Legal
Data Processing Agreement
Effective Date: [01 October 2025]
This Data Processing Agreement (the “DPA”) forms part of and is incorporated into the applicable Order and Terms between Trusteed Inc. (“Trusteed”, “Processor”, “we/us”) and the Customer identified in the Order (“Customer”, “Controller”, “you”) (together, the “Agreement”).
If there is a conflict between this DPA and the Agreement, this DPA will control to the extent of the conflict with respect to the Processing of Customer Personal Data.
1. Parties and Roles
- Controller: Customer, for Personal Data contained in Customer Data that Customer submits to or generates in the Services.
- Processor: Trusteed Inc., 2880 Zanker Road, Suite 203, San Jose, CA, USA, a Delaware corporation licensed to do business in California.
- Sub‑processors: Third parties engaged by Trusteed as set out in Annex II (as updated from time to time).
Scope. This DPA applies only to Trusteed’s Processing of Customer Personal Data as a Processor in providing the Services (e.g., continuous discovery, vulnerability scanning, cloud/configuration checks, compliance automation, reporting, APIs). This DPA does not apply to Personal Data that Trusteed Processes as an independent Controller (e.g., website analytics, ads/remarketing cookies, sales/marketing leads, billing contacts), which are governed by Trusteed’s Privacy Policy.
2. Definitions
Customer Data means all data submitted to, stored on, or generated by the Services on Customer’s behalf, including Customer Personal Data.
Customer Personal Data (or Personal Data) means Personal Data contained within Customer Data that is subject to Data Protection Laws.
Data Protection Laws means all laws applicable to a Party’s Processing of Personal Data under the Agreement, including where applicable: EU/EEA and UK data protection laws (GDPR and UK GDPR), the ePrivacy rules, CCPA/CPRA (California), and other U.S. state privacy laws, the Australian Privacy Act, and the Singapore PDPA, each as amended.
European Data means Personal Data subject to EU/EEA or UK data protection laws.
Instructions means documented instructions issued by Customer to Trusteed that direct Processing of Customer Personal Data.
Security Incident means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by Trusteed. Unsuccessful attempts (e.g., blocked scans, pings, port scans, DDoS without impact) are not Security Incidents.
Services means Trusteed’s cloud services at trusteed.io and app.trusteed.io, including related APIs and support.
Standard Contractual Clauses or SCCs means the EU Commission’s 2021 standard contractual clauses for transfers to third countries (Module Two: Controller‑to‑Processor), and the UK ICO’s International Data Transfer Addendum, as applicable.
Other capitalized terms have the meanings in the Agreement.
3. Details of Processing (Article 28(3))
Subject matter: Provision, maintenance and improvement of the Services.
Duration: The Term of the Agreement plus the Data Return/Deletion period.
Nature & purpose: Hosting, storage, discovery, scanning, monitoring, logging, analysis, ticketing/integration routing, evidence collection for compliance automation, reporting, notifications, and support.
Types of Personal Data: Business contact details (names, work emails, roles); user account data (auth identifiers, role/permissions, usage logs); limited metadata related to Target Systems (may include IP addresses, hostnames, domain contacts where provided); support content. Trusteed does not require special categories of data.
Data subjects: Customer Users; Customer’s personnel/contractors; (where configured by Customer) End‑Customer personnel relevant to the use of the Services.
4. Controller Responsibilities
Customer will (a) ensure it has a lawful basis and appropriate transparency for Processing and providing Customer Personal Data to Trusteed; (b) issue Instructions that comply with Data Protection Laws; (c) configure and use the Services securely; and (d) not introduce special categories or other sensitive data unless permitted and appropriately safeguarded.
The Agreement and this DPA constitute Customer’s Instructions to Trusteed to Process Customer Personal Data as necessary to provide the Services. Additional reasonable instructions may be provided via the Services or written notice.
5. Processor Obligations
5.1 Processing on Instructions. Trusteed will Process Customer Personal Data only on Customer’s Instructions and as required by law. If we are required by law to Process contrary to an Instruction, we will notify Customer (unless prohibited) and limit Processing to what is legally required.
5.2 Confidentiality. Trusteed ensures personnel authorized to Process Customer Personal Data are subject to confidentiality obligations.
