
Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") supplements the TrustFlow Terms of Service and governs the processing of personal data by TrustFlow SL ("Processor") on behalf of the Customer ("Controller").

1. Definitions

  • Personal Data — Any data relating to an identified or identifiable natural person, as submitted to the TrustFlow API by the Controller.
  • Processing — Any operation performed on Personal Data, including collection, storage, evaluation, and deletion.
  • Sub-processor — A third party engaged by the Processor to process Personal Data.

2. Scope and Purpose

The Processor processes Personal Data solely to provide the TrustFlow risk evaluation Service, as described in the Terms of Service. Processing activities include:

  • Risk evaluation — Transaction amounts, user IDs, merchant IDs → Compute risk score and governance decision
  • Usage metering — API call metadata → Billing and rate limiting
  • Audit logging — Trace IDs, decisions, timestamps → Compliance and debugging

3. Controller Obligations

The Controller shall:

  • Ensure a valid legal basis for submitting Personal Data to the API
  • Minimize Personal Data transmitted (use pseudonymous IDs where possible)
  • Inform data subjects about the use of TrustFlow for transaction governance
  • Notify the Processor of any data subject requests within 5 business days

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel with access to Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage Sub-processors without prior written authorization
  • Assist the Controller in responding to data subject requests
  • Delete or return Personal Data upon termination of the Service
  • Make available all information necessary for compliance audits

5. Security Measures

5.1 Technical

  • TLS 1.2+ encryption for all API communications
  • SHA-256 hashing of API keys and webhook secrets
  • Rate limiting and abuse detection
  • Security headers (HSTS, X-Frame-Options, CSP)
  • Infrastructure hosted in EU data centers
  • Automated vulnerability scanning

5.2 Organizational

  • Access to production systems limited to authorized personnel
  • Security incident response procedures
  • Employee confidentiality agreements
  • Regular security reviews

6. Sub-processors

Current authorized Sub-processors:

  • Fly.io / Railway — Cloud hosting (EU, Ireland)
  • Stripe — Payment processing (EU/US, with SCCs)
  • PostgreSQL hosting provider — Database (EU)

The Processor will notify the Controller at least 30 days before engaging a new Sub-processor. The Controller may object within 15 days.

7. Data Breach Notification

The Processor shall notify the Controller of any Personal Data breach without undue delay, and no later than 48 hours after becoming aware. Notification shall include:

  • Nature of the breach
  • Categories and approximate number of affected data subjects
  • Likely consequences
  • Measures taken or proposed to mitigate

8. Data Subject Requests

The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within 10 business days.

9. Data Transfers

Personal Data is processed within the EU. If transfer outside the EU is required, the Processor shall ensure:

  • An adequacy decision exists (GDPR Art. 45), or
  • Standard Contractual Clauses are in place (GDPR Art. 46.2.c)

10. Audit Rights

The Controller may audit the Processor's compliance with this DPA:

  • Once per year with 30 days' notice
  • At the Controller's expense
  • During normal business hours
  • Subject to reasonable confidentiality obligations

11. Duration and Termination

  • This DPA applies for the duration of the Service agreement
  • Upon termination, the Processor shall delete all Personal Data within 30 days
  • The Controller may request a data export before deletion

12. Liability

Liability under this DPA is governed by the Terms of Service.

13. Governing Law

This DPA is governed by the laws of Spain, in compliance with GDPR (EU Regulation 2016/679).

Contact

TrustFlow SL — legal@trust-flow.dev · DPO: dpo@trust-flow.dev

© 2026 TrustFlow. All rights reserved.