[{"data":1,"prerenderedAt":68},["ShallowReactive",2],{"legal-dpa-en":3},{"id":4,"title":5,"body":6,"description":6,"extension":7,"meta":8,"navigation":60,"path":62,"seo":63,"stem":66,"__hash__":67},"content_en/legal/dpa.yml","Dpa",null,"yml",{"hero":9,"content":12},{"headline":10,"description":11},"Data Processing Agreement (DPA)","Last updated — March 11, 2026",{"intro":13,"sections":14},"This Data Processing Agreement (hereinafter \"DPA\") is entered into between the **Client** (data controller) and **TRUSTDATA**, a société à responsabilité limitée (private limited company) with a share capital of €1,000.00, registered with the Paris Trade and Companies Register under number 931 119 333, with its registered office at 7 rue Cail, 75010 Paris, France (hereinafter \"TrustData\" or \"the Processor\").\n\nThis DPA forms an integral part of the [Terms of Sale (CGV)](/legal/terms-of-sale) and is automatically accepted upon subscription to the Service. It is established in accordance with Article 28(3) of the GDPR. **No separate signature is required.** This document is public and may be shared with clients or supervisory authorities.\n",[15,18,21,24,27,30,33,36,39,42,45,48,51,54,57],{"title":16,"content":17},"Article 1 — Definitions","**\"Personal data\"**: any information relating to an identified or identifiable natural person within the meaning of Article 4(1) of the GDPR.\n\n**\"Client Data\"**: personal data processed by TrustData on behalf of the Client in connection with the provision of the Service, including data relating to visitors of the Client's websites and applications.\n\n**\"Processing\"**: any operation or set of operations performed on personal data within the meaning of Article 4(2) of the GDPR.\n\n**\"Data breach\"**: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, within the meaning of Article 4(12) of the GDPR.\n\n**\"Sub-processor\"**: any sub-contractor engaged by TrustData to process Client Data on the Client's behalf.\n\n**\"Service\"**: the TrustData SaaS platform accessible at https://app.trustdata.tech.\n",{"title":19,"content":20},"Article 2 — Subject Matter and Roles of the Parties","This DPA sets out the conditions under which TrustData, acting as a **data processor** within the meaning of Article 28 of the GDPR, processes personal data on behalf of the Client, acting as a **data controller**.\n\nThe Client determines the purposes and means of processing the personal data of visitors to its websites and applications.\n\nTrustData processes Client Data solely on documented instructions from the Client, in the context of providing the Service and in accordance with this DPA.\n",{"title":22,"content":23},"Article 3 — Description of Processing","**Nature and purpose**\n\nCollection, storage, statistical analysis and presentation of navigation and conversion data of visitors to the Client's websites and applications, for the purposes of marketing observability, performance measurement and multi-touch attribution.\n\n**Categories of personal data processed**\n\n| Category | Examples |\n|----------|----------|\n| Navigation data | Pages visited, date and time, session duration |\n| Technical data | IP address (anonymised or full depending on configuration), browser, OS, resolution |\n| Geolocation data | Country, region, city (derived from IP) |\n| Conversion data | Conversion events, transaction values, order identifiers |\n| Source data | Referrer, UTM campaign parameters |\n| Interaction data | Clicks, scroll, custom events |\n| Identifiers | First-party cookie identifiers, user identifiers (if configured) |\n\n**Data subjects**: visitors and users of the Client's websites and applications.\n\n**Duration of processing**: the entire duration of the contract. Upon termination, Article 12 of this DPA applies.\n",{"title":25,"content":26},"Article 4 — Obligations of the Client (Data Controller)","The Client undertakes to:\n\n- Have a valid legal basis (Article 6 of the GDPR) for the collection of data via the Service\n- Inform data subjects via a privacy policy compliant with Articles 13 and 14 of the GDPR, including reference to TrustData as a data processor\n- Obtain, where required, the prior consent of data subjects before cookies or trackers are placed by the Service\n- Carry out, where necessary, a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the GDPR\n- Respond to requests from data subjects exercising their rights (Articles 15 to 22 of the GDPR)\n- Ensure that any instruction given to TrustData complies with applicable law\n",{"title":28,"content":29},"Article 5 — Obligations of TrustData (Data Processor)","**5.1 Processing on instruction**\n\nTrustData processes Client Data solely on the basis of documented instructions from the Client. TrustData does not process Client Data for its own purposes. If TrustData considers that an instruction constitutes a breach of applicable law, it shall inform the Client without delay.\n\n**5.2 Confidentiality**\n\nTrustData ensures that persons authorised to process Client Data are subject to a contractual obligation of confidentiality and have received appropriate data protection training.