Data Processing Agreement

Last Updated: January 2024

This Data Processing Agreement (“DPA”) is incorporated into the Terms of Service and applies to all processing of personal data under GDPR.

1. Definitions

Controller: You (organization using TruthVouch)
Processor: TruthVouch Inc.
Personal Data: Any data relating to an identified or identifiable natural person
Processing: Any operation performed on personal data (collection, storage, use, deletion, etc.)
Sub-Processor: Third-party vendor processing data on TruthVouch’s behalf

2. Scope & Processing Details

2.1 Subject Matter & Duration

Subject Matter: AI hallucination monitoring, content certification, compliance management
Duration: While you are a TruthVouch customer plus 60 days
Nature & Purpose: Processing on Controller’s instructions for service provision
Personal Data Categories: Employee names/emails, user accounts, LLM monitoring data
Data Subject Categories: Your employees, customers, end-users

2.2 Processing Instructions

TruthVouch processes personal data only as instructed by you through:

Account configuration
Settings and preferences
Dashboard selections
API calls

TruthVouch will not use your data for any other purpose (except where required by law).

3. Security & Confidentiality

3.1 Technical Measures

TruthVouch implements:

Encryption at rest (AES-256) and in transit (TLS 1.3)
Access controls (role-based, MFA)
Network security (firewalls, DDoS protection)
Intrusion detection and prevention
Vulnerability scanning (monthly)
Penetration testing (annual, third-party)

3.2 Organizational Measures

Background checks for employees
Confidentiality agreements with all staff
Data minimization (access on need-to-know basis)
Incident response procedures
Annual security audits (SOC 2 Type II)

3.3 Subcontractor Confidentiality

All sub-processors are contractually bound by equivalent confidentiality and security obligations.

4. Sub-Processors

4.1 Authorized Sub-Processors

TruthVouch uses the following approved sub-processors:

AWS (Cloud Infrastructure)
Stripe (Payments)
SendGrid (Email)
DataDog (Monitoring)
Auth0 (Authentication)
See Sub-Processors for complete list

4.2 Adding Sub-Processors

If TruthVouch adds or replaces sub-processors, we will:

Notify you 30 days in advance
Provide details of new sub-processor
Allow 15 days to object

You may object in writing to legal@truthvouch.com.

4.3 Sub-Processor Agreements

Each sub-processor is bound by a Data Processing Agreement with equivalent protections.

5. Data Subject Rights

5.1 Right of Access

If a data subject (person) requests access to their personal data:

They contact you (Controller)
You contact legal@truthvouch.com with their request
TruthVouch compiles and delivers the data within 30 days

5.2 Right to Erasure (“Right to be Forgotten”)

If a data subject requests deletion:

You contact legal@truthvouch.com
TruthVouch deletes from live systems within 30 days
Deleted from backups within 90 days (retention period)

Exceptions: If deletion is not technically feasible or legally prohibited.

5.3 Right to Rectification

Data subjects can request corrections through your account. You update the data, TruthVouch processes accordingly.

5.4 Right to Restriction

Data subjects can request processing restrictions. You notify TruthVouch; we restrict processing to storage only.

5.5 Right to Portability

Data subjects can request their data in machine-readable format. You request from TruthVouch; we provide within 30 days.

6. International Data Transfers

6.1 Geographic Options

US Region (Default): Data stored in AWS us-east-1 (Virginia)
EU Region: Data stored in AWS eu-west-1 (Ireland) — GDPR-compliant
Custom Region: Custom AWS account or on-premises (Enterprise)

Data never leaves the selected region.

6.2 Transfer Mechanisms

Transfers are authorized through:

Standard Contractual Clauses (SCCs) — GDPR-approved
Your explicit choice of region

7. Data Breach Notification

7.1 TruthVouch’s Obligations

If TruthVouch discovers a personal data breach:

Notify you within 24 hours (faster than legal requirement)
Provide details of:
- Nature of breach
- Affected data and data subjects
- Likely consequences
- Protective measures taken

7.2 Your Obligations

You must:

Assess if breach involves high risk
Notify affected data subjects if high risk (if required by GDPR Article 34)
Report to your Data Protection Authority (DPA) within 72 hours if required

TruthVouch will cooperate with notification process.

8. Data Impact Assessments (DPIA)

If required by GDPR Article 35, you may request that TruthVouch:

Provide information about processing activities
Assist in conducting a Data Protection Impact Assessment (DPIA)
Respond within 15 days

TruthVouch will cooperate in good faith.

9. Audit & Compliance

9.1 Compliance Verification

TruthVouch maintains:

SOC 2 Type II certification (annual audit)
Penetration testing results (annual)
Security assessments

9.2 Audit Rights

You have the right to:

Request compliance evidence
Conduct audits of TruthVouch’s processing
Request audit results from third parties

Audit requests handled through legal@truthvouch.com.

9.3 Frequency Limits

We may reasonably limit audits to once per year unless:

You suspect non-compliance
Required by regulatory authority
Changes to processing activities

10. Deletion of Data Upon Termination

Upon termination of your account:

TruthVouch deletes your data from live systems within 30 days
Backups automatically purged within 90 days
Audit logs retained for 7 years (legal requirement)
You may request earlier deletion (some restrictions apply)

11. Conflict with Terms

If this DPA conflicts with the Terms of Service, this DPA controls regarding data processing.

12. Modification

TruthVouch may modify this DPA with 30 days’ notice. Continued use means acceptance.

13. Contact & Disputes

For DPA Questions:

Email: legal@truthvouch.com
Subject: “DPA Question”

For Disputes:

Attempt informal resolution first
If unresolved, disputes resolved under the Terms of Service governing law (California)

Effective Date: January 2024