Data Processing Agreement (DPA)
This Data Processing Agreement (hereinafter "DPA") is entered into between the Client (data controller) and TRUSTDATA, a société à responsabilité limitée (private limited company) with a share capital of €1,000.00, registered with the Paris Trade and Companies Register under number 931 119 333, with its registered office at 7 rue Cail, 75010 Paris, France (hereinafter "TrustData" or "the Processor").
This DPA forms an integral part of the Terms of Sale (CGV) and is automatically accepted upon subscription to the Service. It is established in accordance with Article 28(3) of the GDPR. No separate signature is required. This document is public and may be shared with clients or supervisory authorities.
Article 1 — Definitions
"Personal data": any information relating to an identified or identifiable natural person within the meaning of Article 4(1) of the GDPR.
"Client Data": personal data processed by TrustData on behalf of the Client in connection with the provision of the Service, including data relating to visitors of the Client's websites and applications.
"Processing": any operation or set of operations performed on personal data within the meaning of Article 4(2) of the GDPR.
"Data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, within the meaning of Article 4(12) of the GDPR.
"Sub-processor": any sub-contractor engaged by TrustData to process Client Data on the Client's behalf.
"Service": the TrustData SaaS platform accessible at https://app.trustdata.tech.
Article 2 — Subject Matter and Roles of the Parties
This DPA sets out the conditions under which TrustData, acting as a data processor within the meaning of Article 28 of the GDPR, processes personal data on behalf of the Client, acting as a data controller.
The Client determines the purposes and means of processing the personal data of visitors to its websites and applications.
TrustData processes Client Data solely on documented instructions from the Client, in the context of providing the Service and in accordance with this DPA.
Article 3 — Description of Processing
Nature and purpose
Collection, storage, statistical analysis and presentation of navigation and conversion data of visitors to the Client's websites and applications, for the purposes of marketing observability, performance measurement and multi-touch attribution.
Categories of personal data processed
| Category | Examples |
|---|---|
| Navigation data | Pages visited, date and time, session duration |
| Technical data | IP address (anonymised or full depending on configuration), browser, OS, resolution |
| Geolocation data | Country, region, city (derived from IP) |
| Conversion data | Conversion events, transaction values, order identifiers |
| Source data | Referrer, UTM campaign parameters |
| Interaction data | Clicks, scroll, custom events |
| Identifiers | First-party cookie identifiers, user identifiers (if configured) |
Data subjects: visitors and users of the Client's websites and applications.
Duration of processing: the entire duration of the contract. Upon termination, Article 12 of this DPA applies.
Article 4 — Obligations of the Client (Data Controller)
The Client undertakes to:
- Have a valid legal basis (Article 6 of the GDPR) for the collection of data via the Service
- Inform data subjects via a privacy policy compliant with Articles 13 and 14 of the GDPR, including reference to TrustData as a data processor
- Obtain, where required, the prior consent of data subjects before cookies or trackers are placed by the Service
- Carry out, where necessary, a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the GDPR
- Respond to requests from data subjects exercising their rights (Articles 15 to 22 of the GDPR)
- Ensure that any instruction given to TrustData complies with applicable law
Article 5 — Obligations of TrustData (Data Processor)
5.1 Processing on instruction
TrustData processes Client Data solely on the basis of documented instructions from the Client. TrustData does not process Client Data for its own purposes. If TrustData considers that an instruction constitutes a breach of applicable law, it shall inform the Client without delay.
5.2 Confidentiality
TrustData ensures that persons authorised to process Client Data are subject to a contractual obligation of confidentiality and have received appropriate data protection training.
5.3 Security of processing (Article 32 GDPR)
TrustData implements appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS 1.2 minimum) and at rest
- Role-based access control (RBAC) with strong authentication
- Access logging and monitoring
- Regular, tested backups
- Network segmentation and firewall protection
- Periodic security testing
5.4 Assistance to the Client
TrustData assists the Client in fulfilling its obligations regarding data subject rights and Articles 32 to 36 of the GDPR (security, breach notification, DPIA). If TrustData receives a data subject rights request directly, it shall forward it to the Client without delay.
Article 6 — Sub-processors
6.1 General authorisation
The Client authorises TrustData to engage the sub-processors listed in Annex 2 of this DPA. TrustData ensures that each sub-processor is bound by data protection obligations at least as protective as those in this DPA (Article 28(4) of the GDPR).
6.2 Change notification
TrustData shall notify the Client of any addition or replacement of a sub-processor at least thirty (30) days before the change takes effect.
6.3 Right to object
The Client has thirty (30) days in which to object by written, reasoned notification. If the disagreement persists, the Client may cancel its subscription without penalty.
6.4 Liability
TrustData remains fully liable to the Client for the performance of its sub-processors' obligations.
Article 7 — International Data Transfers
7.1 Primary hosting within the EU
Client Data is hosted on servers located in Helsinki, Finland (European Union), operated by Hetzner Online GmbH. TrustData undertakes to maintain the primary hosting of Client Data within the EEA.
7.2 Governed transfers
Certain sub-processors are located in the United States (Cloudflare, Stripe, Resend). Data transfers are governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission (implementing decision 2021/914/EU of 4 June 2021), in accordance with Article 46(2)(c) of the GDPR.
7.3 Transfer Impact Assessments (TIA)
TrustData has carried out a Transfer Impact Assessment for each sub-processor located outside the EEA. A summary of these assessments is available on request at [email protected].
7.4 Supplementary measures
In addition to the SCCs, TrustData applies the following supplementary measures: encryption of data in transit and at rest, minimisation of the data transferred, and an assessment of the local law applicable to each sub-processor.
