Data Processing Agreement Template

Available for BUSINESS tier and above. Last updated: 7 April 2026.

This DPA template is available to customers on the BUSINESS, ENTERPRISE, and PLATFORM tiers.

To request a completed DPA with your organisation's details, contact legal@thornlayer.com with your account email and company name.

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Data Controller: [Customer Organisation Name]
  • Data Processor: CoreSeed Ltd, Aylesbury, Buckinghamshire, United Kingdom

2. Scope of Processing

CoreSeed Ltd processes data on behalf of the Controller solely for the purpose of providing the Thorn Layer proxy service. Processing consists of in-memory analysis of API request content for security purposes. No request content is persisted to any storage layer.

3. Data Processed

  • API request content: processed in memory only, not stored
  • Usage metadata: request counts, timestamps, and outcomes (stored for billing)
  • Account data: email address, billing information (via Stripe)

4. Data Residency

Account data is stored in the EU region (Supabase EU). Edge processing occurs on Cloudflare's global network. No request content is stored in any region.

5. Sub-Processors

  • Cloudflare, Inc. — edge processing infrastructure
  • Supabase, Inc. — account data storage (EU region)
  • Stripe, Inc. — payment processing
  • Resend, Inc. — transactional email delivery
  • Functional Software, Inc. (Sentry) — error monitoring

6. Security Measures

CoreSeed Ltd implements the following security measures:

  • Encryption in transit (TLS) for all API communications
  • Encryption at rest for all stored account data
  • No persistence of request content — in-memory processing only
  • API key hashing before storage
  • Role-based access control
  • VPS hardening (firewall, intrusion detection, key-based SSH)

7. Data Subject Rights

CoreSeed Ltd will assist the Controller in responding to data subject requests under UK GDPR, including access, rectification, erasure, and portability requests.

8. Breach Notification

CoreSeed Ltd will notify the Controller of any personal data breach without undue delay and in any event within 72 hours of becoming aware of the breach.

9. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, CoreSeed Ltd will delete all personal data within 30 days unless retention is required by law.

10. Governing Law

This DPA is governed by the laws of England and Wales, subject to UK GDPR and the Data Protection Act 2018.