Legal Notice, Security and Privacy Policy

Digital assets and products always available, protected and intact.

Privacy Policy

Privacy Notice pursuant to Article 13 of EU Regulation 679/2016

THRON SPA, registered office at Via dei Contarini 5/A, 35016 Piazzola sul Brenta (PD), VAT No. 03586990289, email privacy@thron.com, tel +390495599777, as the data controller (hereinafter, the “Controller”), pursuant to Article 13 of EU Regulation 679/2016 (hereinafter, the “GDPR”), as subsequently amended and supplemented, provides the following information to the data subjects (hereinafter, the “Data Subject”) regarding the processing of personal data collected and processed.

Types of Data, Purpose of Processing and Retention

The following types of data are collected in relation to the regular business activities pursued in the legitimate interest of the Controller.

  1. Anonymous browsing data: no personal data is intentionally collected, although incidental collection cannot be ruled out. Browsing information is derived from automatic processing of technical cookies and no further processing is performed. Any additional data is removed.

  2. Data provided for information requests: only the contact data provided to respond to the request is collected and removed from the systems within one year after the request is closed.

  3. Authenticated browsing data: browsing data is matched with user account data to improve the user experience and ensure accountability for performed operations. The data is stored in the systems for one year, then either anonymized for statistical purposes or permanently deleted, unless required by law for different purposes.

  4. CVs: managed by the HR department for recruitment purposes and processed only for the period stated in the CV itself. If no duration is indicated, the CV is deleted.

  5. Supplier data: collected for fulfilling contractual obligations and may include personal contact details. In such cases, processing is specific to that purpose and data is retained for one additional year after the contract ends, unless legally required to retain it for other purposes.

The information referred to in Article 13 of the Regulation, in cases of unsolicited CVs sent by candidates for employment purposes, is provided at the first useful contact following receipt of the CV. For the purposes referred to in Article 6, paragraph 1, letter b) of the Regulation, consent to process personal data in the CV is not required (Article 111-bis of Legislative Decree 196/03).

In relation to recruitment activities, the Controller may process personal data, including so-called “special categories of data” as defined by the Regulation, strictly to the extent necessary for legitimate and defined purposes.

Disclosure of the Data Subject’s Personal Data

For the purposes of processing outlined above, and within the scope strictly relevant to them, personal data will or may be disclosed to:

  1. parties involved in recruitment activities aimed at entering into an employment or service contract;

  2. external consultants engaged in activities related to the processing, appointed as external data processors;

  3. parties who are entitled by law to access the personal data.

Personal data will never be disseminated or transferred to third countries outside the European Union.

Security Measures

All processing is carried out through the adoption of appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with the principles and modalities set out in Articles 5 et seq. and 32 et seq. of the Regulation, as well as the related measures issued by the Privacy Authority. Security measures are part of a broader information protection system for which the Controller has adopted and certified international standards ISO/IEC 27001:2022 and ISO/IEC 27018:2019.

Data Subject’s Rights

The Data Subject may exercise the rights provided under Articles 15 to 22 of the Regulation as set out in Article 12 of the Regulation, which specifically include the right to:

  • obtain confirmation from the Controller as to whether or not personal data concerning them is being processed, and if so, access the personal data and the information referred to in Article 15 of the Regulation;

  • have inaccurate personal data rectified and incomplete data completed, including by providing a supplementary statement, pursuant to Article 16 of the Regulation;

  • obtain from the Controller the erasure of personal data without undue delay, where one of the grounds in Article 17 of the Regulation applies;

  • obtain restriction of processing from the Controller when one of the conditions set out in Article 18 of the Regulation is met.

Data Subjects who believe that the processing of their personal data violates the Regulation have the right to lodge a complaint with the Data Protection Authority (www.garanteprivacy.it), pursuant to Article 77 of the Regulation, or to seek judicial remedy (Article 79 of the Regulation).

To obtain a detailed and constantly updated list of the parties to whom the Data Subject’s personal data may be disclosed and/or to exercise the rights referred to in Articles 15 to 22 of the Regulation, the Data Subject may contact the Controller using the contact details provided above.

Notice updated in April 2025

Security Measures

THRON Security Measures

Security is deeply embedded in THRON’s identity. The platform, designed from the outset as cloud-native, is built on the robust infrastructure of Amazon Web Services (AWS) and integrates Akamai’s global content delivery network. This ensures high performance and continuous protection of REST APIs through an active Web Application Firewall. Thanks to this structured setup, THRON offers a safe, high-performing, resilient environment that complies with the most rigorous data protection standards.

