Definitions
“Affiliate” means, with respect to a party, any person or entity that controls, is controlled by, or is under common control with such party, where “control” means ownership of fifty percent (50%) or more of the outstanding voting securities.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data, including a “Business” as defined under Section 1798.140(c) of the CCPA.
“Data Processor” means a natural or legal person, public authority, agency, or other body which Processes Data on behalf of a Controller, including any “Service Provider” as defined under Section 1798.140(v) of the CCPA.
“Data Protection Laws” means, as and to the extent they apply to that Party, any applicable laws and regulations in relation to the privacy or Processing of Personal Data, including as may be applicable: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (b) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”); and (c) any laws intended to implement, replace or supplement any of the foregoing, as amended, consolidated, re-enacted or replaced from time to time.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable natural person, including without limitation, information about Customer employees that is Processed by Privacera pursuant to this DPA.
“Process” (or “Processing” or “Processed”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Sub-processors” means each third party with which Privacera contracts in connection with the performance by that third party of any part of the Services and each other downstream third-party contractor engaged for such purposes.
The terms “Transfer”, “Supervisory Authority”, and “appropriate technical and organizational measures” shall be interpreted in accordance with the applicable Data Protection Laws.
Roles of the Parties
For the purpose of this DPA, the Parties acknowledge and confirm that Customer is a Controller and Privacera is a Processor for the Processing of Personal Data. Each party shall, and agrees to, comply with Data Protection Laws with respect to the performance of its obligations hereunder.
Description of the Processing Activities
Personal information is processed for the period necessary to fulfill the purposes for which it is collected, to comply with legal and regulatory obligations, and for the duration of any period necessary to establish, exercise or defend any legal rights.
In some instances, we may choose to anonymize personal information instead of deleting it for statistical use. When we choose to anonymize, we make sure that there is no way that the personal information can be linked back to any specific individual.
While we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification.
Transfer of Data
Where Privacera Processes Personal Data that is subject to the GDPR, the terms and conditions set forth in the standard contractual clauses issued by the European Commission attached hereto at Exhibit A (the “Standard Contractual Clauses”) shall apply to such Processing. The Parties agree that the terms in the Standard Contractual Clauses are incorporated by reference into this DPA. Customer is defined as data exporter and Privacera is defined as data importer within the terms of the Standard Contractual Clauses. If there is a conflict between the provisions of this DPA or the data privacy provisions of the Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
Privacera dba Trust3 AI Obligations
Processing of Data
Privacera shall only Process such Personal Data in accordance with Customer’s written instructions from time to time or as required for Privacera to provide, manage and facilitate the provision of the Services. To the extent Privacera Processes any Personal Data subject to the CCPA, Privacera (a) shall not further collect, use, retain, access, share, transfer, or otherwise Process Personal Data for any purpose not related to providing the Services; and (b) is prohibited from “selling” Personal Data as defined under the CCPA. Privacera shall promptly inform Customer if, in its opinion, the Customer’s instructions infringe or violate any Data Protection Laws.
Security; Confidentiality
Privacera will implement appropriate industry standard technical and organizational measures reasonably designed to ensure a level of security appropriate to the risk. Privacera will take reasonable steps to ensure that any person acting under its authority who has access to Personal Data is bound by enforceable contractual or statutory confidentiality obligations.
Data Breach
Privacera shall inform Customer without undue delay upon becoming aware of a security breach resulting in accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to unencrypted Personal Data. Privacera shall provide all reasonable information concerning such Data Breach including: (a) possible cause and consequences for Data Subjects; (b) categories of Personal Data involved; (c) summary of possible consequences; (d) summary of unauthorized recipients; and (e) measures taken to mitigate any damage.
Assistance to Customer
Privacera will assist Customer, at Customer’s cost and expense, in complying with the requirements under Data Protection Laws relating to data security, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities. If Privacera receives a request from a Data Subject to exercise a Data Subject right, Privacera will promptly notify Customer of the request and use commercially reasonable efforts to assist Customer with responding.
Return/Destruction of Personal Data
Upon termination of the Agreement or this DPA for any reason, or on Customer’s instructions, Privacera shall promptly cease to Process the Personal Data and shall return and/or destroy all copies in Privacera’s possession or control, unless any Data Protection Law prevents it from doing so.
Customer Obligations
General
Customer represents and warrants that (a) it has the necessary rights to transfer or make available such Personal Data to Privacera; (b) Customer’s instructions comply with and will not cause Privacera to be in breach of any Data Protection Laws; (c) Customer has taken all necessary steps to ensure that any Data Subjects are aware of the nature of the Processing; and (d) Customer is in compliance with all Data Protection Laws.
Affiliates
Where an Affiliate of Customer is the Data Controller over any Personal Data processed by Privacera under this DPA, Customer will procure that any relevant Affiliate complies with its obligations under the Data Protection Laws. Customer shall remain responsible for its Affiliates’ performance under this DPA.
