Data Processing Addendum
This page is the standing version of our Data Processing Addendum. It's automatically incorporated into our Terms of Service for any customer who needs one. If your procurement team needs a counter-signed PDF, email legal@trussapp.co and we'll have one back to you the same day.
Preamble
This Data Processing Addendum (the "DPA") forms part of the agreement between Truss Platform LLC ("Truss," "Processor") and the customer identified on the applicable Order Form ("Customer," "Controller") for the provision of the Truss Service (the "Agreement"). It reflects the parties' agreement with respect to the Processing of Personal Data in accordance with applicable Data Protection Laws.
1. Definitions
- "Applicable Law": any law, regulation, or binding guidance applicable to a party's Processing of Personal Data, including the GDPR, UK GDPR, and the CCPA / CPRA.
- "Customer Personal Data": Personal Data that is part of the Customer Content Processed by Truss on Customer's behalf in the course of providing the Service.
- "Data Protection Laws": all laws and regulations applicable to a party's Processing of Personal Data under the Agreement.
- "Data Subject": an identified or identifiable natural person whose Personal Data is included in Customer Personal Data.
- "Personal Data": any information that relates to an identified or identifiable natural person, as further defined in Applicable Law.
- "Processing": any operation performed on Personal Data (collection, recording, storage, use, transmission, deletion, and so on).
- "Sub-processor": any third party engaged by Truss to Process Personal Data on Customer's behalf in support of the Service.
Capitalized terms not defined here have the meaning given in the Agreement or in Applicable Law.
2. Scope and roles
This DPA applies to the Processing of Customer Personal Data by Truss in the course of providing the Service. For the purposes of Applicable Law:
- Customer acts as the Controller (or, where Customer is itself a processor, as a processor acting on behalf of one or more controllers).
- Truss acts as a Processor (or sub-processor, as applicable).
Truss will Process Customer Personal Data only on Customer's documented instructions (which include the Agreement, Customer's configuration of the Service, and any subsequent written instructions reasonably necessary to operate the Service). Truss will inform Customer if, in its opinion, an instruction infringes Applicable Law.
3. Details of processing
The details of Truss's Processing of Customer Personal Data are:
- Subject matter: the provision of the Service as described in the Agreement.
- Duration: the term of the Agreement, plus the retention period set out in Section 10.
- Nature and purpose: to host, store, organize, transmit, and otherwise Process Customer Personal Data so that Customer can use the Service.
- Categories of Data Subjects: typically Customer's employees, contractors, end-users, and the contacts who interact with them through the Service (for example, a Customer's own customers who send support requests to a Truss Desk inbox).
- Categories of Personal Data: contact details (name, email, phone), account/identity information, professional information, content of communications, time records, billing-related information, and any other data Customer chooses to submit to the Service.
- Special-category data: Customer agrees not to submit special-category data (e.g., health, biometric, racial or ethnic origin) without first signing an applicable addendum (e.g., a BAA for protected health information).
4. Truss's obligations as Processor
Truss will:
- Process Customer Personal Data only on Customer's documented instructions.
- Ensure that personnel authorized to Process Customer Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to protect Customer Personal Data, including the measures set out in Schedule 1.
- Not use Customer Personal Data for any purpose other than to provide and improve the Service for Customer. Truss does not train any machine-learning or AI model on Customer Personal Data. Where the Service involves AI inference performed by a Sub-processor (currently Google LLC, for Google Gemini — see Section 5 and our Sub-processor list), Customer Personal Data is shared only at the moment an AI feature is invoked, solely to produce the response, and subject to the Sub-processor's contractual obligations.
- Not sell or "share" (as defined under CCPA / CPRA) Customer Personal Data.
5. Sub-processors
Customer provides general written authorization for Truss to engage Sub-processors. Truss's current list of Sub-processors is at trussapp.co/subprocessors.
Before adding or replacing a Sub-processor, Truss will:
- Provide at least 30 days' prior notice by updating the Sub-processor page and notifying customers via email or in-product notice.
- Enter into a written agreement with the Sub-processor that imposes data-protection obligations at least as protective as those in this DPA.
- Remain liable for the acts and omissions of its Sub-processors as if they were its own.
If Customer reasonably objects to a new Sub-processor on data-protection grounds within the 30-day notice period, Customer and Truss will work in good faith to find an alternative. If no resolution is reached, Customer may terminate the affected portion of the Service for cause and receive a prorated refund.
