Data Processing Agreement
ThinkNEO AI Technology Co., Limited
Last updated: 25 April 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between ThinkNEO AI Technology Co., Limited ("Processor", "ThinkNEO") and the entity agreeing to these terms ("Controller", "Customer").
This DPA is entered into in accordance with Article 28 of the EU General Data Protection Regulation (GDPR) and applies to all processing of personal data by ThinkNEO on behalf of the Customer.
1. Definitions
Terms not defined here have the meanings given in the GDPR or the Terms of Service.
- "Personal Data" — any information relating to an identified or identifiable natural person that the Customer transmits through the Service.
- "Processing" — any operation performed on Personal Data, including collection, storage, transmission, retrieval, and deletion.
- "Sub-processor" — a third party engaged by ThinkNEO to process Personal Data on behalf of the Customer.
- "Data Subject" — the identified or identifiable natural person to whom the Personal Data relates.
- "SCCs" — the Standard Contractual Clauses approved by the European Commission (Implementing Decision (EU) 2021/914).
2. Roles & Scope
2.1. Customer is the Controller. Customer determines the purposes and means of processing Personal Data.
2.2. ThinkNEO is the Processor. ThinkNEO processes Personal Data solely on Customer's documented instructions and only to the extent necessary to provide the Service.
2.3. Categories of Data Subjects: Customer's end users, employees, and any individuals whose data is transmitted through the Service.
2.4. Types of Personal Data: Account information (name, email), request metadata (timestamps, endpoints, response sizes), and — only if the Customer enables the Audit Log feature — prompt content and model outputs.
2.5. Duration: Processing continues for the duration of the Customer's subscription and the post-termination retention period specified in Section 10.
3. Customer Instructions
3.1. ThinkNEO shall process Personal Data only in accordance with the Customer's documented instructions, which are defined by:
- These Terms and this DPA;
- The Customer's Workspace configuration (e.g., enabling/disabling Audit Logs, selecting Providers);
- Any additional written instructions agreed by both parties.
3.2. If ThinkNEO believes an instruction infringes applicable data protection law, ThinkNEO will notify the Customer promptly.
4. Sub-processors
4.1. The Customer grants ThinkNEO general authorization to engage Sub-processors, subject to the conditions below.
4.2. Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA / EU |
| Resend | Transactional email | USA |
| DigitalOcean | Infrastructure hosting | USA |
| AWS | Encrypted backups | USA |
| Plausible Analytics | Privacy-first analytics | EU |
An up-to-date list is maintained in the Privacy Policy.
4.3. AI Providers (OpenAI, Anthropic, Google, NVIDIA, Meta, Mistral, DeepSeek, Alibaba, Cohere, xAI) process data only when directed by the Customer's routing configuration. These are Customer-directed transfers, not ThinkNEO Sub-processors.
4.4. Notification. ThinkNEO will notify the Customer at least 30 days before engaging a new Sub-processor. The Customer may object in writing within that period. If the objection cannot be resolved, the Customer may terminate the affected Service without penalty.
4.5. Sub-processor Obligations. ThinkNEO imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA.
5. Technical & Organizational Measures (TOMs)
ThinkNEO implements and maintains the following measures to protect Personal Data:
5.1 Encryption
- At rest: AES-256 encryption for all stored data, including backups.
- In transit: TLS 1.3 for all API and dashboard connections. No fallback to TLS 1.1 or below.
5.2 Access Control
- Role-Based Access Control (RBAC) across the Service and internal systems.
- Multi-Factor Authentication (MFA) required for all ThinkNEO administrators.
- Principle of least privilege enforced for all system access.
- API key authentication with scoped permissions for programmatic access.
5.3 Audit Logging
- Default retention: 90 days of access and change logs.
- Enterprise retention: Configurable up to 7 years.
- Logs include actor identity, action, timestamp, and affected resource.
- Logs are immutable during the retention period.
5.4 Application Security
- Static Application Security Testing (SAST) gates in the CI pipeline:
  - Bandit (Python): zero HIGH findings policy
  - Semgrep: custom rulesets for secrets, injection, and auth patterns
- No hardcoded credentials; secrets managed via environment variables and vault.
- Dependency vulnerability scanning on every build.
5.5 Incident Response
- Documented incident response plan with defined severity levels.
