Overview and acceptance
This DPA forms part of the agreement between you (“Customer”) and TrustReply (“TrustReply,” “we”) for the provision of the TrustReply service (the “Agreement”).
By using the TrustReply service in connection with the processing of Personal Data subject to data protection law, Customer accepts this DPA on behalf of itself and, to the extent required, its Affiliates whose Personal Data is processed.
If your organization requires a counter-signed copy of this DPA, email privacy@trustreply.app with the signatory's details.
Definitions
Capitalized terms not defined here have the meanings given in the Agreement or, where applicable, in the GDPR/CCPA.
- “Applicable Data Protection Law” means the EU GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, the CCPA/CPRA, and any other data protection or privacy law applicable to the processing of Personal Data under the Agreement.
- “Personal Data” means information that relates to an identified or identifiable natural person within Customer Content, processed by TrustReply on Customer's behalf.
- “Controller,” “Processor,” “Data Subject,” “Processing,” “Personal Data Breach” have the meanings given in the GDPR (or equivalent terms under other Applicable Data Protection Law, e.g., “Business” and “Service Provider” under the CCPA).
- “Sub-processor” means any third party engaged by TrustReply to process Personal Data on its behalf.
- “SCCs” means the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), as may be amended or superseded.
Roles of the parties
- For Personal Data within Customer Content, Customer is the Controller (or Processor for its own customers) and TrustReply is the Processor (or Sub-processor).
- Under the CCPA, TrustReply acts as a Service Provider. TrustReply shall not (i) sell or share Personal Data, (ii) retain, use, or disclose it for any purpose other than to provide the Service or as permitted by the CCPA, or (iii) combine Personal Data received from Customer with Personal Data received from another source, except as permitted by the CCPA.
- Each party will comply with its respective obligations under Applicable Data Protection Law.
Details of processing
The subject matter, duration, nature and purpose of processing, categories of Data Subjects, and categories of Personal Data are described in Annex A.
Customer instructions and lawfulness
TrustReply will process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do so by law. The Agreement, this DPA, and Customer's use of the configurable features of the Service constitute Customer's complete and final documented instructions.
If TrustReply is required by law to process Personal Data beyond Customer's instructions, it will inform Customer of that legal requirement before processing, unless that law prohibits such notice on important grounds of public interest.
Customer warrants that (a) Customer Content and the processing instructions comply with Applicable Data Protection Law, (b) Customer has a valid lawful basis for the processing, and (c) Customer has provided required notices and obtained required consents from Data Subjects.
TrustReply obligations
TrustReply will:
- Process Personal Data only as set out in this DPA and on Customer's documented instructions.
- Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organizational measures described in Annex B.
- Engage Sub-processors only as permitted under Section 7.
- Assist Customer with Data Subject requests, security, breach notification, Data Protection Impact Assessments (“DPIAs”), and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to TrustReply.
- Make available to Customer the information reasonably necessary to demonstrate compliance with Article 28 GDPR.
- Promptly inform Customer if, in TrustReply's opinion, an instruction infringes Applicable Data Protection Law.
- Not use Customer's Personal Data to train any AI or machine-learning model.
Sub-processors
Customer provides a general authorization for TrustReply to engage Sub-processors to process Personal Data. The current list of Sub-processors is set out in Annex C and is also available on our public sub-processor list at /privacy#subprocessors.
TrustReply will:
- Provide at least 30 days' prior notice of any new Sub-processor or replacement Sub-processor that processes Personal Data, via email to the address on Customer's account and/or via in-product notice.
- Impose data protection terms on each Sub-processor that are no less protective than those in this DPA.
- Remain liable to Customer for any failure by a Sub-processor to fulfill its data-protection obligations.
Objection process. Customer may object in writing to a proposed new or replacement Sub-processor on reasonable, documented data-protection grounds within 30 days of TrustReply's notice. If TrustReply cannot make a commercially reasonable accommodation, Customer's sole remedy is to terminate the affected portion of the Service for convenience and receive a pro-rata refund of prepaid fees for the unused portion of the term.
International data transfers and SCCs
To the extent TrustReply's processing of Personal Data involves a transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country not benefitting from an adequacy decision, the parties agree that such transfer is subject to the SCCs, which are incorporated into this DPA by reference and completed as follows:
- Module Two (Controller to Processor) applies where Customer is a Controller.
- Module Three (Processor to Sub-processor) applies where Customer is a Processor.
- In Clause 7 (Docking Clause), the option does apply.
- In Clause 9 (Use of Sub-processors), Option 2 (general written authorization) applies; the notice period is 30 days as set out in Section 7.
- In Clause 11 (Redress), the optional Data Subject independent dispute resolution mechanism does not apply.
- In Clause 17 (Governing Law), the laws of the Republic of Ireland apply.
- In Clause 18 (Forum and Jurisdiction), disputes shall be resolved by the courts of Ireland.
- Annexes I, II, and III of the SCCs are populated by Annexes A, B, and C of this DPA respectively.
UK transfers. The UK International Data Transfer Addendum to the SCCs (issued by the UK Information Commissioner) applies and is incorporated by reference.
Swiss transfers. The SCCs apply with the modifications set out in the Swiss FDPIC guidance.
Security measures
TrustReply implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (a “Personal Data Breach”). A description of the measures is set out in Annex B.
TrustReply may update the measures from time to time to reflect technical and operational developments, provided the overall level of security is not reduced.
