1. Parties & scope
This Data Processing Agreement ("DPA") is entered into between:
- Thinkerwave AITech Private Limited, operator of Torbi, acting as Processor ("Torbi"), and
- The Customer identified on the applicable Order Form or account, acting as Controller.
It applies to Torbi's processing of Personal Data on behalf of Customer in connection with the Service. It is incorporated into, and forms part of, the Terms of Service between the parties.
To the extent of any conflict on data-protection matters, this DPA prevails. To the extent the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) or the UK International Data Transfer Addendum apply, they also prevail over conflicting terms.
2. Definitions
Capitalised terms not defined here have the meaning in the Terms of Service or in applicable Data Protection Law. In addition:
- Data Protection Law — the GDPR (Regulation (EU) 2016/679), the UK GDPR, the EU ePrivacy Directive as implemented, the CCPA/CPRA, the DPDP Act, 2023 (India), and any other applicable privacy or data-protection law.
- Personal Data — has the meaning given by Data Protection Law; here, Personal Data within Customer Data that Torbi Processes on Customer's behalf.
- Processing, Controller, Processor, Data Subject, Personal Data Breach, Supervisory Authority, and Special Categories — as defined in the GDPR.
- Subprocessor — a third party engaged by Torbi to Process Personal Data on its behalf.
- SCCs — the European Commission's Standard Contractual Clauses (Decision 2021/914), Module Two (Controller-to-Processor).
- UK Addendum — the International Data Transfer Addendum to the SCCs issued by the UK ICO.
3. Roles & instructions
For Personal Data within Customer Data, Customer is the Controller and Torbi is the Processor (or, as applicable, sub-processor of a Controller upstream of Customer).
Torbi will Process Personal Data only:
- For the purposes described in Annex A;
- In accordance with Customer's documented lawful instructions, which the Service itself, the Order Form, the Terms of Service, this DPA, and Customer's use of the Service collectively constitute;
- As required by applicable law — in which case Torbi will, unless prohibited, notify Customer first.
If Torbi believes an instruction infringes Data Protection Law, it will inform Customer without undue delay.
4. Confidentiality
Torbi ensures that personnel authorised to Process Personal Data are bound by confidentiality obligations (contractual or statutory) and Process only on a need-to-know basis.
5. Security measures
Torbi implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including those described in Annex B. We review and update these measures periodically.
6. Subprocessors
6.1 General authorisation
Customer provides general authorisation for Torbi to engage Subprocessors, provided that Torbi:
- Maintains an up-to-date list at torbi.ai/subprocessors;
- Imposes written terms on each Subprocessor materially equivalent to the obligations on Torbi under this DPA;
- Remains liable for the acts and omissions of its Subprocessors as for its own;
- Gives Customer at least 30 days' prior notice of new or replacement Subprocessors via the Subprocessors page and (for customers on a Subprocessor-change mailing list) by email.
6.2 Objection
Customer may object to a new Subprocessor on reasonable data-protection grounds within 30 days. The parties will discuss in good faith. If no resolution is reached, Customer may terminate the affected portion of the Service with a pro-rated refund for prepaid, unused fees.
7. Data-subject rights
Taking into account the nature of Processing, Torbi will provide reasonable assistance — through appropriate technical and organisational measures and, where possible, in-product self-serve — to help Customer respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. If Torbi receives a request directly, it will (unless legally prohibited) forward it to Customer without undue delay and not respond except on Customer's instruction or as required by law.
8. Personal-data breaches
Torbi will notify Customer of a Personal Data Breach affecting Customer's Personal Data without undue delay and in any event within 72 hours of becoming aware. Notification will include the information reasonably required to meet Customer's own notification duties (nature, categories and approximate number of Data Subjects and records, likely consequences, measures taken or proposed).
9. DPIA & prior consultation
Torbi provides reasonable assistance to Customer in carrying out Data Protection Impact Assessments and prior consultations with Supervisory Authorities, to the extent the information is available to Torbi and Customer cannot reasonably obtain it elsewhere.
10. Audits
Torbi makes available all information reasonably necessary to demonstrate compliance with this DPA. Customer may exercise audit rights:
- By reviewing Torbi's then-current SOC 2 Type II report, ISO 27001 certificate, and security whitepaper, which Torbi provides on request under NDA;
- By submitting a written security questionnaire — Torbi will respond within 30 days;
- Where the above are insufficient to meet Customer's regulatory obligation, by on-site audit at Torbi's premises during business hours, on at least 30 days' written notice, no more than once per 12 months (and on shorter notice in the case of a regulator-mandated audit or following a confirmed Personal Data Breach).
