Data Processing Addendum (DPA)
Effective Date: 17/07/2026
Last Updated: 17/07/2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Thrive Theory Ltd, a company incorporated in England and Wales (Company No. 15782970) trading as Steddi (“Processor”, “Steddi”, “we”, “us” or “our”), and the customer using the Services (“Controller”, “Customer”, “you” or “your”).
This DPA applies whenever Thrive Theory Ltd processes Personal Data on behalf of a Customer in connection with the Services.
This DPA supplements the Terms of Service and is intended to satisfy the requirements of Article 28 UK GDPR and, where applicable, the EU GDPR.
If there is any conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA prevails to the extent of that conflict.
1. Definitions
Unless otherwise defined in the Terms of Service: Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing, Subprocessor, Supervisory Authority and Special Category Data have the meanings given by applicable Data Protection Laws.
Data Protection Laws means all applicable legislation relating to privacy and the processing of Personal Data, including the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR.
Services means the Steddi platform together with any implementation, consultancy or support services provided under the Agreement.
2. Scope
This DPA applies only where Thrive Theory Ltd processes Personal Data on behalf of the Customer as a Processor.
Nothing in this DPA applies where Thrive Theory Ltd processes Personal Data as an independent Controller, including processing relating to: its own employees; prospective customers; website visitors; marketing activities; supplier relationships; or internal business administration.
Those activities are described in the Privacy Policy.
3. Roles of the Parties
For Customer Personal Data processed through the Services: the Customer acts as the Controller; Thrive Theory Ltd acts as the Processor.
The Customer remains responsible for determining: the purposes of Processing; the lawful basis for Processing; compliance with applicable Data Protection Laws.
Thrive Theory Ltd will Process Personal Data only: on the Customer’s documented instructions; as necessary to provide the Services; to comply with applicable law.
4. Processing Instructions
The Customer instructs Thrive Theory Ltd to Process Personal Data as necessary to: provide the Platform; host Customer Data; deliver implementation services; provide customer support; perform agreed consultancy; provide AI functionality requested by the Customer; maintain, secure and improve the Services; comply with legal obligations.
If Thrive Theory Ltd believes an instruction breaches applicable Data Protection Laws, we will notify the Customer unless prohibited by law.
5. Nature of the Processing
Processing may include: collection; recording; organisation; storage; retrieval; consultation; analysis; transmission; hosting; structuring; automation; reporting; deletion; destruction.
Processing occurs solely for the purpose of providing the Services requested by the Customer.
6. Customer Responsibilities
The Customer warrants that: it has all necessary rights to provide Personal Data to Thrive Theory Ltd; it has identified an appropriate lawful basis for Processing; it has provided any required privacy notices; it has obtained any required consents; its use of the Services complies with applicable law.
The Customer remains responsible for: the accuracy of Personal Data; determining retention periods; responding to Data Subject requests; compliance with electronic marketing laws.
7. Thrive Theory Ltd Obligations
Thrive Theory Ltd will: Process Personal Data only on documented instructions unless otherwise required by law; ensure persons authorised to Process Personal Data are subject to appropriate confidentiality obligations; implement appropriate technical and organisational measures; notify the Customer where legally required following a Personal Data Breach; assist the Customer where reasonably required under applicable Data Protection Laws; delete or return Personal Data in accordance with this DPA following termination of the Services.
8. Confidentiality
Anyone authorised by Thrive Theory Ltd to Process Personal Data is subject to contractual or statutory confidentiality obligations.
Access to Personal Data is limited to personnel who require access to provide the Services.
9. Security
Taking into account the nature of the Processing, the risks involved and available technology, Thrive Theory Ltd implements appropriate technical and organisational measures designed to protect Personal Data.
These measures include organisational controls together with security capabilities provided by the underlying platform infrastructure.
Security measures may include: encrypted communications; encryption at rest where supported by infrastructure providers; role-based access controls; user authentication; audit logging; access management; vendor risk management; security monitoring; incident response procedures; regular software updates.
Security measures evolve over time to reflect changing risks and technology. Nothing in this DPA guarantees that any system can be completely secure.
Because the Platform operates on shared cloud infrastructure, security is a shared responsibility between Thrive Theory Ltd and the Customer.
The Customer remains responsible for: managing Authorised Users; protecting credentials; enabling available security features where appropriate; securing connected third-party accounts.
10. Artificial Intelligence Processing
Certain Services use artificial intelligence supplied by approved third-party providers.
Where AI functionality is used: Customer Data may be processed solely to generate the requested output; Thrive Theory Ltd does not use Customer Data to train its own artificial intelligence models; AI providers may Process Customer Data only to deliver the requested AI functionality in accordance with their contractual obligations.
Use of AI Features forms part of the Customer’s documented instructions under this DPA.
11. Subprocessors
The Customer authorises Thrive Theory Ltd to appoint Subprocessors where reasonably necessary to provide the Services.