- 72-hour notification to the Customer and relevant supervisory authority for Personal Data breaches, in compliance with GDPR Article 33.
- Notification includes: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed.
5.6 Backup & Recovery
- Daily encrypted backups (AES-256).
- 30-day backup retention.
- Backup restoration tested quarterly.
5.7 Personnel
- All ThinkNEO personnel with access to Personal Data are bound by confidentiality obligations.
- Data protection awareness as part of onboarding.
6. Data Subject Requests
6.1. If ThinkNEO receives a request directly from a Data Subject, ThinkNEO will redirect the Data Subject to the Customer (unless legally prohibited from doing so).
6.2. ThinkNEO will assist the Customer in fulfilling Data Subject requests (access, rectification, erasure, portability, restriction, objection) within 30 calendar days of receiving the Customer's written instruction, in accordance with GDPR Article 12(3).
6.3. ThinkNEO provides self-service data export and deletion tools in the Workspace settings. For requests that cannot be fulfilled via self-service, email legal@thinkneo.ai.
7. International Data Transfers
7.1. To the extent that Personal Data originating in the EU/EEA or UK is transferred to a jurisdiction without an adequacy decision, the parties agree that such transfers are governed by the Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor), as annexed to this DPA.
7.2. For transfers from the UK, the UK International Data Transfer Agreement (IDTA) applies.
7.3. ThinkNEO will implement supplementary measures (e.g., encryption, pseudonymization) where required by applicable law or supervisory authority guidance.
8. Audit Rights
8.1. The Customer (or an independent third-party auditor appointed by the Customer) may audit ThinkNEO's compliance with this DPA once per calendar year.
8.2. The Customer must provide 30 days' written notice before conducting an audit.
8.3. Audits are conducted during normal business hours and shall not unreasonably interfere with ThinkNEO's operations.
8.4. The Customer bears the cost of the audit unless the audit reveals a material breach by ThinkNEO.
8.5. ThinkNEO will make available all information necessary to demonstrate compliance, including security documentation, audit log samples, and TOM evidence.
9. Data Protection Impact Assessment
ThinkNEO will provide reasonable assistance to the Customer in conducting a Data Protection Impact Assessment (DPIA) where required under GDPR Article 35, and in any prior consultation with supervisory authorities under Article 36.
10. Term & Termination
10.1. This DPA remains in effect for the duration of the Customer's use of the Service.
10.2. Upon termination or expiration of the Service:
- ThinkNEO will continue to protect any retained Personal Data in accordance with this DPA.
- Customer Data is retained for 30 days, during which the Customer may export it.
- After 30 days, all Customer Personal Data is permanently and irreversibly deleted, including from backups (within the next backup rotation cycle, not exceeding 30 additional days).
10.3. ThinkNEO will certify deletion in writing upon the Customer's request.
11. Liability
The liability of each party under this DPA is subject to the limitations set out in the Terms of Service, Section 10 (Limitation of Liability).
12. Conflict
In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
13. Acceptance
This DPA is accepted by:
- Self-serve Customers: Checking the "I agree to the Terms of Service and Data Processing Agreement" checkbox during account registration.
- Enterprise Customers: Executing a separate copy of this DPA via DocuSign or equivalent electronic signature as part of the Enterprise order form.
14. Contact
For questions about this DPA:
ThinkNEO AI Technology Co., Limited
Data Protection Contact
Hong Kong SAR
Email: privacy@thinkneo.ai
Annex A — Standard Contractual Clauses
The Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by European Commission Implementing Decision (EU) 2021/914 are incorporated by reference and apply to all transfers of Personal Data from the EU/EEA to ThinkNEO.
The completed Appendices to the SCCs are:
Appendix I — List of Parties
- Data Exporter (Controller): The Customer, as identified in the account registration.
- Data Importer (Processor): ThinkNEO AI Technology Co., Limited, Hong Kong SAR.
Appendix II — Description of Transfer
- Data Subjects: Customer's end users and employees.
- Categories of Data: Account information, request metadata, and (if enabled) audit log content.
- Frequency: Continuous, for the duration of the Service.
- Nature of Processing: Routing, logging, monitoring, and governance of AI API requests.
- Retention: As described in Section 10 of this DPA.
Appendix III — Technical & Organizational Measures
As described in Section 5 of this DPA.