GDPR Compliance

TruthVouch is fully GDPR compliant as a Data Processor. This guide covers our commitments and your rights.

Our Role

Data Controller (You): Organization using TruthVouch (owns and decides what to do with personal data)

Data Processor (TruthVouch): We process data on your instructions

Data Processing Agreement (DPA)

A standard DPA is available for all customers.

Coverage:

  • Processing terms (what we do with data)
  • Security measures (encryption, access controls)
  • Sub-processors (who else has access)
  • Data transfers (where data is stored)
  • Duration and termination (how long we keep data)

Request: Email legal@truthvouch.com to receive DPA.

Sub-Processors

TruthVouch uses the following sub-processors (vendors who can access your data):

Sub-Processor   Purpose                  Location
AWS             Cloud infrastructure     US, EU
Stripe          Billing                  US
SendGrid        Email                    US
Sentry          Error monitoring         US
DataDog         Logging and monitoring   US
Auth0           Authentication           US

Your Rights: You can object to specific sub-processors. We’ll work with you on alternatives.

Data Subject Rights

GDPR grants individuals rights over their personal data:

Right of Access (Article 15)

Individuals can request a copy of their data:

Request: "Give me all data you have about me"
Response: TruthVouch exports all personal data within 30 days
Format: Machine-readable format (JSON, CSV)

How to Handle: If data subject contacts you, forward to legal@truthvouch.com and we’ll fulfill the request.

Right to Erasure (Article 17, “Right to be Forgotten”)

Individuals can request deletion:

Request: "Delete all data about me"
Response: TruthVouch deletes within 30 days
Exceptions: If required by law or contract

Right to Rectification (Article 16)

Individuals can correct inaccurate data:

Request: "My email is wrong, correct it"
Response: TruthVouch updates within 30 days

Right to Data Portability (Article 20)

Individuals can get their data in a portable format:

Request: "Give me my data in a portable format"
Response: TruthVouch exports in standard format

Right to Restrict Processing (Article 18)

Individuals can limit how their data is used:

Request: "Don't use my data for recommendations"
Response: TruthVouch restricts processing

Breach Notification

If a breach occurs:

  1. TruthVouch Discovers: Within 72 hours, we notify you
  2. You Assess: Determine if data subjects must be notified
  3. Notify Authorities: You notify local authority (DPA)
  4. Notify Individuals: You notify affected individuals (if high risk)

Our Commitment: Breach notification within 24 hours (faster than the legal requirement).

Data Transfers (GDPR Article 45, 46)

Transferring personal data from the EU to a country outside the EU requires a legal basis:

TruthVouch Approach:

  • Standard Contractual Clauses (SCCs): Approved legal mechanism included in DPA
  • Data Residency Option: Store data in AWS EU region (eu-west-1, Ireland)
  • Privacy Shield: Not used (invalidated by CJEU)

Your Choice: You decide where data resides (US or EU region).

DPA & Data Processing

When you use TruthVouch, you’re the Data Controller and we’re the Processor:

Activity                                 Responsibility
Deciding what personal data to collect   You (Controller)
Obtaining consent                        You (Controller)
Lawful basis for processing              You (Controller)
Technical security                       TruthVouch (Processor)
Breach notification                      TruthVouch within 24h; you to authorities within 72h
Fulfilling data subject rights           TruthVouch (facilitated)

Lawful Basis

You must have a lawful basis to use TruthVouch. Common bases:

  • Consent: User agreed to use TruthVouch
  • Contract: Processing needed to deliver service
  • Legitimate Interest: Organization’s business need (balancing against individual rights)
  • Legal Obligation: Required by law
  • Vital Interests: Emergency situations

Document Your Basis: Record why you’re using TruthVouch for GDPR compliance.

Privacy by Design

TruthVouch is built with privacy-first principles:

  • Data Minimization: Only collect necessary data
  • Encryption: All data encrypted at rest and in transit
  • Access Controls: Strict employee access to data
  • Deletion: Automatic purging of old data
  • Auditing: Complete audit trail of who accessed what

GDPR Compliance Checklist

  • Have a DPA in place (request from legal@truthvouch.com)
  • Document your lawful basis for processing
  • Identify the applicable sub-processors
  • Update your privacy policy to mention TruthVouch
  • Train your team on data subject rights
  • Know how to respond to data access requests
  • Have an incident response plan for potential breaches

Next Steps

  • DPA: Request Data Processing Agreement
  • Breach Response: Learn about breach notification process
  • Sub-Processors: Review list and notify us of concerns