This Data Processing Addendum describes how TrustCheck processes customer data when providing the platform. It is intended as a baseline addendum and should be reviewed by legal counsel before contractual use.
1. Roles
For most customer content, scan data, evidence, and organization records, the customer is the controller or business and TrustCheck acts as processor or service provider. TrustCheck may act as controller for account administration, billing, fraud prevention, security, legal compliance, and product operations.
2. Processing Instructions
TrustCheck processes customer data according to the customer's use of the platform, these policies, applicable agreements, support instructions, legal obligations, and security requirements.
3. Data Categories
Processed data may include account data, organization data, asset records, scan targets, source code uploads, security findings, evidence files, reports, billing metadata, integration logs, support messages, and audit logs.
4. Security Measures
- Authentication, authorization, role-based access, and admin review controls.
- Asset ownership verification before sensitive scanning and monitoring.
- Encryption or protected storage for secrets and provider credentials where applicable.
- Audit logging for sensitive actions such as verification, scans, plan changes, and badge updates.
- Operational controls for backups, access review, incident response, and secure configuration.
5. Subprocessors
TrustCheck may use subprocessors for hosting, email, payment, analytics, security, storage, messaging, and integrations. See the Subprocessors page.
6. Deletion And Return
Upon account closure or written request, TrustCheck will delete or return eligible customer data subject to legal, security, backup, audit, billing, fraud-prevention, and contractual retention requirements.
7. Assistance
TrustCheck will provide reasonable assistance for security, privacy, access, deletion, and compliance requests through the support process.