← Truvana

Data Processing Agreement

Last Updated: December 27, 2024

Note: This Data Processing Agreement ("DPA") supplements your Master Services Agreement or subscription agreement with Truvana. To execute this DPA, please contact legal@truvana.com.

1. Definitions

  • "Customer" means the organization that has entered into an agreement with Truvana for the provision of the Service.
  • "Customer Data" means any personal data processed by Truvana on behalf of the Customer in connection with the Service.
  • "Data Controller" means the Customer, who determines the purposes and means of processing Customer Data.
  • "Data Processor" means Truvana, who processes Customer Data on behalf of the Customer.
  • "Sub-processor" means any third party engaged by Truvana to process Customer Data.
  • "Personal Data" has the meaning given under applicable data protection laws, including CCPA and GDPR where applicable.

2. Scope and Purpose

This DPA applies when Truvana processes Personal Data on behalf of the Customer in connection with the Service. The types of Personal Data processed may include:

  • Employee names, contact information, and employment details
  • Performance evaluation data
  • Infraction and disciplinary records
  • Manager and administrator account information

Truvana shall process Customer Data only for the purpose of providing the Service and in accordance with the Customer's documented instructions.

3. Truvana's Obligations

Truvana agrees to:

  • Process Customer Data only on documented instructions from the Customer
  • Ensure that personnel processing Customer Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in responding to data subject requests
  • Notify the Customer of any data breach without undue delay (within 72 hours)
  • Delete or return Customer Data upon termination of the Service, unless retention is required by law
  • Make available information necessary to demonstrate compliance with this DPA

4. Sub-processors

The Customer authorizes Truvana to engage Sub-processors to process Customer Data, subject to the following conditions:

  • Truvana maintains a list of current Sub-processors at truvana.com/subprocessors
  • Truvana will notify the Customer of any intended changes to Sub-processors at least 30 days in advance
  • Each Sub-processor will be bound by data protection obligations substantially similar to those in this DPA
  • Truvana remains liable for the acts and omissions of its Sub-processors

5. Security Measures

Truvana implements and maintains the following security measures:

  • Encryption of data at rest and in transit
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Employee security training
  • Incident response procedures
  • Business continuity and disaster recovery

For details, see our Security & Compliance page.

6. Data Breach Notification

In the event of a confirmed data breach affecting Customer Data, Truvana will:

  • Notify the Customer within 72 hours of becoming aware of the breach
  • Provide details of the breach, including categories and approximate number of data subjects affected
  • Describe the likely consequences and measures taken to address the breach
  • Cooperate with the Customer in investigating and remediating the breach

7. Audit Rights

The Customer may, upon reasonable notice, request information or conduct audits to verify Truvana's compliance with this DPA. This may be satisfied by:

  • Responding to security questionnaires (SIG, HECVAT, custom formats)
  • Providing security and privacy documentation
  • Permitting on-site audits with reasonable advance notice

8. Data Transfers

Customer Data is stored and processed in the United States. Truvana does not transfer Customer Data outside the United States except as necessary to provide the Service using approved Sub-processors.

9. Term and Termination

This DPA remains in effect for the duration of the Customer's use of the Service. Upon termination:

  • Customer may request export of Customer Data within 30 days
  • Truvana will delete Customer Data within 90 days, unless legal retention requirements apply
  • Upon request, Truvana will certify the deletion of Customer Data in writing

10. Contact

For questions about this DPA or to execute an agreement:

Truvana, LLC
Email: legal@truvana.com
Data Protection Contact: privacy@truvana.com

© 2026 Truvana, LLC. All rights reserved.