Data Processing Agreement

1. Scope

This Data Processing Agreement (DPA) governs the processing of personal data by Trust OS on behalf of its customers, in compliance with GDPR, CCPA, and applicable data protection laws.

2. Processing Details

Categories of data subjects: Customer employees, contractors, and authorized users.

Types of personal data: Name, email, job title, organization, authentication logs, and usage metadata.

Processing purpose: Platform operation, security enforcement, compliance monitoring, and customer support.

3. Subprocessors

Authorized subprocessors include: AWS (infrastructure hosting), Cloudflare (CDN and security), and DataDog (monitoring). All subprocessors are bound by contractual obligations equivalent to this DPA.

4. Security Measures

Technical and organizational measures include: encryption at rest and in transit, 24/7 SOC monitoring, penetration testing, access controls with MFA, and regular security audits.

5. Data Subject Rights

Trust OS provides customer with the ability to fulfill data subject access, rectification, erasure, portability, and objection requests through platform tools and API.

6. International Transfers

Data processed in US regions by default. EU data protected under Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.

7. Duration

DPA effective for the term of the underlying service agreement. Data returned or deleted within 60 days of termination.