Data Processing Agreement (DPA)
Last updated: 23 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Trst and the customer ("Customer"). It governs Trst's processing of personal data on the Customer's behalf and is designed to satisfy India's DPDP Act, 2023 (Sec 8(2)) and the EU GDPR (Art. 28).
1. Roles
For personal data the Customer connects or uploads, the Customer is the Data Fiduciary / Controller and Trst is the Data Processor. Trst processes such personal data only on the Customer's documented instructions, which include using the Trst platform as configured by the Customer.
2. Nature, purpose & duration
Trst processes personal data to provide the compliance-monitoring service — collecting and storing control evidence and metadata from systems the Customer connects — for the duration of the Customer's subscription. Categories of data and data principals are described in Annex A.
3. Trst's obligations as processor
Trst shall: (a) process only on the Customer's instructions; (b) ensure personnel are bound by confidentiality; (c) implement the security measures in Annex B; (d) assist the Customer in responding to data-principal/subject rights requests; (e) assist with the Customer's breach-notification and DPIA obligations; and (f) make available information to demonstrate compliance.
4. Security
Trst maintains appropriate technical and organisational measures (Annex B), including encryption of credentials at rest (AES-256-GCM), TLS in transit, least-privilege access, hash-verified evidence, and an immutable activity log. See our Security & Trust page.
5. Sub-processors
The Customer authorises Trst to engage the sub-processors listed at /subprocessors. Trst imposes data-protection obligations on each sub-processor no less protective than this DPA, and will give notice before adding a new sub-processor so the Customer may object.
6. Data-principal / data-subject rights
Trst provides functionality and reasonable assistance to help the Customer fulfil requests for access, correction, erasure, and grievance redressal within statutory timelines.
7. Personal data breach
Trst will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, with information reasonably available to assist the Customer's own notification duties (DPDP Sec 8(6) / GDPR Art. 33).
8. Return & deletion
On termination, Trst will delete or return the Customer's personal data within a reasonable period, except where retention is required by law.
9. Audits
Trst will make available information necessary to demonstrate compliance with this DPA and allow for audits, subject to reasonable confidentiality and security conditions.
10. International transfers & residency
The Customer's personal data is hosted in India. Trst does not transfer it outside India except as necessary to provide the service and as permitted by applicable law.
Annex A — Details of processing
Subject matter: provision of the Trst compliance platform. Duration: the subscription term. Nature/purpose: collecting, storing and analysing control evidence and metadata. Categories of data: account data, connector credentials, and configuration/evidence metadata from connected systems. Data principals: the Customer's personnel and, indirectly, individuals referenced in connected systems.
Annex B — Security measures
Encryption at rest (AES-256-GCM) and in transit (TLS); role-based least-privilege access; hash-verified, append-only evidence; immutable activity logging; India data residency; least-scope, revocable connector access.
Annex C — Sub-processors
The current list is published at /subprocessors.
How to execute
To countersign this DPA for your organisation, contact privacy@trst.tech. We'll provide a signable copy.
This document is a good-faith template tailored for Trst and should be reviewed by qualified legal counsel before relying on it for a production service.