Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Poverud IT ("Processor", "we", "us") and the customer ("Controller", "you") for the use of TrueConfig services.

This DPA reflects the parties' agreement with respect to the processing of Personal Data by the Processor on behalf of the Controller in accordance with the requirements of the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

"Personal Data"

Any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.

"Processing"

Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion as defined in Article 4(2) of the GDPR.

"Controller"

The entity that determines the purposes and means of processing Personal Data (the Customer).

"Processor"

The entity that processes Personal Data on behalf of the Controller (Poverud IT / TrueConfig).

"Sub-processor"

Any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Data Subject"

An identified or identifiable natural person whose Personal Data is processed.

3.1 Categories of Data Subjects

• •Customer employees and administrators using TrueConfig
• •Users whose identity data exists in connected Microsoft Entra ID tenants
• •Guest users and external collaborators in connected tenants

3.2 Categories of Personal Data

• •Identity data: names, email addresses, user principal names, user IDs
• •Professional data: job titles, department, manager relationships
• •Access data: group memberships, role assignments, permissions
• •Technical data: IP addresses (security logs), user agents, device metadata

3.3 Processing Purposes

• •Providing the TrueConfig service as described in the Terms of Service
• •Security posture assessment and configuration monitoring
• •Drift detection and remediation
• •Audit logging and compliance reporting

3.4 Duration of Processing

Processing continues for the duration of the service agreement plus a 30-day grace period after termination. Data is retained according to the customer's subscription plan (30, 90, or 365 days) and then automatically deleted.

The Processor shall:

• a)Process Personal Data only on documented instructions from the Controller, unless required by applicable law
• b)Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
• c)Implement appropriate technical and organizational security measures as described in Section 8
• d)Respect the conditions for engaging sub-processors as described in Section 6
• e)Assist the Controller in responding to data subject requests
• f)Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
• g)Delete or return all Personal Data at the end of the service, unless retention is required by law
• h)Make available information necessary to demonstrate compliance and allow for audits

The Controller warrants that:

• a)It has a lawful basis for processing Personal Data and for instructing the Processor to process such data
• b)It has provided appropriate notice to data subjects regarding the use of TrueConfig
• c)It has authority to grant the permissions requested by TrueConfig in Microsoft Entra ID
• d)Its instructions to the Processor comply with applicable data protection laws

The Controller provides general authorization for the Processor to engage sub-processors. The current list of sub-processors is:

The Processor will notify the Controller of any intended changes to sub-processors by updating this page. The Controller may object to such changes within 30 days by contacting legal@trueconfig.io.

The Processor ensures that sub-processors are bound by data protection obligations no less protective than those in this DPA.

The Processor shall assist the Controller in responding to data subject requests, including:

• •Right of access (Article 15 GDPR)
• •Right to rectification (Article 16 GDPR)
• •Right to erasure (Article 17 GDPR)
• •Right to restriction of processing (Article 18 GDPR)
• •Right to data portability (Article 20 GDPR)
• •Right to object (Article 21 GDPR)

TrueConfig provides self-service data export and account deletion functionality. For requests received directly from data subjects, the Processor will redirect them to the Controller unless otherwise instructed.

The Processor implements the following technical and organizational measures:

8.1 Encryption

• •Data in transit: TLS 1.2+ encryption for all connections
• •Data at rest: AES-256-GCM encryption for sensitive data (OAuth tokens)
• •Database encryption at rest via Supabase infrastructure

8.2 Access Control

• •Row-level security (RLS) ensuring tenant data isolation
• •Role-based access control (RBAC) for application access
• •Multi-factor authentication for administrative access

8.3 Monitoring and Logging

• •Comprehensive audit logging of all data access and modifications
• •Immutable audit trail with retention per customer plan
• •Security monitoring and alerting

8.4 Data Isolation

• •Logical separation of customer data at the database level
• •Per-organization encryption keys for sensitive data
• •No cross-tenant data access or sharing

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting the Controller's data.

The notification shall include:

• •Description of the nature of the breach
• •Categories and approximate number of data subjects affected
• •Likely consequences of the breach
• •Measures taken or proposed to address the breach

Notifications will be sent to the account owner's email address on file.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an independent auditor.

Audits shall be conducted:

• •With reasonable advance notice (minimum 30 days)
• •During normal business hours
• •Subject to confidentiality obligations
• •No more than once per year unless required by a supervisory authority

The Processor may satisfy audit requests by providing relevant certifications, audit reports, or third-party assessments.

The Processor's primary infrastructure is located in the European Union (Frankfurt, Germany).

Where Personal Data is transferred outside the European Economic Area, the Processor ensures appropriate safeguards are in place, including:

• •EU Standard Contractual Clauses (SCCs) with sub-processors
• •Adequacy decisions where applicable
• •Supplementary technical measures (encryption, pseudonymization)

Upon termination of the service agreement:

• •The Controller may request a data export within the 30-day grace period
• •Data export is provided in JSON format via the self-service portal or upon request
• •After the 30-day grace period, all Personal Data is permanently deleted
• •Deletion is verified through automated cleanup processes

Certain data may be retained longer if required by law (e.g., audit records for compliance purposes).

Each party shall be liable for damages caused by processing that infringes the GDPR or this DPA in accordance with Article 82 of the GDPR.

The Processor shall only be liable for damage caused by processing where it has not complied with obligations specifically directed to processors under the GDPR or where it has acted outside or contrary to lawful instructions of the Controller.

Any limitations of liability in the Terms of Service apply to this DPA to the extent permitted by applicable law.

For questions about this DPA or to request a signed copy: