Data Processing Addendum

Last updated May 18, 2026

Template notice. This is the standard form of TrustekAI's DPA. Enterprise customers receive a counter-signed copy as part of their Master Services Agreement and may negotiate specific clauses with their legal counsel.

1. Scope and Definitions

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Controller") and Innovenses Pty Ltd trading as TrustekAI ("Processor") for the provision of the TrustekAI platform (the "Service"). Capitalized terms have the meanings set out in the GDPR or, where applicable, the Australian Privacy Act 1988 ("Privacy Act") and the equivalent laws of the customer's jurisdiction. "Customer Data" means personal data that the Controller, its end users, or its AI agents transmit to or through the Service.

2. Roles of the Parties

The Controller is the controller of Customer Data. TrustekAI is the processor and processes Customer Data only on documented instructions from the Controller, including with regard to transfers to third countries. Where TrustekAI is required by law to process Customer Data otherwise, it shall inform the Controller of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.

3. Purpose and Duration

TrustekAI processes Customer Data solely for the purposes of providing, securing, and improving the Service for the Controller. Processing continues for the term of the customer's subscription. On termination, the Controller has 30 days to export Customer Data; after that period, TrustekAI deletes or anonymizes the data per Section 8.

4. Categories of Data and Data Subjects

Categories of personal data: account contact details (name, email), authentication tokens, usage logs, and any personal data contained in agent inputs/outputs the Controller routes through the Service. Categories of data subjects: the Controller's employees who use the Service; the Controller's end users whose interactions are processed by the Controller's AI agents.

5. Security Measures

TrustekAI implements the following technical and organisational measures:

• Encryption in transit (TLS 1.2+) for all customer-facing endpoints.
• Encryption at rest (AES-256) for the primary database and object storage.
• Role-based access control with least-privilege defaults.
• Audit logging of administrative actions retained for 7 years.
• Annual penetration testing by an independent third party.
• Quarterly access reviews of production systems.
• Multi-factor authentication for all employee access to production environments.

Additional measures (BYOK, private networking, customer-managed retention) are available under the Enterprise plan.

6. Sub-processors

TrustekAI uses sub-processors to provide certain elements of the Service. The current list is maintained at /subprocessors and includes infrastructure, observability, and email-delivery vendors. TrustekAI imposes data-protection obligations equivalent to those in this DPA on each sub-processor. TrustekAI will give the Controller at least 30 days' advance notice of any new sub-processor; the Controller may object on reasonable data-protection grounds.

7. International Transfers

Where personal data is transferred outside the European Economic Area, the United Kingdom, or Australia, TrustekAI relies on Standard Contractual Clauses (Modules 2 or 3 as applicable), the UK International Data Transfer Addendum, and Australian Privacy Principle 8 cross-border disclosure safeguards. Customer-specific transfer impact assessments are provided on request.

8. Data Retention and Deletion

Customer Data is retained for the window specified in the Controller's subscription (typically 30, 90, or 365 days for telemetry; 7 years for compliance evidence). On termination, Customer Data is exportable for 30 days and then deleted from primary systems within 60 days; backups are purged on the next regularly-scheduled rotation, within at most 35 days thereafter.

9. Data Subject Rights

TrustekAI will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests for exercising data subject rights (access, rectification, erasure, restriction, portability, objection). Such requests should be addressed by the Controller; TrustekAI does not respond directly to data subjects on the Controller's behalf.

10. Personal Data Breach

TrustekAI will notify the Controller without undue delay and in any case within 72 hours after becoming aware of a personal data breach affecting Customer Data. Notifications will include the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and the measures taken to address the breach.

11. Audit Rights

TrustekAI will make available to the Controller all information necessary to demonstrate compliance with this DPA. On reasonable prior notice (not less than 30 days), the Controller (or its independent auditor under NDA) may audit TrustekAI's compliance once per year. Audits will be conducted during business hours and will not unreasonably interfere with operations. Where TrustekAI has obtained applicable third-party audit reports (such as SOC 2 or ISO 27001), it may, with the Controller's agreement, provide them in lieu of on-site audits to the extent they cover the relevant scope; TrustekAI does not currently hold such reports and will notify enterprise customers as they become available.

12. Return or Deletion at End of Services

On termination or expiry of the agreement, TrustekAI will return Customer Data or delete it at the Controller's choice, except where applicable law requires retention. Deletion is confirmed in writing on request.

13. Conflicts

In the event of any conflict between this DPA and the underlying agreement, this DPA governs with respect to the processing of personal data.

Questions about this document can be sent to privacy@trustekai.com.