Data Processing Agreement
# TRUOPTIM SOLUTIONS LTD

# DATA PROCESSING AGREEMENT

Copyright © 2025-present TruOptim Solutions Ltd. All rights reserved.

**Version:** 1.0
**Effective Date:** January 2026
**Last Updated:** January 2026

---

## PARTIES

This Data Processing Agreement ("**DPA**") is entered into between:

**TruOptim Solutions Ltd** ("**Processor**", "**TruOptim**", "**we**", "**us**", or "**our**")
Company Registration No. 16742261
Registered in England and Wales
205 Regent Street, 4th Floor
London, England, W1B 4HB
United Kingdom

and

**The Customer** ("**Controller**", "**you**", or "**your**")
As identified in the applicable Software Licence Agreement or End User Licence Agreement

---

## 1. DEFINITIONS AND INTERPRETATION

### 1.1 Definitions

In this DPA, unless the context otherwise requires:

"**Applicable Data Protection Laws**" means all laws and regulations relating to the processing of personal data that apply to the processing activities under this DPA, including:

- UK General Data Protection Regulation (UK GDPR)
- EU General Data Protection Regulation (EU GDPR) 2016/679
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003 (PECR)
- Any applicable laws in other jurisdictions where personal data is processed

"**Controller**" has the meaning given in Article 4(7) UK GDPR – the natural or legal person which determines the purposes and means of the processing of Personal Data.

"**Data Subject**" means an identified or identifiable natural person whose Personal Data is processed under this DPA.

"**EEA**" means the European Economic Area.

"**Personal Data**" has the meaning given in Article 4(1) UK GDPR – any information relating to an identified or identifiable natural person.

"**Personal Data Breach**" has the meaning given in Article 4(12) UK GDPR – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"**Processing**" has the meaning given in Article 4(2) UK GDPR – any operation performed on Personal Data.

"**Processor**" has the meaning given in Article 4(8) UK GDPR – a natural or legal person which processes Personal Data on behalf of the Controller.

"**Services**" means the TruOptim Industrial AI Gateway software and related support services as described in the applicable Software Licence Agreement.

"**Software Licence Agreement**" means the End User Licence Agreement (EULA), subscription agreement, or other agreement under which you have licensed the Services.

"**Standard Contractual Clauses**" or "**SCCs**" means:

- For UK transfers: the International Data Transfer Agreement (UK IDTA) or UK Addendum to EU SCCs
- For EEA transfers: the Standard Contractual Clauses adopted by EU Commission Decision 2021/914

"**Sub-processor**" means any third party engaged by TruOptim to process Personal Data on behalf of the Controller.

"**Technical and Organisational Measures**" or "**TOMs**" means appropriate technical and organisational security measures as required by Article 32 UK GDPR.

### 1.2 Interpretation

- References to "**Articles**" are to Articles of the UK GDPR unless otherwise specified.
- Headings are for convenience only and do not affect interpretation.
- "**Including**" means "including without limitation".
- References to legislation include amendments, re-enactments, and subordinate legislation.

---

## 2. SCOPE AND APPLICATION

### 2.1 Application of this DPA

This DPA applies where and to the extent that:

(a) TruOptim processes Personal Data on your behalf in connection with the Services; and

(b) you are a Controller in respect of that Personal Data.
### 2.2 Incorporation

This DPA:

(a) supplements and forms part of the Software Licence Agreement;

(b) takes precedence over the Software Licence Agreement to the extent of any conflict regarding data protection matters; and

(c) shall remain in effect for the duration of TruOptim's processing of Personal Data under the Software Licence Agreement.

### 2.3 Customer as Controller

You acknowledge and agree that:

(a) you are the Controller in respect of any Personal Data processed through the Services;

(b) **Customer Data** (including industrial process data, sensor readings, OPC UA telemetry, and AI Agent interactions) **remains within your Microsoft Azure tenant** and is not accessed by TruOptim except as expressly permitted under Section 2.4;

(c) you are responsible for determining the lawful basis for processing and ensuring compliance with your obligations as Controller under Applicable Data Protection Laws.