Article 8 — Data Breach Notification
8.1 Timeline
In the event of a data breach affecting Client Data, TrustData shall notify the Client without undue delay and no later than forty-eight (48) hours after becoming aware of it.
8.2 Content of the notification
The initial notification shall include, to the extent information is available:
- The nature of the breach, the categories and approximate number of data subjects affected
- The name and contact details of the DPO
- The likely consequences of the breach
- The measures taken or proposed to remediate the breach
8.3 Updates
TrustData shall provide regular updates as additional information becomes available.
Article 9 — Audit Rights
9.1 Right to audit
The Client, or a mandated third-party auditor bound by confidentiality obligations, has the right to verify TrustData's compliance with its obligations under this DPA, in accordance with Article 28(3)(h) of the GDPR.
9.2 Audit conditions
- Written notice at least thirty (30) days in advance
- Conducted during business hours with minimal disruption
- The auditor is bound by confidentiality obligations
- Except where required by law, a maximum of one (1) audit per twelve (12) month period
9.3 Compliance evidence
TrustData makes available: security questionnaires, documentation of technical and organisational measures (Annex 1), certifications and third-party audit reports where applicable.
Article 10 — Data Subject Rights Assistance
TrustData assists the Client in managing requests from data subjects exercising their rights (Articles 15 to 22 of the GDPR) through appropriate technical and organisational measures.
If a data subject addresses a rights request directly to TrustData, TrustData shall forward it to the Client without delay.
The Service provides the Client with features to respond to data subject requests, including data export and deletion.
Article 11 — Liability and Indemnification
The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Sale, unless otherwise required by the GDPR.
For external liability towards data subjects, Article 82 of the GDPR applies.
The Client shall indemnify TrustData against any claim arising from instructions given by the Client that are contrary to applicable law.
Article 12 — Duration and End of Processing
12.1 Duration
This DPA enters into force on the date of acceptance of the Terms of Sale and remains in force for as long as TrustData processes Client Data on behalf of the Client.
12.2 Handling of data at the end of the contract
Upon termination, the Client has thirty (30) days to export its Client Data. After this period, TrustData shall permanently and irreversibly delete all Client Data, unless required by law. Written confirmation of deletion is provided upon request.
Encrypted backups may be retained for up to sixty (60) days after termination, solely for integrity purposes, before deletion in the normal rotation cycle.
12.3 Survival
The obligations of confidentiality and data protection shall survive the termination of this DPA.
Articles 13 to 15 — Final Provisions
Article 13 — DPO
TrustData's Data Protection Officer may be contacted at: [email protected] — TRUSTDATA, 7 rue Cail, 75010 Paris.
Article 14 — Applicable law
This DPA is governed by French law. Any dispute shall be subject to the exclusive jurisdiction of the Paris Commercial Courts.
Article 15 — Miscellaneous
In the event of a conflict between this DPA and the Terms of Sale, the provisions of the DPA shall prevail in all matters relating to the processing of personal data. If any provision is declared void, the remaining provisions shall continue in force.
TrustData may amend this DPA to comply with changes in legislation, with thirty (30) days' notice. Continued use of the Service constitutes acceptance.
Annex 1 — Technical and Organisational Measures (Art. 32 GDPR)
TrustData maintains the following security measures to protect Client Data:
Physical access control
Servers are hosted in Hetzner data centres in Helsinki, certified to ISO/IEC 27001, with badge-controlled access, CCTV surveillance and 24/7 security personnel.
Logical access control
| Measure | Description |
|---|---|
| Authentication | Strong authentication required for all access to production systems |
| Access control | Role-based access control (RBAC), principle of least privilege |
| Logging | All login attempts and rights modifications are recorded |
| Password management | Complexity policy, automatic lock-out after inactivity |
| Production access | Restricted to a limited group of authorised personnel |
Encryption
| Scope | Measure |
|---|---|
| In transit | TLS 1.2 minimum for all communications (HTTPS) |
| At rest | Encryption of stored data (disk encryption) |
| Backups | Encrypted and stored at a geographically separate location within the EU |
Network security
- Network segmentation by VPC
- Firewall and security groups configured on a least-access basis
- Network anomaly monitoring
- DDoS protection via Cloudflare
Availability and resilience
- Redundant architecture with no single point of failure
- Regular backups with restoration testing
- Documented disaster recovery plan (DRP)
- Continuous 24/7 system monitoring
Organisational measures
- Staff training on data protection and security
- Contractual confidentiality commitments for all staff
- Documented information security policy
- Periodic security measure reviews
Annex 2 — List of Sub-processors
| Sub-processor | Role | Data location | Transfer safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Application hosting and Client Data storage | Helsinki, Finland (EU) | Data within the EU — no transfer outside EEA |
| Cloudflare, Inc. | CDN, DDoS protection, DNS for the marketing website | United States | SCCs (decision 2021/914/EU) |
| Stripe, Inc. | Payment processing and billing | United States | SCCs (decision 2021/914/EU) |
| Resend | Transactional email delivery | United States | SCCs (decision 2021/914/EU) |
Notes:
- Client Data (analytics) is stored exclusively within the EU (Hetzner, Helsinki).
- Cloudflare processes transit data (CDN) for the marketing website only. Analytics data does not transit through Cloudflare.
- Stripe processes Client payment data only. It does not process analytics Client Data.
- Resend processes email addresses for the delivery of transactional emails related to the Service.
The up-to-date list of sub-processors is available at: https://www.trustdata.tech/legal/dpa