Data Processing Agreement

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Services.
• "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
• "Services" means the Trulit test management platform and related services provided to the Controller.

2. Scope and Purpose of Processing

2.1 Subject Matter

The Processor processes Personal Data solely for the purpose of providing the Services to the Controller, as described in the main service agreement.

2.2 Categories of Data Subjects

• Controller's employees and contractors who use the Services
• Individuals whose data may be included in test cases, defect reports, or project data uploaded by the Controller

2.3 Types of Personal Data

• Account information (name, email address, job title)
• Usage data (IP address, browser type, session data)
• Content data (test cases, comments, attachments created by users)
• Authentication data (encrypted credentials, MFA tokens)

2.4 Duration of Processing

Personal Data will be processed for the duration of the service agreement and for the retention period specified in our Privacy Policy, unless earlier deletion is requested by the Controller.

3. Obligations of the Processor

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, unless required by applicable law
• Ensure that persons authorized to process Personal Data have committed to confidentiality
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability)
• Notify the Controller without undue delay upon becoming aware of a Personal Data breach
• Delete or return all Personal Data upon termination of the service agreement, at the Controller's choice
• Make available all information necessary to demonstrate compliance with this DPA

4. Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

• Encryption: Data encrypted in transit (TLS) and at rest by our cloud infrastructure provider
• Access Control: Role-based access control (RBAC) with multi-factor authentication
• Data Isolation: Row-level security policies ensuring project-level data separation
• Audit Logging: Activity tracking for data access and modifications
• Backup: Automated database backups provided by our cloud infrastructure
• Incident Response: Documented procedures for detecting and responding to security incidents

5. Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall:

• Maintain a list of current Sub-processors, available upon request
• Notify the Controller of any intended changes to Sub-processors, providing the Controller an opportunity to object
• Ensure Sub-processors are bound by data protection obligations no less protective than those in this DPA
• Remain fully liable for the acts and omissions of its Sub-processors

Current categories of Sub-processors include:

• Cloud Infrastructure: Database hosting, storage, and compute services
• Payment Processing: Subscription billing and payment handling (no credit card data stored by Trulit)
• Email Services: Transactional emails and notifications
• Analytics: Usage analytics and performance monitoring

6. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

• Right of Access (Article 15): Data export functionality is available within the platform
• Right to Rectification (Article 16): Users can update their personal data through account settings
• Right to Erasure (Article 17): Account deletion with a 90-day grace period is available
• Right to Data Portability (Article 20): Data can be exported in standard formats

8. Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:

• The nature of the breach, including categories and approximate number of Data Subjects affected
• The name and contact details of the Processor's data protection contact
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach

9. Term and Termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination, the Processor shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller within 90 days, unless retention is required by applicable law.

10. Contact

For questions about this Data Processing Agreement or to request the current list of Sub-processors, please contact us through our contact form or at privacy@trulit.com.