True Record

Data Processing Agreement

Last updated: December 12, 2025

Note: We're an early-stage company and will keep this document updated as our policies mature.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer," "Data Controller") and True Record ("Processor," "we," "us") for the provision of duplicate detection services ("Services").

This DPA reflects the parties' agreement with respect to the processing of Personal Data in accordance with the requirements of Data Protection Laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

2. Definitions

  • "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR, CCPA, and any successor legislation.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by True Record on behalf of the Customer.
  • "Processing" has the meaning given in applicable Data Protection Laws.
  • "Sub-processor" means any third party engaged by True Record to process Personal Data on behalf of the Customer.
  • "Data Subject" means the individual to whom Personal Data relates.

3. Roles and Responsibilities

3.1 Customer as Data Controller

The Customer is the Data Controller for the Personal Data processed through the Services. As Data Controller, the Customer:

  • Determines the purposes and means of processing Personal Data
  • Ensures it has a lawful basis for processing under Data Protection Laws
  • Provides necessary notices to Data Subjects
  • Ensures compliance with Data Protection Laws
  • Has authority to share Personal Data with True Record

3.2 True Record as Data Processor

True Record acts as a Data Processor, processing Personal Data only on documented instructions from the Customer. We:

  • Process Personal Data only as necessary to provide the Services
  • Comply with Customer's lawful processing instructions
  • Implement appropriate security measures
  • Assist with Data Subject requests
  • Support the Customer's compliance obligations

4. Scope of Processing

4.1 Nature and Purpose of Processing

True Record processes Personal Data for the following purposes:

  • Duplicate detection and data quality management in Salesforce
  • Providing audit trails and reports
  • Delivering the Services as described in the Terms of Service

4.2 Types of Personal Data

The Personal Data processed may include:

  • Contact information (names, email addresses, phone numbers)
  • Company/organization names
  • Salesforce record identifiers
  • User account information (email, org affiliation)
  • Field text configured for matching that may be sent to OpenAI to generate embeddings (no training use)
  • Audit log data (actions performed, timestamps)

4.3 Categories of Data Subjects

Data Subjects may include:

  • Customer's employees and team members
  • Customer's leads, contacts, and prospects in Salesforce
  • Business contacts and account representatives

4.4 Duration of Processing

Processing will continue for the duration of the Customer's subscription and during the retention period specified in our Privacy Policy (typically 90 days after resolution, configurable by Customer).

5. Customer Instructions

True Record will process Personal Data only in accordance with the Customer's documented instructions, which include:

  • The Terms of Service and this DPA
  • Configuration settings chosen by the Customer (matching rules, fields, thresholds)
  • Actions taken through the Service interface (merges, dismissals, exports)
  • Written instructions provided to our support team

If we believe an instruction violates Data Protection Laws, we will inform the Customer and, unless legally prohibited, suspend processing until the instruction is confirmed or amended.

6. Security Measures

True Record implements appropriate technical and organizational measures to protect Personal Data, including:

6.1 Technical Measures

  • Encryption in Transit: TLS 1.2+ for all data transmission
  • Encryption at Rest: AES-256-GCM for sensitive data (OAuth tokens)
  • Database Encryption: Enabled for PostgreSQL database
  • Access Controls: Role-based access control (RBAC)
  • Authentication: Secure OAuth 2.0 flows, magic link authentication

6.2 Organizational Measures

  • Access Limitation: Access restricted to authorized personnel only
  • Audit Logging: Comprehensive logging of all data access and modifications
  • Data Minimization: Collection limited to what's necessary for the Services
  • Incident Response: Procedures for detecting and responding to security incidents
  • Regular Updates: Security patches and updates applied promptly

For more details, see our Security & FAQ page.

7. Sub-processors

7.1 Authorized Sub-processors

The Customer authorizes True Record to engage the following Sub-processors:

  • Salesforce (core integration, customer's Salesforce instance region)
  • OpenAI (embedding generation; receives only configured matching fields; no model training)
  • Neon (database hosting, US East - AWS us-east-1)
  • Vercel (application hosting, global edge network)
  • Stripe (payment processing, US with global replication)
  • Resend (email delivery, US)

See our complete Subprocessor List for details including data regions and privacy policies.

