.2 Audits shall be conducted during normal business hours (Monday to Friday, 9:00–17:00 GMT/BST) and must not unreasonably disrupt the Processor's operations or the service provided to other controllers.
12.3 The Controller shall bear the costs of any audit, including travel, third-party auditor fees, and the Controller's own costs. However, if an audit reveals a material non-compliance with this DPA, the Processor shall bear the reasonable costs of that audit.
12.4 The Processor may satisfy audit requests by providing:
- (a) A summary of its most recent third-party security audit or certification (e.g., SOC 2 reports from its Sub-processors), together with a written statement of the Processor's own compliance measures; or
- (b) Written responses to a reasonable compliance questionnaire provided by the Controller.
12.5 If a third-party audit report or compliance questionnaire response reasonably addresses the Controller's concerns about the Processor's compliance, the Controller shall accept it in lieu of an on-site audit.
12.6 The Controller shall treat all information obtained through an audit as confidential and shall not disclose it to any third party (except the Controller's professional advisers, who must be bound by equivalent confidentiality obligations) without the Processor's prior written consent.
13. Liability
13.1 Each party's liability arising under or in connection with this DPA is subject to the limitations and exclusions set out in Section 12 of the Terms of Service (Limitation of Liability).
13.2 Nothing in this Section 13 or in the Terms of Service shall limit either party's liability for breaches of Data Protection Laws to the extent that such limitation is not permitted by applicable law.
13.3 Nothing in this DPA excludes or limits liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited under applicable law.
14. Term and Termination
14.1 This DPA takes effect on the date the Controller creates a TheraScript account and terminates automatically when the Controller's account is closed, subject to the post-termination obligations set out in this Section.
14.2 On termination:
- (a) Voluntary termination or termination without cause: The Controller will have 30 days from the date of termination to export Client Data using the platform's export tools, consistent with Section 14 of the Terms of Service. After the 30-day export window, the Processor shall delete all Client Data within 30 days, except where retention is required by applicable law.
- (b) Termination for material breach: The Processor shall delete Client Data within a timeframe it determines is appropriate, taking into account data protection obligations. The Processor shall comply with any Data Subject requests regardless of the reason for termination.
14.3 Where the Processor is required by applicable law to retain any Client Data after termination, the Processor shall inform the Controller of the legal requirement and the specific data retained, and shall continue to protect that data in accordance with this DPA.
14.4 The following provisions survive termination of this DPA:
- (a) Confidentiality obligations (Section 5.2) — indefinitely;
- (b) Audit rights (Section 12) — for 12 months following termination;
- (c) Liability provisions (Section 13) — indefinitely;
- (d) Any provision necessary to give effect to the deletion or return of Client Data under this Section 14.
15. General Provisions
15.1 Governing Law. This DPA is governed by and construed in accordance with the laws of England & Wales, consistent with Section 17 of the Terms of Service.
15.2 Precedence. In the event of any conflict or inconsistency between this DPA and the Terms of Service, this DPA shall prevail in respect of data protection matters. In all other respects, the Terms of Service shall prevail.
15.3 Amendments. No amendment to this DPA shall be effective unless it is in writing and agreed by both parties. The Processor may update the Annexes to this DPA (including the Sub-processor list, technical measures, and transfer mechanisms) in accordance with the notification procedures set out in this DPA.
15.4 Notices. Any notice required under this DPA shall be sent to the address associated with the relevant party's account (for the Controller) or via the Processor's contact form, selecting "Legal & Compliance" (for the Processor), unless otherwise specified.
15.5 Severability. If any provision of this DPA is found to be unenforceable or invalid by a court of competent jurisdiction, that provision shall be limited or removed to the minimum extent necessary, and the remaining provisions shall continue in full force and effect.
15.6 Third-Party Rights. A person who is not a party to this DPA has no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this DPA.
15.7 Entire DPA. This DPA, together with the Annexes and the Terms of Service, constitutes the complete data processing agreement between the Controller and the Processor with respect to the Processing of Client Data through the TheraScript platform.
Annex A — Sub-processor List
Last updated: 1 March 2026
The following Sub-processors are authorised by the Controller under Section 8.1 of this DPA.
| Sub-processor | Purpose | Data Processed | Location | Transfer Safeguard |
|---|---|---|---|---|
| Convex | Database and backend logic | All application data (client profiles, generated scripts, survey responses, plan snapshots) | United States | UK IDTA / UK Addendum to EU SCCs |
| Clerk | Authentication and identity management | Email address, name, profile picture, session tokens | United States | UK IDTA / UK Addendum to EU SCCs |
| Google Cloud (TTS) | Text-to-speech audio generation | Script text (including phonetic names and therapeutic content) | United States / EU | UK IDTA / UK Addendum to EU SCCs; UK adequacy decision (EU) |
| OpenAI | AI-assisted script generation and text-to-speech audio generation | Script generation prompts, anonymised client profile signals, client name (when personalised), module content; script text for TTS audio synthesis (including phonetic names) | United States | UK IDTA / UK Addendum to EU SCCs |
| Polar | Subscription billing | Email address, billing details, subscription status | EU | UK adequacy decision (EU) |
| Vercel | Web hosting and edge functions | Request metadata, session cookies | Global (edge network) | UK IDTA / UK Addendum to EU SCCs |
Notes:
- OpenAI processes data under a zero-retention API agreement — prompts, TTS inputs, and outputs are not stored by OpenAI for training or any purpose beyond fulfilling the immediate API request.