5.3 Security Measures. Trusteed will implement and maintain appropriate technical and organizational measures (TOMs) as described in Annex I.
5.4 Sub‑processors. Trusteed may engage Sub‑processors to Process Customer Personal Data. Trusteed will (a) impose data protection terms providing no less protection than this DPA; (b) remain responsible for Sub‑processors’ performance; and (c) maintain an up‑to‑date list as in Annex II. Trusteed will notify Customer at least 30 days before adding, replacing, or materially changing Sub‑processors (via email or the Trusteed website). Customer may object on reasonable data‑protection grounds; the Parties will work in good faith toward a resolution. If none is possible, Customer may suspend the affected feature or terminate the impacted portion of the Services without penalty.
5.5 Assistance. Taking into account the nature of Processing, Trusteed will reasonably assist Customer with: (a) responding to data subject requests (by providing functionality and/or information available to Trusteed); (b) security, breach notifications, DPIAs and consultations with supervisory authorities, as required by law.
5.6 Security Incidents. Trusteed will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data and provide information as it becomes available. Trusteed will promptly take reasonable steps to contain, investigate, and remediate the Security Incident.
5.7 Data Return and Deletion. Upon termination/expiry of the Services, Customer may export Customer Data. Upon Customer request or at the end of the Data Retention Window (default 30 days after termination unless otherwise agreed), Trusteed will delete Customer Personal Data, unless retention is required by law. Aggregated/anonymous Platform Data may be retained.
5.8 Audit. Trusteed will make available information necessary to demonstrate compliance with this DPA (e.g., audit reports, security summaries, certifications) and allow for audits by Customer or an independent auditor mandated by Customer no more than once in any 12‑month period, on 30 days’ prior written notice, during normal business hours, and subject to confidentiality and reasonable time/materials fees (unless the audit reveals a material non‑compliance attributable to Trusteed).
6. International Data Transfers
6.1 Hosting & Locations. Trusteed hosts its Services on Microsoft Azure in the United States and the European Union regions. Processing may occur in those regions and in other countries where Trusteed or its Sub‑processors operate.
6.2 Transfers of European Data. Where Customer transfers European Data to Trusteed in a non‑adequate country, the Parties incorporate the SCCs (Module Two, C→P) by reference, with the following selections: (i) Clause 9(a) — general authorization with 30‑day notice; (ii) Clause 11 — not applicable; (iii) Clause 17 — governing law of [choose an EU Member State, e.g., Ireland]; (iv) Clause 18 — courts of [same EU Member State]; (v) Annexes populated by this DPA (Annex I–III). For UK transfers, the UK Addendum applies with the same selections. If the SCCs are replaced or updated, the Parties will cooperate in good faith to adopt the successor mechanism.
6.3 Transfer Impact & Supplementary Measures. Trusteed has assessed the ability to comply with the SCCs, and implements supplementary measures described in Annex I (encryption, access controls, policies) to protect European Data against disproportionate access by public authorities.
7. U.S. State Privacy Laws (including CPRA)
Where Trusteed Processes Customer Personal Data that is Personal Information under CPRA (and similar state laws) as a Service Provider/Processor:
- Trusteed will Process solely to provide the Services and for no other Business Purpose; will not sell or share Personal Information (as defined by CPRA), nor combine it with other data except as permitted for service provision, debugging, security or legal compliance; and will not use Personal Information for cross‑context behavioral advertising.
- Trusteed will comply with applicable obligations and provide assistance to enable Customer to honor consumer rights requests and GPC/opt‑out signals to the extent applicable to Customer Personal Data in the Services.
- Trusteed will require Sub‑processors to provide the same level of privacy protection as required by CPRA.
- Trusteed will notify Customer if it determines it can no longer meet its obligations under CPRA.
8. Liability and Remedies
Each Party’s aggregate liability arising out of or related to this DPA is subject to the limitations of liability set out in the Agreement, except that liabilities which cannot be limited by law (e.g., willful misconduct) are unaffected. During any Free Trial, Trusteed’s aggregate liability relating to the Trial Processing is capped as set out in the Agreement (if applicable) or USD/GBP 100, whichever is lower.
9. Miscellaneous
- Order of precedence: SCCs (where applicable) prevail over this DPA; this DPA prevails over the Agreement for Processing matters.
