DATA PROCESSING AGREEMENT
Last updated: January 8, 2025
This data processing agreement (the “DPA”) for Trueguard OÜ (“Trueguard”, "Company," "we," "us," or "our") constitutes an inseparable part of the Terms of Service and a data processing agreement in the meaning of GDPR Article 28 between you (“you”, “Client”) as the data controller and Trueguard as the data processor. It outlines the terms under which we process, store, and handle Personal Information on your behalf, as required to provide our Services. This includes processing activities performed when you:
Utilize our services through our platform or APIs.
Submit or transmit data to our systems as part of your use of our Services.
This DPA is to be read in conjunction with our Terms of Service, Privacy Policy, and other terms. All terms, conditions, and definitions outlined in Terms of Service and Privacy Policy are incorporated herein by reference. Furthermore, Parties acknowledge and agree that the data protection terms like “personal data”, “processing”, “data controller”, “data processor”, etc., used in this DPA shall have the meaning ascribed to these in the General Data Protection Regulation EU 2016/679, “GDPR”.
For clarity, by using our Services, you explicitly acknowledge and agree that you are acting on behalf of a legal entity which you represent. All actions taken on our platform, including the provision of information, are performed in your capacity as a representative of that entity, not as an individual consumer.
Parties have agreed as follows:
The Client acknowledges and agrees that any and all data, including personal data, uploaded to or otherwise made available to the Services by the Client or created by the Client when using the Services, shall be treated as the Client's data, being under the control of the Client. This means that the Client shall be the data controller and Trueguard shall act as a data processor.
The Parties shall comply with the obligations arising from the GDPR and other applicable legislation concerning the processing and protection of personal data (our obligations applicable to a data processor and the Client's obligations applicable to a data controller) with regard to personal data processed when using the Services.
The Client shall at all times ensure that processing of the personal data by it is lawful and in compliance with applicable legal acts (including data protection laws) and the Client hereby instructs Trueguard to process the personal data as described in this DPA.
Upon processing of the personal data Trueguard shall:
process the personal data only within the scope required according to the Terms of Service as well as Privacy Policy and for provision of the Services thereunder or in any other way according to the instructions of the Client (to be given by e-mail to info@trueguard.io);
apply appropriate technical and organizational measures, inter alia those listed in GDPR Article 32(1), if appropriate, in order to protect the personal data against unauthorized or unlawful processing and accidental or unlawful loss, destruction, damage, alteration or disclosure; and ensure the protection of rights of data subjects;
refer all requests or inquiries by data subjects (e.g., customers or employees of the Client) to the Client without responding to such requests;
keep personal data confidential and not disclose them to third parties, except if disclosure to certain third parties is permitted under our other policies or this DPA and guarantee that all employees of Trueguard involved in the provision of Services are bound by a confidentiality obligation;
transfer the personal data outside EU only in compliance with conditions laid down in GDPR Chapter V and only upon prior consent of the Client;
make available information reasonably required by the Client to demonstrate the fulfilment of the obligations of the Client as the controller and Trueguard as the processor on the basis of GDPR Article 28;
once in a calendar year enable the Client or the auditor authorized by the Client to perform the personal data processing and protection related audits and contribute to their conduct, provided that the Client shall pay for the related costs;
inform the Client of any data protection incident and take all measures required to remedy/mitigate the consequences of the data protection incident, unless the Client has advised otherwise;
assist the Client in fulfillment of the obligations stipulated in GDPR Articles 32-36, taking into consideration the method of processing of personal data and the information available to Trueguard.
The Parties also agree on the following:
Duration of the data processing - the duration of the data processing shall be the duration of the DPA;
Data subjects – personal data of the following data subjects: employees/representatives of the Client, who are authorized/invited by the Client to use the Platform/Services; metadata may concern the following categories of data subjects: representatives, employees and customers of the Client;
Categories of data - the Parties acknowledge that Trueguard processes (i) names, e-mails, phone numbers, mailing addresses, passwords, contact and authentication data, IP addresses, data related to device and network fingerprints as well as personal ID code of the employees/representatives of the Client, who are authorized/invited by the Client to use the Platform/Services and (ii) metadata, which depending on the configuration used by the Client may enable personalization.
Purpose of processing operations - performance of the Services according to the Terms of Service.
By agreeing to this DPA, the Client grants Trueguard a general authorization (in the meaning of GDPR Article 28(2)) to involve processors for the purposes of providing the services (which include processing of personal data) under the Terms of Service and Privacy Policy.
Trueguard shall by e-mail inform the Client of any intended changes concerning the addition or replacement of other processors, thereby giving the Client the opportunity to object to such changes by notifying Trueguard by e-mail within 14 days after receipt of respective notice from Trueguard. If the Client objects to a new processor, Trueguard will use reasonable efforts to make available to the Client a change in the Services or use of the Services to avoid processing of personal data by the objected-to new processor. If Trueguard is unable to make available such change within a reasonable period of time, which shall not exceed 30 days, the Client may refrain from the use of Platform and terminate the Terms of Service.
By agreeing to this DPA, the Client approves the sub-processors listed in this Clause 8. The processors currently used by Trueguard for provision of the Services (which include processing of personal data) are:
Amazon AWS (https://aws.amazon.com/) | Frankfurt and Ireland | Server Infrastructure
Proxycheck (https://proxycheck.io/) | Germany and Finland | IP information service
OpenAI (https://openai.com/) | USA | AI model service
Anthropic (https://www.anthropic.com/) | USA | AI model service
Together AI (https://www.together.ai/) | USA | AI model service
Avian (https://avian.io/) | USA | AI model service
Posthog (https://posthog.com/) | Frankfurt | Analytics service
Elasticsearch (https://www.elastic.co/elasticsearch) | Stockholm | Search and analytics engine
If Trueguard uses other processors for carrying out specific processing operations with the personal data, it will do it based on the written contract concluded with such processor, by which the processor, when processing the personal data, is obliged to follow at least data protection level equal to the one provided in this DPA.
Trueguard will process Client's data (which may include personal data) on behalf of the Client until the termination of the Terms of Service.
Notwithstanding the provisions of this DPA, Trueguard may store and disclose Client's data (incl. personal data) to the extent obligated by applicable laws. In such case, we will use reasonable efforts to provide Client with prior notice of such disclosure (to the extent legally permitted). Should the Client wish to contest the disclosure of such data, it shall provide Trueguard reasonable assistance and any measures to contest the disclosure will be at the cost of the Client.
When acting as the data controller, i.e. when collecting and processing personal data from its own clients (e.g. the name, e-mail, phone number of Client's representative for creation of a user account with us), Trueguard follows the privacy terms provided in its Privacy Policy, available at the Website.
With regard to issues not regulated in this DPA, e.g. governing law, resolution of disputes, liability, etc., the provisions of Terms of Service and Privacy Policy shall apply.
If you have questions or comments about this notice, you may contact us by email at info@trueguard.io or by post at:
Trueguard OÜ
Valukoja 8/2
Tallinn, Harju 11415
Estonia