Sub-processors
Customer gives a general authorization to Privacera to disclose Personal Data to Sub-processors; provided that each Sub-processor shall be bound by a written agreement imposing the same data protection obligations as are imposed on Privacera under this DPA. Privacera shall give Customer reasonable prior written notice of any new Sub-processor appointment. If Customer notifies Privacera in writing of any objections within seven (7) business days of receipt of that notice, then Privacera shall not appoint the proposed Sub-processor.
Audit and Records
Privacera shall make available to Customer, on request, all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections by Customer, a Supervisory Authority, or an independent auditor mandated by Customer of Privacera’s data processing facilities, procedures and documentation. Privacera shall fully cooperate with Customer in respect of any such audit.
Changes in Data Protection Laws
Notwithstanding any provisions to the contrary in this DPA, if any change in Data Protection Laws may require or result in any variation to this DPA, Privacera will modify this DPA as necessary and provide a copy of the modified DPA to Customer. Customer shall notify Privacera of any objection to such modifications within thirty (30) days. If no objection is received within this period, Customer will be deemed to have accepted such modifications.
Schedule A — Description of Processing Activities
| Data Subjects | Customer employees (name and email). |
| Categories of data | Employee name and business email address; user/account identifiers; authentication and access-log metadata. |
| Special categories of data | None. |
| Geographic location | [Insert processing/hosting region(s)]. |
| Subcontractors | Privacera’s subcontractors that have access to or otherwise Process Personal Data are identified under the applicable Agreement/MSA. |
Exhibit A — Standard Contractual Clauses
EU Module Two: Controller to Processor
1. Incorporation
The standard contractual clauses for the transfer of personal data to third countries set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”) are incorporated into and form part of this DPA and apply wherever Privacera Processes Personal Data subject to the GDPR that is transferred outside the EEA. Only Module Two (Controller to Processor) applies. Customer is the data exporter; Privacera is the data importer.
2. Elections
| Clause 7 (Docking clause) | Applies. |
| Clause 9 (Sub-processors) | Option 2 — general written authorisation. Privacera will notify Customer of any addition or replacement at least 14 days in advance. |
| Clause 11 (Optional redress) | The optional independent dispute-resolution language does NOT apply. |
| Clause 17 (Governing law) | Law of Ireland. |
| Clause 18 (Forum/jurisdiction) | Courts of Ireland. |
3. UK & Swiss Transfers
For Personal Data subject to the UK GDPR, the UK International Data Transfer Addendum (version B1.0, in force 21 March 2022) is incorporated. For Personal Data subject to the Swiss FADP, references to the GDPR are read as the FADP, the competent authority is the Swiss FDPIC, and “Member State” includes Switzerland for data-subject claims.
4. Precedence
In the event of any conflict between the EU SCCs and the remainder of this DPA or the Agreement, the EU SCCs prevail with respect to the transfer of Personal Data subject to the GDPR.
Annex I
A. List of Parties
Data exporter — Controller:
| Name & address | [Customer legal entity name and registered address] |
| Contact | [Customer privacy contact — name, title, email] |
| Role | Controller |
Data importer — Processor:
| Name & address | Privacera, Inc., 39899 Balentine Dr., Suite 330, Newark, CA 94560, USA |
| Contact | Privacera Privacy / Legal |
| Role | Processor |
Signature/date: Execution of the DPA by each Party is deemed signature of these Clauses.
B. Description of Transfer
| Data subjects | Customer’s authorised users and personnel (employees, contractors, administrators) of the Services. |
| Categories of personal data | Name; business email address; user/account identifiers; authentication and access-log data (login events, IP address, role/entitlement and audit metadata). |
| Sensitive data | None intended. Where Customer data sources contain sensitive data, the access controls, encryption and masking in Annex II apply. |
| Nature & purpose | Hosting, storage, access control, logging, audit, monitoring and support necessary to provide and operate the Services per Customer’s documented instructions. |
| Frequency | Continuous, for the term of the Agreement. |
| Retention | For the term of the Agreement; returned or deleted on termination, then retained only as required by law. |
C. Competent Supervisory Authority
The supervisory authority of the EU Member State in which the data exporter (or its Art. 27 representative) is established; failing that, the Irish Data Protection Commission.
Annex II — Technical and Organisational Measures
The data importer maintains, and requires of its sub-processors, security measures appropriate to the risk, including:
- Access control: role-based, least-privilege access; MFA for admin/remote access; prompt deprovisioning.
- Encryption: data encrypted in transit (TLS) and at rest; controlled key management; masking/pseudonymisation where appropriate.
- Resilience: network segmentation, firewalls, intrusion detection, access logging, backups and tested restoration.
- Vulnerability management: regular scanning, patching and periodic penetration testing; secure-development and change-management procedures.
- Organisational: security policies, staff training and confidentiality obligations; documented incident/breach response; SOC 2 / ISO 27001 as maintained; sub-processor risk management with equivalent flow-down obligations.
- Assistance: configurable access/export/deletion features and audit logs to help Customer meet data-subject requests and Articles 32–36 GDPR.