Current Subprocessors are listed at: [INSERT SUBPROCESSOR URL].
Current Subprocessors are expected to include providers such as: HighLevel; Stripe; OpenAI; Google; Twilio; Meta; Make.com.
Thrive Theory Ltd remains responsible for ensuring Subprocessors are subject to appropriate contractual obligations where required by applicable Data Protection Laws.
We may appoint or replace Subprocessors from time to time. Where changes materially affect Processing, we will update our published Subprocessor List.
12. International Transfers
The Customer acknowledges that certain Services rely upon infrastructure located outside the United Kingdom.
Where Personal Data is transferred internationally, Thrive Theory Ltd will implement appropriate safeguards required by applicable Data Protection Laws.
These safeguards may include: the UK International Data Transfer Agreement; the UK Addendum to the EU Standard Contractual Clauses; adequacy regulations; or other lawful transfer mechanisms. Further information is available upon reasonable request.
13. Data Subject Rights
Taking into account the nature of the Processing, Thrive Theory Ltd will provide reasonable assistance to enable the Customer to respond to requests from Data Subjects.
Where a Data Subject contacts Thrive Theory Ltd directly regarding Personal Data processed on behalf of a Customer, we will normally direct the request to the relevant Customer unless required by law to respond differently.
14. Personal Data Breaches
If Thrive Theory Ltd becomes aware of a Personal Data Breach affecting Customer Personal Data, we will notify the Customer without undue delay where required by applicable law.
Notification will include information reasonably available regarding: the nature of the breach; likely consequences; measures taken or proposed; recommended actions where appropriate.
The parties will cooperate in good faith in responding to the incident.
15. DPIAs and Regulatory Assistance
Where reasonably requested, Thrive Theory Ltd will provide information reasonably necessary to assist the Customer with: Data Protection Impact Assessments; consultations with Supervisory Authorities; demonstrating compliance with applicable Data Protection Laws.
Such assistance may be subject to reasonable charges where substantial work is required.
16. Audits
Upon reasonable written request, Thrive Theory Ltd will provide information reasonably necessary to demonstrate compliance with this DPA.
This may include: security documentation; compliance questionnaires; summaries of technical and organisational measures.
On-site audits will only be permitted where: required by applicable law; reasonably necessary; subject to appropriate confidentiality obligations; conducted during normal business hours; designed to minimise disruption.
Where equivalent independent certifications or audit reports are available, Thrive Theory Ltd may satisfy audit requests by providing those materials instead.
17. Return and Deletion of Personal Data
Following termination of the Services: Customer Data will ordinarily remain available for approximately ninety (90) days; Customers may export their data during that period where available; following expiry of the retention period, Personal Data may be permanently deleted.
Thrive Theory Ltd may retain limited information where required by law or reasonably necessary to establish, exercise or defend legal claims.
18. Liability
Liability arising under this DPA is subject to the limitations and exclusions contained within the Terms of Service except where prohibited by applicable law.
19. Governing Law
This DPA is governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction except where mandatory law requires otherwise.
Annex 1 – Details of Processing
Subject Matter
Provision of the Steddi Platform and related Professional Services.
Duration
For the duration of the Agreement together with any applicable post-termination retention period.
Nature of Processing
Collection; Storage; Organisation; Analysis; Hosting; Transmission; Retrieval; Automation; AI processing; Reporting; Deletion.
Purpose of Processing
CRM; Marketing automation; Sales management; Customer communications; Appointment booking; Reporting; AI-powered functionality; Implementation; Consultancy; Customer support.
Categories of Data Subjects
Customer employees; Customer users; Leads; Prospective customers; Existing customers; Suppliers; Contractors; Other contacts uploaded by the Customer.
Categories of Personal Data
Names; Email addresses; Telephone numbers; Company information; CRM records; Marketing preferences; Communications; Appointment information; Notes; Uploaded files; AI prompts; AI-generated outputs; Other information submitted by the Customer.
Special Category Data
Processing of Special Category Data is not intended as part of the standard Services. Customers should avoid uploading Special Category Data unless they have independently ensured appropriate safeguards and lawful processing.
Annex 2 – Technical and Organisational Measures
Measures implemented include, where appropriate: Cloud-hosted infrastructure; Encryption in transit; Encryption at rest (where supported); Access controls; Role-based permissions; Multi-factor authentication capabilities; Audit logging; Vendor management; Incident response procedures; Secure software updates; Employee confidentiality obligations; Security monitoring; Business continuity measures.
Security measures are reviewed periodically and may evolve over time.
Annex 3 – Approved Subprocessors
An up-to-date list of approved Subprocessors is maintained at: [INSERT SUBPROCESSOR URL].
Expected categories include: Cloud platform provider; Payment processor; AI provider; Messaging provider; Analytics provider; Automation platform; Infrastructure providers; Customer support providers.