Data Processing Agreement

Version 2026-05-20

Draft / placeholder. This document is a starting point pending legal review. Mid-market customers requiring a counter-signed DPA should email teams@trueings.com — we'll provide the current counsel-reviewed version on request.

This Data Processing Agreement ("DPA") supplements the Master Subscription Agreement between Trueings and your organization. It addresses how personal data is processed when your organization participates in the Trueings B2B2C channel.

1. Roles and responsibilities

Your employees are the data subjects whose personal data flows through Trueings. You (the organization) are the buyer of the licence pool; Trueings is the data controller for employee account data and feedback content; your employees are also data controllers in respect of their own accounts and the people they invite to respond.

Your organization does not have access to employee feedback content. The DPA confirms that boundary in writing.

2. What we process on your employees' behalf

  • Account data: each redeeming employee's chosen account email, display name, country, profession, and the employer affiliation credential (work email + employer display name, license-bound active window).
  • Feedback content: conversational interview turns from respondents the employee invites, stored as raw transcripts for up to 30 days post-synthesis, then automatically purged.
  • Synthesized output: the anonymised, confidentiality-filtered report accessible only to the employee.

3. Confidentiality boundary

Your organization receives only aggregate, content-blind metrics (redemption rate, completion rate, tool-satisfaction NPS once collected). Your organization will not attempt to identify which employee redeemed which license, nor to infer feedback content from engagement data, nor to compel employees to share their reports.

4. Sub-processors

We use the following sub-processors. The list reflects providers actively in use; material changes are notified with at least thirty days' notice.

  • Supabase — managed Postgres and passwordless authentication. EU region.
  • Anthropic — large-language-model inference. US-hosted; transfers covered by Standard Contractual Clauses. Zero-retention agreement applies to traffic from our org — content is not retained beyond inference and is not used for training.
  • Resend — transactional email delivery. EU region.
  • Stripe — payment processing for paid plans. We do not store card details.

5. Retention

  • Raw conversational transcripts: automatically deleted thirty days after each employee's report is finalised.
  • Synthesized reports: retained for the lifetime of the employee's account (which survives their leaving your organization).
  • License records: retained for the lifetime of your organization's account plus a statutory archival period for billing.

6. Cross-border transfers

Data is primarily processed in the European Union. Transfers to non-EU sub-processors (currently: Anthropic, US) are covered by Standard Contractual Clauses and minimised to what the service requires (LLM inference only; no identifying data flows alongside).

7. Security measures

We maintain technical and organisational measures consistent with the sensitivity of the data, including row-level security on personal data, encryption in transit and at rest, least-privilege access controls, and an audited operator surface for any cross-tenant access.

8. Data subject rights

Employees can exercise their GDPR rights (access, rectification, erasure, portability) directly from their Trueings dashboard or by emailing privacy@trueings.com. Your organization is not in the loop for these requests, consistent with the confidentiality boundary above.

9. Term and termination

This DPA remains in effect for as long as the MSA is in effect AND as long as Trueings retains any personal data processed on behalf of your employees. Termination triggers the standard retention timelines above.

10. Contact

Counter-signed DPA, sub-processor notifications, security questionnaires: teams@trueings.com. Data-subject (employee) requests: privacy@trueings.com.