7.2 Sub-processor Obligations

True Record ensures that:

  • Sub-processors are bound by written agreements imposing data protection obligations equivalent to this DPA
  • Sub-processors implement appropriate security measures
  • Sub-processors comply with Data Protection Laws
  • True Record remains liable for Sub-processor performance

7.3 Changes to Sub-processors

True Record will provide reasonable notice of any new Sub-processors or changes to existing Sub-processors by:

The Customer may object to a new Sub-processor within 30 days of notice. If the objection is reasonable and True Record cannot accommodate it, either party may terminate the affected Services.

8. Data Subject Rights

8.1 Assistance with Requests

True Record will assist the Customer in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:

  • Access: Right to obtain confirmation and access to Personal Data
  • Rectification: Right to correct inaccurate Personal Data
  • Erasure: Right to deletion ("right to be forgotten")
  • Portability: Right to receive Personal Data in a machine-readable format
  • Restriction: Right to restrict processing
  • Objection: Right to object to processing

8.2 Self-Service Tools

We provide self-service tools for common Data Subject requests:

  • Data Export: Automated export via Privacy Settings page (JSON format)
  • Data Deletion: Deletion request workflow with admin review
  • Account Updates: Self-service settings management

8.3 Request Handling

If True Record receives a Data Subject request directly, we will:

  • Promptly notify the Customer
  • Not respond directly unless legally required
  • Provide reasonable assistance to the Customer

9. Data Breach Notification

In the event of a Personal Data breach, True Record will:

  • Notify the Customer without undue delay and within 72 hours of becoming aware
  • Provide information about:
    • Nature of the breach
    • Categories and approximate number of Data Subjects affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
  • Cooperate with the Customer's investigation and remediation
  • Take reasonable steps to mitigate harm

Notification will be made to the Customer's primary contact via email at security@[customer-domain] (if provided) or the registered account email.

10. Data Protection Impact Assessment (DPIA)

Upon reasonable request, True Record will provide information necessary for the Customer to conduct a Data Protection Impact Assessment (DPIA) or prior consultation with supervisory authorities.

This may include:

  • Description of processing activities
  • Security measures implemented
  • Sub-processor information
  • Data flow diagrams

11. Audits and Compliance

11.1 Audit Rights

The Customer may audit True Record's compliance with this DPA:

  • Once per year, upon reasonable notice (30 days)
  • During normal business hours
  • At Customer's expense
  • Subject to confidentiality obligations

11.2 Documentation

True Record will maintain records of processing activities, including:

  • Categories of processing
  • Sub-processors used
  • Security measures implemented
  • Data breach incidents and responses

12. International Data Transfers

12.1 Data Locations

Personal Data is primarily processed and stored in the United States (AWS us-east-1 region).

12.2 Transfer Mechanisms

For transfers from the EEA/UK/Switzerland to the United States, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Sub-processor data processing agreements with equivalent protections
  • Supplementary measures where appropriate

12.3 Salesforce Data Residency

Data synced from Salesforce follows the Customer's Salesforce instance region. We only store minimal snapshots in our US database.

13. Return and Deletion of Data

13.1 Upon Termination

Upon termination of the Services, True Record will:

  • Delete or return Personal Data at the Customer's choice
  • Complete deletion within 30 days
  • Provide confirmation of deletion upon request
  • Retain only as required by law or legitimate business purposes

13.2 Retention Exceptions

We may retain Personal Data to the extent required by:

  • Applicable law (e.g., financial records for tax purposes)
  • Backup systems (automatically purged within 30 days)
  • Audit log requirements (subject to retention policy)

14. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service.

True Record will indemnify the Customer against fines and penalties imposed by supervisory authorities for breaches of this DPA caused by True Record's failure to comply with Data Protection Laws, subject to the limitations in the Terms of Service.

15. Term and Termination

This DPA will remain in effect for as long as True Record processes Personal Data on behalf of the Customer. It will automatically terminate when:

  • The Services are terminated
  • All Personal Data has been deleted or returned
  • No processing is occurring

Sections that by their nature should survive termination (including confidentiality, liability, and audit rights) will continue to apply.

16. Governing Law and Disputes

This DPA is governed by the same law as the Terms of Service. Any disputes will be resolved in accordance with the dispute resolution provisions in the Terms of Service.

17. Contact Information

For DPA-related inquiries, contact:
