TruSecure Logo
LEGAL

Data Processing Addendum

Last updated: 17 July 2026 · Version 2.0

This Data Processing Addendum (the "DPA") supplements the Master Subscription Agreement between TRUSECURE S.R.L. (the "Processor") and the customer identified in the order form (the "Controller"). It is incorporated into the Master Subscription Agreement.

1. Definitions

Terms not defined here have the meaning given in the GDPR and UK GDPR.

  • "Customer Content" — personal data the Controller submits to or generates within Resilience Fabric.
  • "Sub-processor" — any processor engaged by TruSecure to process Customer Content.
  • "SCCs" — Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914.
  • "UK IDTA" — the UK International Data Transfer Addendum to the SCCs, as in force.

2. Processing details

Subject matter, duration, nature, purpose, categories of data subjects, categories of personal data and processor obligations are set out in Schedule A.

3. Processor obligations

The Processor shall:

  • (a) process Customer Content only on documented instructions from the Controller, including with regard to transfers, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • (b) ensure that persons authorised to process Customer Content have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • (c) implement appropriate technical and organisational measures as set out in the Security Statement and Schedule B;
  • (d) not engage another processor without prior specific or general written authorisation of the Controller; in the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, giving the Controller the opportunity to object;
  • (e) assist the Controller, taking into account the nature of processing, in fulfilling its obligations to respond to data-subject rights requests;
  • (f) assist the Controller in ensuring compliance with Art. 32 to 36 GDPR and UK GDPR Art. 32 to 36;
  • (g) at the choice of the Controller, delete or return all Customer Content after the end of the provision of services relating to processing, and delete existing copies, unless Union or Member State law requires storage;
  • (h) make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and UK GDPR Art. 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4. Sub-processors

The list of sub-processors is at trusecure.co/trust/sub-processors. The Processor will notify the Controller of any intended addition or replacement at least 30 days in advance. The Controller may object on reasonable grounds related to data protection; the procedure is described on the sub-processor page.

5. International transfers

  • (a) EU ↔ EU: no transfer mechanism required.
  • (b) EU ↔ UK: transfers are covered by the EU Commission's adequacy decision (Implementing Decision (EU) 2021/1772) and reciprocally by the UK adequacy regulations, as in force.
  • (c) Transfers from EU/UK to a third country not covered by adequacy: governed by the SCCs and, where applicable, the UK IDTA, both incorporated by Schedule C.

6. Personal data breaches

The Processor shall notify the Controller of a personal data breach affecting Customer Content without undue delay and in any event within 72 hours, providing the information required by GDPR Art. 33(3) to the extent then available, with further information provided as it becomes available.

7. Audit

The Controller may, on at least 30 days' written notice, request an audit of the Processor's compliance with this DPA no more than once per calendar year, except where required by a competent supervisory authority or following a confirmed personal data breach.

8. Liability

Liability under this DPA is subject to the limitation of liability in the Master Subscription Agreement, except where liability cannot be limited as a matter of mandatory law.

9. Order of precedence

In any conflict between this DPA and the Master Subscription Agreement, this DPA prevails in respect of personal-data processing.

10. Governing law and forum

  • (a) Where the Controller is established in the EU/EEA, this DPA is governed by the laws of Romania, and the courts of Romania have exclusive jurisdiction, without prejudice to the data subject's right to bring proceedings in their habitual residence under GDPR Art. 79.
  • (b) Where the Controller is established in the United Kingdom, this DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, without prejudice to the data subject's right to bring proceedings under UK GDPR Art. 79.
  • (c) Where the Controller is established elsewhere, the law and forum in the Master Subscription Agreement apply, with the SCCs and UK IDTA (where applicable) taking precedence in respect of personal-data processing.
Schedule A

Schedule A — Processing Details

ElementDetail
Subject matterProvision of Resilience Fabric
DurationTerm of the Master Subscription Agreement
NatureStorage, retrieval, AI-assisted analysis, evidence generation
PurposeAs documented in the customer's service description
Categories of data subjectsCustomer's employees, contractors, third parties identified in Customer Content
Categories of personal dataAs determined by the customer's upload; typically identity, role, technical logs, audit data
Processor obligationsAs set out in section 3 of this DPA
Schedule B

Schedule B — Technical and Organisational Measures

The TOMs described in the Security Statement apply in full. No additional customer-specific TOMs are agreed at signature.

Schedule C

Schedule C — Standard Contractual Clauses (Module Two and equivalent UK clauses)

(A) For transfers from the EU/EEA to a third country not covered by adequacy, the SCCs (Module Two: controller-to-processor) set out in the Annex to Commission Implementing Decision (EU) 2021/914 are incorporated by reference.

(B) For transfers from the United Kingdom to a third country not covered by adequacy, the UK IDTA is incorporated by reference.

The parties complete the relevant annexes as follows:

ClauseDesignation
SCCs Clause 7 (docking)Both parties may dock
SCCs Clause 9 (sub-processors)Option 2 — general authorisation with notification
SCCs Clause 11 (redress)Mandatory
SCCs Clause 13(a) (supervisory authority)The supervisory authority of the Controller's place of establishment; for Controllers established in Romania, the ANSPDCP; for Controllers established in the UK, the ICO
SCCs Clause 17 (governing law)Romania, or England and Wales as applicable per section 10 of this DPA
SCCs Clause 18 (forum)Romania, or England and Wales as applicable per section 10 of this DPA
Schedule D

Schedule D — Transfer Impact Assessment (TIA)

TIA narrative:

The current Customer Content processing path is:

  • Storage in OVH HOSTING LIMITED's French and German datacenters (CRO 468585, VAT IE9520632R, parent OVH Groupe SA, RCS Lille 537 407 926).
  • Private inference compute operated by TruSecure SRL within the EEA.
  • No current engagement of a sub-processor established outside the EEA.

On these facts, the Processor has assessed:

  • (a) The substantive and procedural laws of the source and destination jurisdictions.
  • (b) Whether any rule of the destination jurisdiction permits public-authority access to Customer Content in a manner incompatible with GDPR Art. 46 safeguards.
  • (c) Effective practical remedies available to data subjects.

Outcome: TruSecure considers that no SCCs or UK IDTA instrument needs to be invoked for the current path because no transfer to a non-adequate country occurs. This TIA is revisited whenever:

  • a sub-processor established outside the EEA is engaged; or
  • a material change in the source/destination legal landscape is reasonably likely to affect the assessment.

The TIA document is available to Controllers on request under NDA at trust@trusecure.co.