- Convex and Vercel maintain SOC 2 Type II certifications.
- The Processor will notify the Controller at least 30 days before adding or replacing any Sub-processor listed above, in accordance with Section 8.2.
Annex B — Technical and Organisational Measures
The Processor implements the following technical and organisational measures to protect Client Data, as required by Section 5.3 of this DPA and Article 32 of UK GDPR.
B.1 Encryption
- In transit: All data transmitted between the Controller's browser and the TheraScript platform is encrypted using TLS 1.2 or higher.
- At rest: Client Data stored in the database (Convex) and by Sub-processors is encrypted at rest using AES-256 or equivalent encryption standards provided by the infrastructure provider.
B.2 Access Controls
- Role-based access: Access to Client Data within the Processor's organisation is restricted on a role-based, need-to-know basis.
- Principle of least privilege: Personnel are granted the minimum level of access necessary to perform their duties.
- Administrative access: Multi-factor authentication (MFA) is required for all administrative access to production systems and Sub-processor dashboards.
B.3 Authentication
- Practitioner authentication: Managed by Clerk, which provides secure password policies (minimum length, complexity requirements), optional multi-factor authentication for practitioners, and session management with automatic expiry.
- API authentication: All API calls between TheraScript and Sub-processors are authenticated using secure API keys or OAuth tokens, transmitted only over encrypted connections.
B.4 Infrastructure Security
- Hosting: The TheraScript platform is hosted on Vercel, which provides SOC 2 Type II certified edge infrastructure with DDoS protection and automatic scaling.
- Database: Client Data is stored in Convex, a managed database platform with SOC 2 Type II certification, automatic encryption, and network isolation.
- No direct database access: Client Data is accessed exclusively through Convex's query and mutation API — there is no direct database connection or SQL access.
B.5 Data Segregation
- Each Controller's Client Data is logically separated by workspace within the database. Controllers cannot access another Controller's data through the platform.
B.6 Backup and Recovery
- Automatic backups: Managed by Convex with automatic, continuous backups and point-in-time recovery capability.
- Recovery testing: The Processor periodically verifies that backup restoration procedures function correctly.
B.7 Incident Response
- The Processor maintains a documented incident response procedure covering detection, classification, containment, investigation, notification, and remediation.
- Personal data breaches are notified to the Controller within 72 hours, as described in Section 7 of this DPA.
B.8 Personnel
- All personnel with access to Client Data (employees, contractors, and agents) are bound by written confidentiality obligations.
- Personnel receive guidance on data protection responsibilities relevant to their role.
B.9 Logging and Monitoring
- Server logs: Retained for 90 days, including access logs, error logs, and authentication events.
- Access logging: Administrative access to production systems and Sub-processor dashboards is logged.
- Anomaly detection: Monitoring is in place to detect unusual access patterns or potential security incidents.
B.10 Deletion
- Client Data is deleted or anonymised at the end of the applicable retention period, as described in Section 14 of this DPA.
- Controllers can delete individual client records at any time through the platform's built-in delete functionality.
- Deletion requests are propagated to Sub-processors in accordance with their data processing agreements.
Annex C — International Transfer Mechanisms
C.1 Primary Transfer Mechanism
Where Client Data is transferred from the United Kingdom to a country or territory that is not subject to a UK adequacy decision, the Processor relies on one of the following approved transfer mechanisms:
- UK International Data Transfer Agreement (IDTA) — the standard data transfer contract approved by the ICO under Section 119A of the Data Protection Act 2018; or
- UK Addendum to EU Standard Contractual Clauses — the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as approved by the ICO.
The applicable mechanism for each Sub-processor is identified in Annex A.
C.2 Supplementary Measures
In addition to the contractual transfer mechanisms, the Processor implements the following supplementary measures to protect Client Data during International Transfers:
- Encryption in transit and at rest — all Client Data is encrypted during transfer and while stored by Sub-processors (see Annex B, Section B.1).
- Access controls — Sub-processor access to Client Data is limited to what is necessary for the specific processing purpose (see Annex B, Section B.2).
- Sub-processor security certifications — the Processor selects Sub-processors that maintain recognised security certifications (e.g., SOC 2 Type II) and that contractually commit to data protection standards consistent with UK GDPR.
- Zero-retention AI processing — OpenAI processes generation requests under a zero-retention agreement, meaning Client Data included in prompts is not stored beyond the immediate request.
C.3 Transfer Impact Assessment
The Processor maintains a transfer impact assessment (TIA) that evaluates the laws and practices of each destination country in relation to the protection of Client Data. The TIA considers:
- The legal framework of the destination country, including government access powers;
- The nature and sensitivity of the Client Data being transferred;
- The contractual, technical, and organisational safeguards in place;
- The Sub-processor's track record and security posture.
The TIA is reviewed annually and updated when there is a material change in circumstances. A summary of the TIA is available to the Controller on request.
TheraScripts, 167-169 Great Portland Street, London, England, W1W 5PF
Contact form: therascript.com/contact
This Data Processing Agreement was last updated on 1 March 2026.