Data Processing Agreement
Last updated: April 2026
This Data Processing Agreement ("DPA") is entered into between TrussNote, Inc. ("TrussNote") and the Customer identified in the applicable Order Form or by accepting the Terms of Service ("Customer"). It governs the processing of personal data by TrussNote on behalf of the Customer in connection with the TrussNote platform.
1. Definitions
"Controller" means the Customer (you, the organization using TrussNote) who determines the purposes and means of processing Personal Data.
"Processor" means TrussNote, Inc., which processes Personal Data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
"Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR) 2016/679, the UK GDPR, and the California Consumer Privacy Act (CCPA).
2. Scope and roles
This Data Processing Agreement ("DPA") forms part of the TrussNote Terms of Service and applies where TrussNote processes Personal Data on your behalf in the course of providing the Services.
You are the Controller of Personal Data submitted to the Services. TrussNote acts as a Processor of that data, processing it only on your documented instructions as described in this DPA and the Terms of Service.
3. Instructions for processing
TrussNote will process Personal Data only on your documented instructions. The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are as described in the Terms of Service and this DPA.
You instruct TrussNote to process Personal Data to provide, operate, maintain, and improve the Services; to comply with your instructions and requests; and to comply with applicable legal obligations.
4. Confidentiality
TrussNote will ensure that all personnel authorized to process Personal Data are subject to a binding confidentiality obligation and are only permitted to process Personal Data on a need-to-know basis.
5. Security
TrussNote implements and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
Role-based access controls limiting internal access to authorized personnel.
Regular security assessments and vulnerability testing.
Incident response and breach notification procedures.
6. Sub-processors
You authorize TrussNote to engage sub-processors to assist in providing the Services. TrussNote's current sub-processors include:
Supabase, Inc. (cloud infrastructure and database hosting, United States).
Resend, Inc. (transactional email delivery, United States).
OpenAI, Inc. (AI language model inference, United States).
Anthropic, PBC (AI language model inference, United States).
Stripe, Inc. (payment processing, United States).
TrussNote will impose data protection obligations on each sub-processor equivalent to those in this DPA. TrussNote will notify you of any intended changes to this sub-processor list with at least 10 days' notice, giving you the opportunity to object.
7. International transfers
TrussNote stores and processes data in the United States. Where TrussNote transfers Personal Data from the European Economic Area (EEA) or the United Kingdom to a country that has not been deemed adequate, it does so pursuant to the Standard Contractual Clauses adopted by the European Commission or equivalent transfer mechanisms.
By entering into this DPA, you acknowledge and agree to such transfers.
8. Data subject rights
TrussNote will assist you in fulfilling your obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, portability, restriction, and objection). Users may exercise these rights directly via account settings or by contacting info@trussnote.com.
TrussNote will notify you promptly if it receives a Data Subject request relating to data you control, without responding directly unless instructed.
9. Security incidents and breach notification
In the event of a Personal Data breach, TrussNote will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification will describe the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
10. Data Protection Impact Assessments
TrussNote will provide reasonable assistance to you in carrying out any Data Protection Impact Assessment (DPIA) required under Article 35 of the GDPR, where such assessment relates to the processing activities TrussNote performs under this DPA.
11. Retention and deletion
TrussNote will retain Personal Data for as long as your account is active or as necessary to provide the Services. Upon termination of your account or upon your written request, TrussNote will delete or return all Personal Data within 30 days, except where retention is required by law.
You may request deletion of your data at any time via account settings (Settings > Danger Zone) or by contacting info@trussnote.com.
12. Audit rights
Upon your written request and with at least 30 days' notice, TrussNote will provide information necessary to demonstrate compliance with this DPA. TrussNote may satisfy audit rights by providing relevant third-party audit reports (e.g., SOC 2 Type II) in lieu of on-site audits.
13. Governing law
This DPA is governed by the same law as the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA will prevail with respect to Personal Data processing.
14. Contact
For questions about this DPA or to submit data processing instructions, contact us at info@trussnote.com.
TrussNote, Inc. Data Protection inquiries: info@trussnote.com
Need a signed DPA?
Enterprise customers can request a countersigned PDF copy of this DPA. Email us at info@trussnote.com with the subject line "DPA Request".