6. International data transfers
Truss is established in the United States and Processes Customer Personal Data primarily in the United States. Where the transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not deemed adequate by the relevant authority is required, the parties agree that the EU Standard Contractual Clauses ("SCCs") are incorporated into this DPA by reference and apply as follows:
- Module Two (Controller to Processor) applies where Customer is a Controller.
- Module Three (Processor to Sub-processor) applies where Customer is itself a Processor acting on behalf of one or more Controllers.
- For UK transfers, the UK Addendum to the SCCs (issued by the Information Commissioner's Office) applies.
- For Swiss transfers, the SCCs apply with references to the GDPR construed as references to the Swiss FADP.
7. Data-subject rights
Where a Data Subject submits a request to Truss directly (for example, a request to access or delete their Personal Data), Truss will redirect the Data Subject to Customer.
Truss will provide reasonable assistance to Customer to enable Customer to respond to Data-Subject requests, including by providing the tools necessary to access, export, correct, or delete Customer Personal Data through the Service.
8. Personal data breach
Truss will notify Customer without undue delay and in any event within 24 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will:
- Describe the nature of the breach and, where possible, the categories and approximate number of Data Subjects and records affected.
- Provide the name and contact details of a Truss point of contact.
- Describe the likely consequences of the breach.
- Describe the measures Truss has taken or proposes to take to address the breach, including measures to mitigate possible adverse effects.
Truss will cooperate with Customer's reasonable requests for information about a Personal Data Breach.
9. Audit rights
Truss will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA. This typically includes:
- Truss's most recent SOC 2 Type II report (under NDA, once issued).
- Truss's summary penetration-test report (under NDA).
- Truss's pre-filled responses to common security questionnaires (SIG Lite, CAIQ).
Where the above is not sufficient, Customer may request, no more than once per year and with at least 30 days' prior written notice, an audit limited to verifying Truss's compliance with this DPA. Audits will be conducted during business hours, will not interfere with Truss's operations, and will be at Customer's expense.
10. Deletion or return of data
Upon termination of the Agreement, Truss will retain Customer Personal Data for 30 days to allow Customer to export it. Thereafter, Truss will delete Customer Personal Data from production systems, and encrypted backups will roll off within 60 additional days, except to the extent retention is required by Applicable Law.
Customer may request earlier deletion at any time, and Truss will complete the deletion within 30 days of the request, subject to the same legal-retention exception.
11. Liability
Each party's liability arising out of or in connection with this DPA is subject to the limitations of liability set out in the Agreement.
12. Term
This DPA takes effect on the date Customer accepts the Agreement and continues for as long as Truss Processes Customer Personal Data on Customer's behalf. The obligations set out in Sections 4, 8, 9, and 10 survive termination of the Agreement for as long as is necessary to give effect to them.
Schedule 1 — Technical and organizational measures
Truss maintains the technical and organizational measures described below to protect Customer Personal Data. A more detailed description, including current certifications and frameworks, is published at trussapp.co/security.
Encryption
- AES-256 encryption at rest for production data stores and backups.
- TLS 1.2 or higher in transit, with modern cipher suites and HSTS.
- Per-tenant encryption keys for sensitive Customer records.
Access controls
- Least-privilege access enforced through role-based access control (RBAC).
- Multi-factor authentication required for all Truss personnel with access to production systems.
- Hardware-key authentication required for the small set of personnel with elevated production access.
- All production access logged and reviewed.
Network and infrastructure security
- Production environments segregated from corporate and non-production environments.
- Hosted with Railway, a US-based hosting platform, with high-availability deployment.
- Web Application Firewall, DDoS mitigation, and rate limiting at the edge.
Application security
- Secure development lifecycle including peer code review and automated security testing.
- Third-party penetration test performed at least annually.
- Vulnerability management with defined remediation SLAs by severity.
- Responsible disclosure policy at trussapp.co/security#disclosure.
Operational resilience
- Encrypted daily backups, retained for 30 days; multi-region replication of the primary database.
- Disaster-recovery procedures, with periodic restoration testing.
Personnel
- Background checks for all employees and contractors with access to Customer Personal Data, where permitted by Applicable Law.
- Annual security and privacy training.
- Confidentiality obligations in employment and contractor agreements.
Incident response
- Documented incident-response plan covering detection, triage, containment, eradication, recovery, and post-incident review.
- 24-hour customer notification for Personal Data Breaches.
Sub-processor management
- Security and privacy due diligence prior to engagement.
- Contractual obligations imposing data-protection obligations at least as protective as this DPA.
- Public list of Sub-processors at trussapp.co/subprocessors with 30-day advance notice of changes.
Questions about this DPA? Email legal@trussapp.co or security@trussapp.co.