- Updates: Trusteed may update this DPA to reflect legal or operational changes. If updates materially degrade Customer’s rights, Trusteed will provide notice in advance where required by law or the Agreement.
- Severability & counterparts: As in the Agreement.
Annex I — Technical and Organizational Measures (TOMs)
Trusteed maintains a security program aligned with industry standards:
- Governance & Risk Management — documented security policies; roles and responsibilities; vendor risk management; employee security training and confidentiality agreements.
- Access Controls — unique user IDs; least privilege and role‑based access; SSO/MFA for administrative access; just‑in‑time elevation where feasible; quarterly access reviews; secure key and secret management.
- Encryption — TLS for data in transit; strong encryption for data at rest (e.g., disk/database encryption); centralized key management.
- Network & Infrastructure Security — segmented VNETs/VPCs; firewalls and security groups; WAF/CDN protection for public endpoints; DDoS protections provided by Azure; hardened images; configuration baselines; vulnerability management and timely patching.
- Application Security — secure SDLC with code reviews; dependency scanning; static/dynamic testing; secure secrets handling; environment separation; change management.
- Monitoring & Logging — centralized logging; audit trails for administrative actions; alerting on suspicious activity; time sync; retention consistent with legal and operational needs.
- Data Protection — data minimization; pseudonymization and aggregation for Platform Data; configurable data retention; customer export tools; secure deletion upon request or termination.
- Business Continuity & Disaster Recovery — backups with encryption; replication across availability zones/regions; restoration testing; DR plans.
- Incident Response — documented playbooks; 24×7 on‑call; breach notification without undue delay and cooperation with Customer.
- Physical Security — provided by Microsoft Azure data centers (SOC 2, ISO 27001 and similar certifications).
Annex II — Authorized Sub‑processors (Current List)
Note: The specific vendors used for your deployment may depend on region and selected features. Trusteed will maintain a current list and provide notice of changes as set out in Section 5.4.
| Vendor | Purpose | Processing Location(s) | Transfer Mechanism (if applicable) |
|---|---|---|---|
| Microsoft Azure | Cloud hosting, storage, networking, backups, security services | USA and EU regions | N/A for in-region; SCCs/UK Addendum for cross-border |
| Stripe, Inc. | Payment processing (billing) | USA/EU | Processor’s safeguards; SCCs/UK Addendum as applicable |
| GoCardless (if enabled) | Bank debit payment processing | EU/UK | Processor’s safeguards; SCCs/UK Addendum as applicable |
| Email delivery provider [●] | Transactional emails, notifications | [●] | SCCs/UK Addendum as applicable |
| Logging/Monitoring provider [●] | Application logs, metrics, alerting | [●] | SCCs/UK Addendum as applicable |
| Support/Ticketing provider [●] | Customer support and CRM | [●] | SCCs/UK Addendum as applicable |
| Analytics/BI provider [●] (optional) | Aggregated analytics/usage metrics | [●] | SCCs/UK Addendum as applicable |
Trusteed’s full and latest list of Sub‑processors is available upon request and may be posted at trusteed.io/subprocessors.
Annex III — Processing Details (SCC Annex I(A)/(B))
A. Parties
- Data exporter (Controller): Customer.
- Data importer (Processor): Trusteed Inc., 2880 Zanker Road, Suite 203, San Jose, CA, USA. Contact: privacy@trusteed.io.
B. Description of Transfer
- Categories of data subjects: as in Section 3.
- Categories of Personal Data: as in Section 3.
- Sensitive data: not intended; if provided by Customer, Customer is responsible for enabling appropriate safeguards and notifying Trusteed.
- Frequency of transfer: continuous and as initiated by Customer’s use of the Services.
- Nature & purpose of Processing: as in Section 3.
- Retention: as in Section 5.7.
- Subject access & deletion: facilitated via in‑app tools and support.
C. Competent Supervisory Authority
- For EU SCCs: the authority of [Member State chosen under Clause 17].
Annex IV — Customer Instructions
By executing the Agreement, Customer instructs Trusteed to Process Customer Personal Data to provide the Services, including to: host/store data; conduct discovery/scanning; generate reports; route alerts; provide support; implement security safeguards; and engage Sub‑processors as reasonably necessary.