### 2.4 TruOptim as Processor

TruOptim acts as Processor only for the limited processing activities described in **Schedule 1** (Processing Details), which includes:

(a) **Lead Capture Data**: Contact details provided through ROI Calculator, Readiness Assessment, and similar tools on TruOptim websites;

(b) **Account Data**: User credentials, recovery emails, and authentication data for the Cloud Gateway;

(c) **Transactional Communications**: Email addresses for password reset, trial notifications, and welcome emails;

(d) **Support Data**: Information provided during support requests;

(e) **Audit Logs**: Security and operational audit logs containing usernames and timestamps.

---

## 3. PROCESSING OF PERSONAL DATA

### 3.1 Processor Obligations

TruOptim shall:

(a) process Personal Data only on your documented instructions, unless required by law (in which case TruOptim shall inform you before processing unless prohibited by law);

(b) ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) implement and maintain appropriate Technical and Organisational Measures as described in **Schedule 2**;

(d) comply with the conditions for engaging Sub-processors set out in Section 6;

(e) taking into account the nature of the processing, assist you by appropriate technical and organisational measures for the fulfilment of your obligation to respond to Data Subject requests;

(f) assist you in ensuring compliance with Articles 32-36 (security, breach notification, DPIAs, prior consultation);

(g) at your choice, delete or return all Personal Data on termination and delete existing copies unless storage is required by law;

(h) make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.

### 3.2 Controller Obligations

You shall:

(a) ensure you have a lawful basis for the processing of Personal Data;

(b) ensure Data Subjects have received appropriate privacy notices;

(c) comply with your obligations as Controller under Applicable Data Protection Laws;

(d) provide documented instructions for processing that comply with Applicable Data Protection Laws;

(e) be responsible for the accuracy, quality, and legality of Personal Data provided to TruOptim.

### 3.3 Processing Instructions

Your instructions for processing are set out in:

(a) this DPA;

(b) the Software Licence Agreement;

(c) your configuration and use of the Services; and

(d) any additional written instructions provided by you and accepted by TruOptim.
TruOptim shall immediately inform you if, in its opinion, an instruction infringes Applicable Data Protection Laws.

---

## 4. DATA SUBJECT RIGHTS

### 4.1 Data Subject Requests

TruOptim shall:

(a) promptly notify you if it receives a request from a Data Subject to exercise rights under Articles 15-22 UK GDPR (access, rectification, erasure, restriction, portability, objection);

(b) not respond to such requests directly except to confirm that the request relates to your use of the Services;

(c) provide reasonable assistance to enable you to respond to Data Subject requests, taking into account the nature of the processing.

### 4.2 Self-Service GDPR Features

The Services include self-service GDPR features allowing your users to:

(a) **Export their data** via the `/api/auth/gdpr/export` endpoint;

(b) **Request account deletion** (non-admin users) via the `/api/auth/gdpr/delete` endpoint.

These features are documented in ADR 005 (GDPR Data Subject Workflows).

### 4.3 Costs

TruOptim may charge reasonable fees for assistance with Data Subject requests beyond the self-service features, based on time and materials at TruOptim's then-current rates.

---

## 5. SECURITY

### 5.1 Technical and Organisational Measures

TruOptim shall implement and maintain the Technical and Organisational Measures described in **Schedule 2**, including:

(a) **Encryption**: TLS 1.3 for data in transit; AES-256-GCM for data at rest;

(b) **Access Controls**: Role-based access control (RBAC), multi-factor authentication options, principle of least privilege;

(c) **Audit Logging**: Security event logging with configurable retention (90 days security logs, 30 days MCP tool logs);

(d) **Vulnerability Management**: Regular security assessments, SAST/SCA scanning, container image scanning;

(e) **Incident Response**: Documented incident response procedures aligned with IEC 62443 and NIST SSDF.
### 5.2 Security Certifications

TruOptim maintains alignment with:

(a) IEC 62443 (Industrial Automation and Control Systems Security);

(b) NIST SSDF SP 800-218 (Secure Software Development Framework);

(c) OWASP ASVS (Application Security Verification Standard);

(d) SLSA (Supply Chain Levels for Software Artifacts).