\n\n**5.3 Security of processing (Article 32 GDPR)**\n\nTrustData implements appropriate technical and organisational measures, including:\n\n- Encryption of data in transit (TLS 1.2 minimum) and at rest\n- Role-based access control (RBAC) with strong authentication\n- Access logging and monitoring\n- Regular, tested backups\n- Network segmentation and firewall protection\n- Periodic security testing\n\n**5.4 Assistance to the Client**\n\nTrustData assists the Client in fulfilling its obligations regarding data subject rights and Articles 32 to 36 of the GDPR (security, breach notification, DPIA). If TrustData receives a data subject rights request directly, it shall forward it to the Client without delay.\n",{"title":31,"content":32},"Article 6 — Sub-processors","**6.1 General authorisation**\n\nThe Client authorises TrustData to engage the sub-processors listed in Annex 2 of this DPA. TrustData ensures that each sub-processor is bound by data protection obligations at least as protective as those in this DPA (Article 28(4) of the GDPR).\n\n**6.2 Change notification**\n\nTrustData shall notify the Client of any addition or replacement of a sub-processor at least **thirty (30) days** before the change takes effect.\n\n**6.3 Right to object**\n\nThe Client has thirty (30) days in which to object by written, reasoned notification. If the disagreement persists, the Client may cancel its subscription without penalty.\n\n**6.4 Liability**\n\nTrustData remains fully liable to the Client for the performance of its sub-processors' obligations.\n",{"title":34,"content":35},"Article 7 — International Data Transfers","**7.1 Primary hosting within the EU**\n\nClient Data is hosted on servers located in **Helsinki, Finland (European Union)**, operated by Hetzner Online GmbH. TrustData undertakes to maintain the primary hosting of Client Data within the EEA.\n\n**7.2 Governed transfers**\n\nCertain sub-processors are located in the United States (Cloudflare, Stripe, Resend). Data transfers are governed by the **Standard Contractual Clauses (SCCs)** adopted by the European Commission (implementing decision 2021/914/EU of 4 June 2021), in accordance with Article 46(2)(c) of the GDPR.\n\n**7.3 Transfer Impact Assessments (TIA)**\n\nTrustData has carried out a Transfer Impact Assessment for each sub-processor located outside the EEA. A summary of these assessments is available on request at dpo@trustdata.tech.\n\n**7.4 Supplementary measures**\n\nIn addition to the SCCs: encryption of data in transit and at rest, minimisation of transferred data, assessment of applicable local law.\n",{"title":37,"content":38},"Article 8 — Data Breach Notification","**8.1 Timeline**\n\nIn the event of a data breach affecting Client Data, TrustData shall notify the Client **without undue delay and no later than forty-eight (48) hours** after becoming aware of it.\n\n**8.2 Content of the notification**\n\nThe initial notification shall include, to the extent information is available:\n\n- The nature of the breach, the categories and approximate number of data subjects affected\n- The name and contact details of the DPO\n- The likely consequences of the breach\n- The measures taken or proposed to remediate the breach\n\n**8.3 Updates**\n\nTrustData shall provide regular updates as additional information becomes available.\n",{"title":40,"content":41},"Article 9 — Audit Rights","**9.1 Right to audit**\n\nThe Client, or a mandated third-party auditor bound by confidentiality obligations, has the right to verify TrustData's compliance with its obligations under this DPA, in accordance with Article 28(3)(h) of the GDPR.\n\n**9.2 Audit conditions**\n\n- Written notice at least **thirty (30) days** in advance\n- Conducted during business hours with minimal disruption\n- The auditor is bound by confidentiality obligations\n- Except where required by law, a maximum of one (1) audit per twelve (12) month period\n\n**9.3 Compliance evidence**\n\nTrustData makes available: security questionnaires, documentation of technical and organisational measures (Annex 1), certifications and third-party audit reports where applicable.\n",{"title":43,"content":44},"Article 10 — Data Subject Rights Assistance","TrustData assists the Client in managing requests from data subjects exercising their rights (Articles 15 to 22 of the GDPR) through appropriate technical and organisational measures.\n\nIf a data subject addresses a rights request directly to TrustData, TrustData shall forward it to the Client without delay.\n\nThe Service provides the Client with features to respond to data subject requests, including data export and deletion.\n",{"title":46,"content":47},"Article 11 — Liability and Indemnification","The liability of each party under this DPA is subject to the limitations and exclusions set out in the Terms of Sale, unless otherwise required by the GDPR.\n\nFor external liability towards data subjects, Article 82 of the GDPR applies.