Data Processing Addendum
Last updated: 17 July 2026 · Version 2.0
This Data Processing Addendum (the "DPA") supplements the Master Subscription Agreement between TRUSECURE S.R.L. (the "Processor") and the customer identified in the order form (the "Controller"). It is incorporated into the Master Subscription Agreement.
1. Definitions
Terms not defined here have the meaning given in the GDPR and UK GDPR.
- "Customer Content" — personal data the Controller submits to or generates within Resilience Fabric.
- "Sub-processor" — any processor engaged by TruSecure to process Customer Content.
- "SCCs" — Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914.
- "UK IDTA" — the UK International Data Transfer Addendum to the SCCs, as in force.
2. Processing details
Subject matter, duration, nature, purpose, categories of data subjects, categories of personal data and processor obligations are set out in Schedule A.
3. Processor obligations
The Processor shall:
- (a) process Customer Content only on documented instructions from the Controller, including with regard to transfers, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- (b) ensure that persons authorised to process Customer Content have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- (c) implement appropriate technical and organisational measures as set out in the Security Statement and Schedule B;
- (d) not engage another processor without prior specific or general written authorisation of the Controller; in the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, giving the Controller the opportunity to object;
- (e) assist the Controller, taking into account the nature of processing, in fulfilling its obligations to respond to data-subject rights requests;
- (f) assist the Controller in ensuring compliance with Art. 32 to 36 GDPR and UK GDPR Art. 32 to 36;
- (g) at the choice of the Controller, delete or return all Customer Content after the end of the provision of services relating to processing, and delete existing copies, unless Union or Member State law requires storage;
- (h) make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and UK GDPR Art. 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
4. Sub-processors
The list of sub-processors is at trusecure.co/trust/sub-processors. The Processor will notify the Controller of any intended addition or replacement at least 30 days in advance. The Controller may object on reasonable grounds related to data protection; the procedure is described on the sub-processor page.
5. International transfers
- (a) EU ↔ EU: no transfer mechanism required.
- (b) EU ↔ UK: transfers are covered by the EU Commission's adequacy decision (Implementing Decision (EU) 2021/1772) and reciprocally by the UK adequacy regulations, as in force.
- (c) Transfers from EU/UK to a third country not covered by adequacy: governed by the SCCs and, where applicable, the UK IDTA, both incorporated by Schedule C.
6. Personal data breaches
The Processor shall notify the Controller of a personal data breach affecting Customer Content without undue delay and in any event within 72 hours, providing the information required by GDPR Art. 33(3) to the extent then available, with further information provided as it becomes available.
7. Audit
The Controller may, on at least 30 days' written notice, request an audit of the Processor's compliance with this DPA no more than once per calendar year, except where required by a competent supervisory authority or following a confirmed personal data breach.
8. Liability
Liability under this DPA is subject to the limitation of liability in the Master Subscription Agreement, except where liability cannot be limited as a matter of mandatory law.
9. Order of precedence
In any conflict between this DPA and the Master Subscription Agreement, this DPA prevails in respect of personal-data processing.
10. Governing law and forum
- (a) Where the Controller is established in the EU/EEA, this DPA is governed by the laws of Romania, and the courts of Romania have exclusive jurisdiction, without prejudice to the data subject's right to bring proceedings in their habitual residence under GDPR Art. 79.
- (b) Where the Controller is established in the United Kingdom, this DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, without prejudice to the data subject's right to bring proceedings under UK GDPR Art. 79.
- (c) Where the Controller is established elsewhere, the law and forum in the Master Subscription Agreement apply, with the SCCs and UK IDTA (where applicable) taking precedence in respect of personal-data processing.
Schedule A — Processing Details
| Element | Detail |
|---|---|
| Subject matter | Provision of Resilience Fabric |
| Duration | Term of the Master Subscription Agreement |
| Nature | Storage, retrieval, AI-assisted analysis, evidence generation |
| Purpose | As documented in the customer's service description |
| Categories of data subjects | Customer's employees, contractors, third parties identified in Customer Content |
| Categories of personal data | As determined by the customer's upload; typically identity, role, technical logs, audit data |
| Processor obligations | As set out in section 3 of this DPA |
Schedule B — Technical and Organisational Measures
The TOMs described in the Security Statement apply in full. No additional customer-specific TOMs are agreed at signature.
Schedule C — Standard Contractual Clauses (Module Two and equivalent UK clauses)
(A) For transfers from the EU/EEA to a third country not covered by adequacy, the SCCs (Module Two: controller-to-processor) set out in the Annex to Commission Implementing Decision (EU) 2021/914 are incorporated by reference.
(B) For transfers from the United Kingdom to a third country not covered by adequacy, the UK IDTA is incorporated by reference.
The parties complete the relevant annexes as follows:
| Clause | Designation |
|---|---|
| SCCs Clause 7 (docking) | Both parties may dock |
| SCCs Clause 9 (sub-processors) | Option 2 — general authorisation with notification |
| SCCs Clause 11 (redress) | Mandatory |
| SCCs Clause 13(a) (supervisory authority) | The supervisory authority of the Controller's place of establishment; for Controllers established in Romania, the ANSPDCP; for Controllers established in the UK, the ICO |
| SCCs Clause 17 (governing law) | Romania, or England and Wales as applicable per section 10 of this DPA |
| SCCs Clause 18 (forum) | Romania, or England and Wales as applicable per section 10 of this DPA |
Schedule D — Transfer Impact Assessment (TIA)
TIA narrative:
The current Customer Content processing path is:
- Storage in OVH HOSTING LIMITED's French and German datacenters (CRO 468585, VAT IE9520632R, parent OVH Groupe SA, RCS Lille 537 407 926).
- Private inference compute operated by TruSecure SRL within the EEA.
- No current engagement of a sub-processor established outside the EEA.
On these facts, the Processor has assessed:
- (a) The substantive and procedural laws of the source and destination jurisdictions.
- (b) Whether any rule of the destination jurisdiction permits public-authority access to Customer Content in a manner incompatible with GDPR Art. 46 safeguards.
- (c) Effective practical remedies available to data subjects.
Outcome: TruSecure considers that no SCCs or UK IDTA instrument needs to be invoked for the current path because no transfer to a non-adequate country occurs. This TIA is revisited whenever:
- a sub-processor established outside the EEA is engaged; or
- a material change in the source/destination legal landscape is reasonably likely to affect the assessment.
The TIA document is available to Controllers on request under NDA at trust@trusecure.co.