### 5.3 Review and Updates

TruOptim shall regularly review and update security measures to ensure continued appropriateness, taking into account:

(a) the state of the art;

(b) the costs of implementation;

(c) the nature, scope, context, and purposes of processing;

(d) the risk to Data Subjects.

---

## 6. SUB-PROCESSORS

### 6.1 Authorised Sub-processors

You provide general authorisation for TruOptim to engage Sub-processors, subject to compliance with this Section 6. The current list of authorised Sub-processors is set out in **Schedule 3**.

### 6.2 Sub-processor Requirements

Before engaging a new Sub-processor, TruOptim shall:

(a) conduct appropriate due diligence to ensure the Sub-processor can provide the level of protection required by this DPA;

(b) enter into a written contract with the Sub-processor imposing data protection obligations no less protective than those in this DPA;

(c) remain fully liable to you for the Sub-processor's performance.

### 6.3 Notification of Changes

TruOptim shall:

(a) maintain an up-to-date list of Sub-processors at [https://truoptim.com/sub-processors](https://truoptim.com/sub-processors) or in Schedule 3 of this DPA;

(b) notify you of any intended additions or replacements of Sub-processors at least **30 days** before the change takes effect;

(c) provide you with reasonable opportunity to object to such changes.
### 6.4 Objection to Sub-processors

If you have reasonable grounds to object to a new Sub-processor based on data protection concerns:

(a) you shall notify TruOptim in writing within **14 days** of receiving notice of the change;

(b) TruOptim shall work in good faith to address your concerns;

(c) if the parties cannot resolve the objection, you may terminate the affected Services without penalty by providing written notice within **30 days**.

---

## 7. INTERNATIONAL DATA TRANSFERS

### 7.1 Transfer Restrictions

TruOptim shall not transfer Personal Data to a country outside the UK or EEA unless:

(a) the transfer is to a country subject to an adequacy decision; or

(b) appropriate safeguards are in place in accordance with Article 46 UK GDPR.

### 7.2 Transfer Mechanisms

For transfers to countries without adequacy decisions, TruOptim relies on:

(a) **UK International Data Transfer Agreement (UK IDTA)** for transfers from the UK;

(b) **EU Standard Contractual Clauses (2021/914)** with UK Addendum for transfers from the EEA;

(c) **EU-US Data Privacy Framework** where the recipient is certified (where applicable).

### 7.3 Sub-processor Transfers

TruOptim's Sub-processors may transfer Personal Data to the following jurisdictions:

| Sub-processor | Jurisdiction | Transfer Mechanism |
|---------------|--------------|-------------------|
| Microsoft Azure | UK, EEA, US | Adequacy + DPF + Microsoft DPA |
| Google (SMTP) | US | DPF + Google Cloud DPA |

### 7.4 Additional Safeguards

In addition to the above, TruOptim implements supplementary measures including:

(a) encryption of Personal Data in transit and at rest;

(b) pseudonymisation where technically feasible;

(c) access controls limiting who can access Personal Data.

---

## 8. PERSONAL DATA BREACH

### 8.1 Notification

TruOptim shall notify you of any Personal Data Breach **without undue delay** and in any event within **48 hours** of becoming aware of the breach.
### 8.2 Breach Information

The notification shall include, to the extent known:

(a) a description of the nature of the breach, including categories and approximate number of Data Subjects and records affected;

(b) the name and contact details of TruOptim's data protection contact;

(c) the likely consequences of the breach;

(d) measures taken or proposed to address the breach and mitigate adverse effects.