Security and Compliance Certifications

THRON complies fully with the General Data Protection Regulation (GDPR) and holds internationally recognized certifications. The ISO 27001:2022 standard confirms the robustness of our information security management system, while ISO 9001:2015 certifies our commitment to process quality. For cloud-related security, THRON adheres to ISO 27017:2015 for cloud service controls and ISO 27018:2019 for personal data protection in virtualized environments. These certifications reflect our ongoing and tangible commitment to safeguarding privacy and ensuring the security of our solutions. For more, visit our official Trust Portal.

Data Protection and Secure Architecture

All data flowing through the platform is protected by advanced encryption based on the AES-256 algorithm, both in transit and at rest. Communication is safeguarded by TLS/SSL protocols to ensure privacy between users and the platform. Access to the production environment follows the principle of least privilege and is monitored with strict multi-factor authentication and administrative controls. The infrastructure relies on Amazon S3 for storage, offering 99.999999999% data durability and automated backups to ensure protection even in critical situations.

THRON is engineered for operational continuity even in the event of major failures. Its architecture is distributed across multiple AWS availability zones, keeping the platform running even during serious outages. The Recovery Time Objective (RTO) is set at 4 hours, while the Recovery Point Objective (RPO) is 1 hour, ensuring rapid restoration of services and user data.

All cloud resources are hosted in isolated Virtual Private Clouds (VPCs) equipped with control systems that prevent unauthorized access.

More details are available on our dedicated page: THRON architecture, security and data management

Proactive Protection and Monitoring

THRON’s approach to digital threat protection is multilayered. Defense against DDoS attacks combines Akamai’s perimeter infrastructure, AWS auto-scaling, and advanced mitigation tools integrated with our Web Application Firewall. A 24/7 in-house security team constantly monitors the system and is ready to act in case of anomalies or incidents. Vulnerabilities are identified through continuous automated scanning and annual penetration testing by independent experts.

Secure Development and Application Controls

Security is embedded in every stage of our development lifecycle. Developers follow internationally recognized best practices such as OWASP and CIS benchmarks, using modern frameworks built to resist the most common threats. Application-level access management relies on a role-based access control system (RBAC) that clearly separates permissions between administrators, editors, contributors, and viewers. All sensitive operations are logged and can be reviewed via audit logs accessible to administrators, with up to 90 days of activity tracking.

Integrations and Identity Management

THRON enables secure integration with enterprise systems through Single Sign-On (SSO) using SAML and OpenID with the OAuth 2.0 protocol. Platform access is protected by two-factor authentication (2FA), and credential management is governed by strict password complexity and update policies.

Data Governance and Privacy

Data handling in THRON follows a structured backup and retention policy that defines how long data is stored based on its classification. The platform ensures secure deletion and full data portability on customer request, fully aligned with GDPR principles. A formal procedure is in place to handle data subject requests such as access, export, or deletion, giving clients complete control and transparency.

Cookie Policy

Cookies are text files containing minimal information sent to the browser and stored on the user’s device each time a website is visited. With each connection, cookies send information back to the referring site. They are used to enhance site functionality, allow the user to navigate smoothly between pages, and ensure an optimal browsing experience at all times. Cookies can be installed:
  1. Directly by the website owner or operator (first-party cookies)
  2. By third parties not directly related to the visited website (third-party cookies). Unless otherwise specified, please note that these cookies are under the direct and exclusive responsibility of their respective operators. More information about their privacy practices and use can be found directly on the websites of those operators.
Cookies can be classified into the following categories:
  1. Technical cookies. These are cookies necessary to enable navigation or provide a service requested by the user. Without them, certain operations would be impossible or significantly more complex and less secure. Therefore, prior informed consent from the user is generally not required. This category also includes cookies used exclusively for statistical purposes, such as analyzing visits and access to the site through aggregated data collection.
  2. Non-technical cookies (profiling and marketing). These cookies are used to track users’ browsing behavior and build profiles based on their preferences, habits, choices, and more. The use of such cookies on users’ devices is prohibited unless they have been properly informed and have given valid consent. When cookies are installed based on consent, that consent can be freely withdrawn at any time.

Read the full Cookie Policy: https://www.iubenda.com/privacy-policy/7805610/cookie-policy

Copyright

THRON 2025 © THRON S.p.A. All rights reserved

All information, data, ideas, layouts, designs, diagrams, and any combination thereof found on www.thron.com are the property of THRON S.p.A. and may be protected under international copyright laws and other intellectual property rights. Full or partial reproduction, as well as any other use of the information presented here—including layouts, designs, and diagrams—is not permitted without the prior written consent of THRON S.p.A.