Audits are at Customer's expense and may not unreasonably interfere with operations or disclose other customers' confidential data.
11. International transfers
Where Torbi transfers Personal Data of EU/EEA Data Subjects outside the EEA to a country without an adequacy decision, the SCCs (Module Two) apply and are incorporated by reference, with this DPA serving as the appendices. Where transfers involve UK Data Subjects, the UK Addendum applies and is incorporated by reference. Where transfers involve Swiss Data Subjects, the SCCs apply with Swiss-specific modifications (FDPIC).
Module-Two clause selections: Clause 7 — docking clause does not apply; Clause 9 — Option 2 (general authorisation, 30 days' notice); Clause 11(a) — independent dispute resolution does not apply; Clause 17 — Option 1 (law of Ireland); Clause 18 — Irish courts.
12. Return & deletion
On termination or expiry of the Service, Customer may export Customer Data through in-product tools for 30 days. After 30 days (or earlier on Customer's written request), Torbi will delete Customer Data, including any copies, except where retention is required by applicable law (e.g. tax and accounting records).
13. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions in the Terms of Service, except where those limitations are not permitted under applicable law.
14. Term
This DPA takes effect on the Effective Date stated above and continues until termination of the Terms of Service, save for those provisions which by their nature survive (including those relating to confidentiality, audits, return and deletion, and international transfers).
Annex A — Description of processing
| Subject matter | Provision of the Torbi Service to Customer, including B2B prospect discovery, matching, outreach assistance, and pipeline management. |
| Duration | For the term of the Subscription, plus the limited retention periods set out in the Privacy Policy and Section 12. |
| Nature & purpose | Hosting Customer Data; running Torbi's matching and ranking models; generating outreach drafts; sending outreach via Customer-connected accounts; storing pipeline and tracking data; supporting Customer. |
| Types of Personal Data | Business contact details (work email, work phone, job title, employer, business social profile), Customer end-user account data (name, work email, role), connected-account metadata, usage and log data. No Special Categories intended. |
| Categories of Data Subjects | Customer's employees and authorised users; recipients of Customer outreach (B2B contacts at prospect organisations). |
| Frequency | Continuous, for the duration of the Subscription. |
| Recipients | Torbi personnel on a need-to-know basis; authorised Subprocessors listed in Annex C; Customer's connected third-party tools, at Customer's instruction. |
Annex B — Technical & organisational measures
- Encryption — TLS 1.2+ in transit; AES-256 at rest for application data and backups; customer-managed key option for Enterprise on request.
- Access control — least-privilege role-based access; mandatory MFA for all production access; SSO/SAML for staff; quarterly access reviews.
- Network security — private subnets; managed WAF; DDoS protection; least-privilege egress; private connectivity to data stores.
- Logical separation — single-tenant logical isolation per workspace; row-level scoping enforced at the data layer.
- Vulnerability management — automated dependency scanning; SCA + SAST on every PR; quarterly internal pentests; annual external pentest; coordinated-disclosure programme at security@torbi.ai.
- Personnel — background screening commensurate with role; security & privacy training on hire and annually; written confidentiality obligations.
- Incident response — 24×7 on-call; documented IR playbook; tabletop exercises bi-annually; breach notification under Section 8.
- Business continuity — multi-AZ architecture; daily encrypted backups with 30-day retention; tested restore procedures; documented RTO 4h / RPO 1h for production data stores.
- Certifications — SOC 2 Type II (annual); ISO/IEC 27001 (in scope). Reports available under NDA.
- Subprocessors — required to maintain equivalent measures and certifications; reviewed annually.
Annex C — Subprocessors
The current list of Subprocessors authorised under this DPA is maintained at torbi.ai/subprocessors. Customer may subscribe there to receive email notice of additions and replacements.
Want a counter-signed copy? Most customers can rely on this DPA as written without further signature, as it is incorporated by reference into the Terms of Service. If your procurement team requires a counter-signed copy for the file (or a custom edit), email legal@torbi.ai and we'll send a signable PDF.
Note for review. This DPA is provided as a working draft consistent with the SCCs Module Two and the UK Addendum, plus alignment with the DPDP Act, 2023. Before publishing publicly, please have it reviewed by qualified counsel, finalise the SCC clause-selection options to match how the business will operate, and confirm Annexes A–C reflect the live programme.