Data Processing Addendum.
A standard DPA is available for TrueSign customer engagements. The summary below describes its principal terms; the executable instrument is provided under the master agreement.
Roles
For platform operations, the customer institution is the data controller and Data World 1, LLC acts as a data processor on documented instructions. For website inquiries, Data World 1, LLC acts as an independent controller.
Subject matter and duration
Processing is limited to authorization workflow data necessary for the service and persists for the term of the master agreement plus any agreed retention.
Sub-processors
A current sub-processor list is provided to customers and updated under change control. Customers receive prior notice of material changes with a reasonable objection window.
Security
Technical and organizational measures include hardware-bound key custody, mTLS-protected APIs, an append-only audit ledger, and least-privilege administrative access. Independent assessment under SOC 2 / ISO 27001 is on the roadmap and represented under NDA.
International transfers
Standard Contractual Clauses are incorporated by reference where required, supplemented as appropriate.
Audit
Customer audit rights are exercisable on reasonable notice consistent with security and confidentiality, including via independent third-party reports.
Request the executable DPA
Institutional customers may request the current DPA at charlesc@dataworldone.com.
- [1] Regulation (EU) 2016/679, Article 28 (Processor obligations) and Article 32 (Security of processing). https://eur-lex.europa.eu/eli/reg/2016/679/oj
- [2] Commission Implementing Decision (EU) 2021/914, Standard Contractual Clauses for international transfers. https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
- [3] UK International Data Transfer Agreement and Addendum to the EU SCCs (ICO). https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/international-data-transfer-agreement-and-guidance/
- [4] ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection, Information security management systems.
- [5] AICPA Trust Services Criteria (TSP Section 100), as applied in SOC 2 Type II examinations.
Citations are provided for transparency. Authoritative interpretation of any cited statute, regulation, or standard rests with the issuing body and qualified counsel in the relevant jurisdiction.