\n\nThe Client shall indemnify TrustData against any claim arising from instructions given by the Client that are contrary to applicable law.\n",{"title":49,"content":50},"Article 12 — Duration and End of Processing","**12.1 Duration**\n\nThis DPA enters into force on the date of acceptance of the Terms of Sale and remains in force for as long as TrustData processes Client Data on behalf of the Client.\n\n**12.2 Fate of data at the end of the contract**\n\nUpon termination, the Client has **thirty (30) days** to export its Client Data. After this period, TrustData shall permanently and irreversibly delete all Client Data, unless required by law. Written confirmation of deletion is provided upon request.\n\nEncrypted backups may be retained for up to **sixty (60) days** after termination, solely for integrity purposes, before deletion in the normal rotation cycle.\n\n**12.3 Survival**\n\nThe obligations of confidentiality and data protection shall survive the termination of this DPA.\n",{"title":52,"content":53},"Articles 13 to 15 — Final Provisions","**Article 13 — DPO**\n\nTrustData's Data Protection Officer may be contacted at: **dpo@trustdata.tech** — TRUSTDATA, 7 rue Cail, 75010 Paris.\n\n**Article 14 — Applicable law**\n\nThis DPA is governed by French law. Any dispute shall be subject to the exclusive jurisdiction of the Paris Commercial Courts.\n\n**Article 15 — Miscellaneous**\n\nIn the event of a conflict between this DPA and the Terms of Sale, the provisions of the DPA shall prevail in all matters relating to the processing of personal data. If any provision is declared void, the remaining provisions shall continue in force.\n\nTrustData may amend this DPA to comply with changes in legislation, with thirty (30) days' notice. Continued use of the Service constitutes acceptance.\n",{"title":55,"content":56},"Annex 1 — Technical and Organisational Measures (Art. 32 GDPR)","TrustData maintains the following security measures to protect Client Data:\n\n**Physical access control**\n\nServers are hosted in Hetzner data centres in Helsinki, certified to ISO/IEC 27001, with badge-controlled access, CCTV surveillance and 24/7 security personnel.\n\n**Logical access control**\n\n| Measure | Description |\n|---------|-------------|\n| Authentication | Strong authentication required for all access to production systems |\n| Access control | Role-based access control (RBAC), principle of least privilege |\n| Logging | All login attempts and rights modifications are recorded |\n| Password management | Complexity policy, automatic lock-out after inactivity |\n| Production access | Restricted to a limited group of authorised personnel |\n\n**Encryption**\n\n| Scope | Measure |\n|-------|---------|\n| In transit | TLS 1.2 minimum for all communications (HTTPS) |\n| At rest | Encryption of stored data (disk encryption) |\n| Backups | Encrypted and stored at a geographically separate location within the EU |\n\n**Network security**\n\n- Network segmentation by VPC\n- Firewall and security groups configured on a least-access basis\n- Network anomaly monitoring\n- DDoS protection via Cloudflare\n\n**Availability and resilience**\n\n- Redundant architecture with no single point of failure\n- Regular backups with restoration testing\n- Documented disaster recovery plan (DRP)\n- Continuous 24/7 system monitoring\n\n**Organisational measures**\n\n- Staff training on data protection and security\n- Contractual confidentiality commitments for all staff\n- Documented information security policy\n- Periodic security measure reviews\n",{"title":58,"content":59},"Annex 2 — List of Sub-processors","| Sub-processor | Role | Data location | Transfer safeguards |\n|---------------|------|--------------|-------------------|\n| Hetzner Online GmbH | Application hosting and Client Data storage | Helsinki, Finland (EU) | Data within the EU — no transfer outside EEA |\n| Cloudflare, Inc. | CDN, DDoS protection, DNS for the marketing website | United States | SCCs (decision 2021/914/EU) |\n| Stripe, Inc. | Payment processing and billing | United States | SCCs (decision 2021/914/EU) |\n| Resend | Transactional email delivery | United States | SCCs (decision 2021/914/EU) |\n\n**Notes:**\n\n- Client Data (analytics) is stored exclusively within the EU (Hetzner, Helsinki).\n- Cloudflare processes transit data (CDN) for the marketing website only. Analytics data does not transit through Cloudflare.\n- Stripe processes Client payment data only. It does not process analytics Client Data.\n- Resend processes email addresses for the delivery of transactional emails related to the Service.\n\nThe up-to-date list of sub-processors is available at: https://www.trustdata.tech/legal/dpa\n",{"title":61},"DPA","/legal/dpa",{"title":64,"description":65},"Data Processing Agreement (DPA) - TrustData","TrustData Data Processing Agreement — Article 28 GDPR. Terms for the processing of personal data on behalf of TrustData Service clients.","legal/dpa","SZx44NAPLj7gAUPZXhYqd149EstGInFurJokfyn1hwo",1773825055073]