ThriveThrive← Back to home

Data Processing Agreement

Last updated: 13 June 2026 · Version: 1.1

This Data Processing Agreement ("DPA") is incorporated by reference into the Master Services Agreement between the customer ("Controller") and Thrive UK Limited ("Processor"). It satisfies Article 28 of the UK GDPR.

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller solely to deliver Thrive Data Connect and Thrive Engine for the duration of the MSA.

2. Nature and purpose of processing

Configurable extraction of operational data from the Controller's nursery management system, normalisation into the Thrive canonical data model, storage, and provision to the Thrive Engine assessment workflow.

3. Categories of data subjects

  • Customer admin users and practitioners (account holders).
  • Setting staff (pseudonymised, role-and-qualification only).

Children are not data subjects of this processing. The system is structurally designed to exclude child-identifiable data.

4. Categories of personal data

Account credentials, setting profile, aggregated attendance, pseudonymised staff records, aggregated observation summaries, audit-log entries.

5. Processor obligations

  • Process only on documented instructions from the Controller.
  • Ensure persons authorised to process are bound by confidentiality.
  • Implement Article 32 technical and organisational measures (see §8).
  • Assist with data-subject rights, DPIA and breach reporting.
  • Delete or return personal data at the end of the engagement.
  • Make available all information necessary to demonstrate compliance and allow audits.

6. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed below. Thrive will give 30 days' notice of additions; the Controller may object on reasonable data-protection grounds.

  • Amazon Web Services EMEA SARL — hosting, UK & Ireland regions.
  • Supabase (Lovable Cloud) — managed PostgreSQL, authentication.
  • Sentry — error monitoring (EU region).
  • Resend — transactional email (EU region).

7. International transfers

Processing takes place in the UK (eu-west-2) with EEA backup (eu-west-1). No transfers outside the UK/EEA are made under this DPA.

8. Security measures (Article 32)

  • Encryption in transit (TLS 1.2+) and at rest (AES-256, AWS KMS).
  • JWT authentication with 24-hour rolling expiry; MFA mandatory for Thrive admin.
  • Role-based access control; least-privilege IAM; quarterly access review.
  • Full audit trail of data-access events.
  • Automated daily backups with 30-day retention; tested restoration.
  • Vulnerability scanning, dependency monitoring, Cyber Essentials target end of Year 1.

9. Personal data breach

The Processor notifies the Controller without undue delay and at the latest within 48 hours of becoming aware of a personal data breach, with information sufficient to meet the Controller's Article 33 reporting obligations.

10. Audit

The Controller may audit on 30 days' notice, up to once per year, at the Controller's cost, subject to confidentiality.

11. Liability and governing law

Liability is governed by the MSA. This DPA is governed by the laws of England and Wales.

12. Signing

This DPA is electronically accepted when the Controller's authorised representative signs the MSA or creates a Thrive account and confirms acceptance.