For procurement & legal
The page your security team can forward without follow-ups.
Contracting, payment, security, sub-processors, residency, renewal and termination — the things a procurement reviewer needs in one place. No marketing wrapper. If something’s missing, the contact link at the bottom routes straight to the right person.
Contracting & payment
Four payment paths.
Annual prepaid by default
Stripe Checkout, 5–500 seats, billed once for the year. Discounts band at 11, 31, and 101 seats — down to $55 / seat / year at 101–500. The 12-month pool is sized to your expected uptake; at renewal we re-size based on actual redemption.
Invoicing on request for orders we can’t put on a card
For orders above the self-serve range, or where your finance function pays by PO on net-30/60 against an invoice, email teams@trueings.com. We process those manually and you’ll have a counter-signed PO and an invoice within five business days.
Monthly arrears, pay-as-you-go
Available on request for partnership channels and enterprise customers. Not on the self-serve surface today; ask in the lead form.
Multi-year commitments
Not on the self-serve surface. Today the structure is annual + renewal; if your procurement team requires a multi-year term to release budget, talk to us — we will look at it on a per-deal basis.
The “unredeemed codes don’t roll over” line on the buy page is the consequence of sizing the pool to expected uptake. If your renewal model needs rollover (or any other modification), say so in the lead form — we negotiate at renewal, not at first order.
Legal documents
The contracts and the disclosures.
Master Subscription Agreement
The contract for firms buying a license pool. Roles, licences and redemption rules, payment, term and termination, liability, governing law.
Data Processing Agreement
Roles and responsibilities, what we process on your employees’ behalf, confidentiality boundary, sub-processors, retention, cross-border transfers, security measures, data-subject rights.
Privacy notice
The Article 13/14 disclosures for subjects and respondents — what we process, why, how long, the rights they have.
Terms of service
The contract for the individual subject using Trueings. Acceptable use, AI limitations, your content, termination.
All four are the current public versions. The MSA and DPA are under final counsel review before the B2B2C launch announcement; they will be re-published with a version marker the moment that review completes.
Security & residency
The short version, here. The forwardable version, at /security.
Sub-processors
Supabase (EU) for the application database; Anthropic (US, SCCs) for LLM inference; Resend (EU) for email; Stripe for payments; PostHog (EU) for cookieless event counts. Full list with regions and transfer bases on the Security page.
Residency
Subject and respondent data live in an EU Supabase project. LLM inference runs at Anthropic in the United States under Standard Contractual Clauses — disclosed honestly in the Privacy notice and DPA.
Retention
Raw conversational transcripts are deleted by a scheduled database job 30 days after each campaign’s synthesis. Synthesised reports and account data persist for the lifetime of the subject’s account.
Authentication
Subjects sign in via single-use magic links; no passwords are stored or accepted. Respondents access via signed, single-use JWTs bound to one response. Firm administrators authenticate the same way as subjects into a content-blind portal.
Procurement Q&A
The questions your reviewer will ask.
Do you offer a counter-signed DPA?
Yes, on request, for any order. The text is the same as the public DPA at /legal/dpa; we counter-sign and return within three business days.
What are the renewal and termination terms?
Annual auto-renews at the then-current per-seat price, with 60 days’ notice before the renewal date. Termination for convenience at the renewal date; termination for cause per the MSA. Renewals can be re-sized down or up based on the prior year’s actual redemption.
What is your incident-response and breach-notification commitment?
If we become aware of a personal-data breach affecting subject or respondent data, we notify the relevant controller without undue delay and within 72 hours where the breach is likely to result in a risk to data subjects (GDPR Art. 33). Procedural commitments live in the DPA.
What service-level commitments do you make?
For self-serve orders, the service is provided on a commercially reasonable best-efforts basis as described in the Terms. For orders that need a contracted SLA, email teams@trueings.com — we negotiate on a per-deal basis for enterprise rollouts.
Do you have SOC 2 / ISO 27001 / a SIG / a CAIQ?
Not today. The Security page is the most honest version of what we have and what we don’t — see the “What we don’t claim” section. SOC 2 Type I is scoped for the B2B2C mid-market phase; we will publish the report when it is real and not before.
Where do I send a vendor security questionnaire?
teams@trueings.com. We respond within five business days; longer questionnaires (SIG-Lite, CAIQ-Lite, custom) on a case-by-case basis as we scale. We will be honest about what we can answer in the affirmative today.
Contact
For your security and legal team.
For a vendor questionnaire (SIG-Lite, CAIQ-Lite, custom), a counter-signed DPA, monthly billing, a multi-year term, a custom SLA, or any change to the standard contracting surface, email teams@trueings.com or use the lead form on /for-teams. Replies within two business days.