Personal data breach notification
TrustReply will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will:
- Describe the nature of the breach including, where possible, the categories and approximate number of Data Subjects and records concerned;
- Communicate the name and contact details of the relevant point of contact at TrustReply;
- Describe the likely consequences of the breach; and
- Describe the measures taken or proposed to address the breach and mitigate possible adverse effects.
TrustReply's notification or response is not an acknowledgement of fault or liability.
Data subject rights and assistance
TrustReply provides in-product tools enabling Customer to access, correct, export, and delete Personal Data, which Customer can use to fulfill its obligations to respond to Data Subject requests.
If a Data Subject contacts TrustReply directly, TrustReply will (without responding substantively) inform Customer and refer the Data Subject to Customer, unless legally required to act otherwise.
Taking into account the nature of the processing, TrustReply will provide reasonable assistance to Customer in responding to Data Subject requests at no additional charge for typical, ad-hoc requests; for requests requiring substantial engineering effort, TrustReply may charge a reasonable fee.
Audits and information requests
TrustReply will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including summary information on its security program, sub-processor list, and breach notification procedures.
If applicable law requires Customer to conduct audits or inspections, TrustReply will permit such audits, subject to the following: (a) audits are conducted no more than once every 12 months, except for cause; (b) audits are conducted during regular business hours on at least 30 days' prior written notice; (c) auditors must sign a confidentiality agreement reasonably acceptable to TrustReply; (d) audits do not access TrustReply's confidential information unrelated to Customer; (e) Customer bears the cost of audits; and (f) where TrustReply makes available an attestation, report, or certification from an independent auditor (e.g., SOC 2 Type II), Customer will rely on that report rather than conducting an on-site audit.
Return and deletion of personal data
On termination or expiry of the Agreement, and at Customer's choice, TrustReply will delete or return all Personal Data within 30 days, and delete existing copies, unless storage is required by law. Customer can export its data via the in-product export tools before requesting deletion. Backups containing Personal Data will be purged on a rolling basis within 30 days.
Liability and order of precedence
Each party's liability arising out of or in connection with this DPA, including the SCCs, is subject to the limitations of liability set out in the Agreement.
If there is a conflict between this DPA, the Agreement, and the SCCs, the order of precedence is: (1) the SCCs (to the extent they apply to a particular transfer), (2) this DPA, (3) the Agreement.
Term and termination
This DPA is effective for the duration of the Agreement and for as long as TrustReply processes Personal Data on Customer's behalf. Provisions that by their nature should survive termination — including return/deletion and audit obligations — will survive.
Annex A — Details of processing
- Subject matter: Provision of the TrustReply service, including ingesting Customer's Knowledge Base, extracting questions from vendor questionnaires, drafting answers using LLM technology, and exporting results.
- Duration: The term of the Agreement plus the retention periods set out in the Privacy Policy and this DPA.
- Nature and purpose of processing: Hosting, storing, transmitting, indexing, embedding, retrieving, drafting, displaying, and (on Customer's instruction) deleting Personal Data, solely to deliver the Service to Customer.
- Categories of Data Subjects: Customer's employees, contractors, and authorized users; individuals identified in Customer Content (e.g., named security officers in policies); senders and recipients of questionnaires.
- Categories of Personal Data: Contact information (name, email, role, employer), account credentials (hashed passwords), and any Personal Data that Customer includes in Customer Content. TrustReply does not require, and Customer should avoid uploading, special categories of Personal Data.
- Frequency of processing: Continuous during the Subscription Term.
- Retention: As set out in the Privacy Policy and Section 13 of this DPA.
Annex B — Technical and organizational measures
TrustReply implements the following measures, which it may update to reflect technical and operational developments, provided the overall level of security is not reduced:
- Encryption. AES-256 at rest for Personal Data and credentials; TLS 1.2+ in transit.
- Tenant isolation. Row-level security in our primary database isolates each Customer's data from other Customers' data by default.
- Access control. Least-privilege access; production access restricted to personnel with a need-to-know and logged. Strong authentication required for administrative access.
- Credential handling. Passwords are stored using industry-standard slow, salted hashing. We never store plaintext passwords.
- Network security. Production environment is hosted with reputable providers offering DDoS protection, network segmentation, and intrusion detection.
- Vulnerability management. Continuous dependency scanning; prompt patching of high-severity vulnerabilities.
- Code security. Code review before deployment; secrets stored in a managed secrets store.
- Backups. Encrypted, geographically separated backups taken on a recurring schedule and retained for up to 30 days.
- Logging and monitoring. Application and infrastructure logs are retained for up to 90 days for security and operational purposes.
- Personnel. Confidentiality obligations imposed on all personnel; background checks performed where legally permitted.
- Incident response. Documented incident-response procedures, including 72-hour breach notification (Section 10).
- Business continuity. Backups and infrastructure are designed to support recovery from a regional outage.
- AI processing. LLM APIs are called in stateless mode; Customer Content is not used to train any model.
Annex C — Sub-processors
The Sub-processors below process Personal Data on behalf of TrustReply in connection with the Service. The current list is also published at /privacy#subprocessors.
| Sub-processor | Service provided | Processing location |
|---|---|---|
| Anthropic, PBC | LLM API (stateless drafting) | United States |
| Supabase, Inc. | Database, storage, authentication | United States / EU |
| Vercel, Inc. | Application hosting, CDN | United States / Global |
| Resend, Inc. | Transactional email | United States |
| Stripe, Inc. (when enabled) | Payment processing | United States / Global |
Each Sub-processor is bound by data protection terms no less protective than those in this DPA. Customer may object to a new Sub-processor as set out in Section 7.
Questions about this policy?
Email us at privacy@trustreply.app. We'll respond within 5 business days.