### 8.3 Assistance

TruOptim shall:

(a) cooperate with your investigation of the breach;

(b) take reasonable steps to mitigate the effects and prevent recurrence;

(c) assist you in complying with your notification obligations to supervisory authorities and Data Subjects under Articles 33-34;

(d) not notify any supervisory authority or Data Subject directly unless required by law or instructed by you.

### 8.4 Records

TruOptim shall maintain records of all Personal Data Breaches, including facts, effects, and remedial actions, regardless of whether notification to you was required.

---

## 9. DATA PROTECTION IMPACT ASSESSMENTS

### 9.1 Assistance with DPIAs

Where you are required to conduct a Data Protection Impact Assessment (DPIA) under Article 35, TruOptim shall provide reasonable assistance, including:

(a) information about processing operations, security measures, and data flows;

(b) technical documentation and risk assessments;

(c) consultation on privacy-by-design measures.

### 9.2 Prior Consultation

If prior consultation with a supervisory authority is required under Article 36, TruOptim shall cooperate and provide necessary information.

---

## 10. AUDIT RIGHTS

### 10.1 Information and Audit

TruOptim shall:

(a) make available to you all information necessary to demonstrate compliance with this DPA;

(b) allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.
### 10.2 Audit Conditions

Audits shall be subject to:

(a) reasonable advance notice (at least **30 days** except in case of regulatory requirement or suspected breach);

(b) confidentiality obligations;

(c) being conducted during normal business hours in a manner that minimises disruption;

(d) you bearing the costs of the audit (except where the audit reveals material non-compliance).

### 10.3 Third-Party Certifications

TruOptim may satisfy audit requirements by providing:

(a) relevant certifications, attestations, or audit reports (e.g., SOC 2, ISO 27001);

(b) responses to reasonable security questionnaires;

(c) evidence of compliance with security standards referenced in Section 5.2.

---

## 11. DURATION AND TERMINATION

### 11.1 Duration

This DPA shall remain in effect for the duration of TruOptim's processing of Personal Data under the Software Licence Agreement.

### 11.2 Effects of Termination

On termination or expiry of the Software Licence Agreement:

(a) TruOptim shall, at your written election, either:

  - return all Personal Data to you in a commonly used, machine-readable format; or
  - securely delete all Personal Data;

(b) deletion shall be completed within **90 days** of your election (or termination if no election is made);

(c) TruOptim may retain Personal Data to the extent required by Applicable Data Protection Laws, subject to continued compliance with this DPA.

### 11.3 Certification

On request, TruOptim shall certify in writing that Personal Data has been deleted in accordance with this Section 11.

---

## 12. LIABILITY

### 12.1 Liability Cap

TruOptim's total aggregate liability under or in connection with this DPA shall be subject to the liability limitations in the Software Licence Agreement.

### 12.2 Indemnification

Each party shall indemnify the other against any losses, damages, costs, and expenses arising from:

(a) that party's breach of this DPA;

(b) that party's breach of Applicable Data Protection Laws.
### 12.3 No Limitation for Intentional Breach

Nothing in this DPA limits liability for intentional misconduct or gross negligence.

---

## 13. GENERAL PROVISIONS

### 13.1 Governing Law

This DPA shall be governed by the laws of England and Wales.

### 13.2 Jurisdiction

The courts of England and Wales shall have exclusive jurisdiction over any dispute arising under this DPA.

### 13.3 Amendments

This DPA may only be amended by written agreement signed by both parties, except that TruOptim may update Schedules to reflect changes required by Applicable Data Protection Laws or to add Sub-processors in accordance with Section 6.

### 13.4 Severability

If any provision of this DPA is found invalid or unenforceable, the remaining provisions shall continue in full force and effect.

### 13.5 Entire Agreement

This DPA, together with the Software Licence Agreement and its schedules, constitutes the entire agreement between the parties regarding data processing.

### 13.6 Contact

For data protection queries:

**Data Protection Officer**
TruOptim Solutions Ltd
205 Regent Street, 4th Floor
London, England, W1B 4HB
United Kingdom
**Email:** dpo@truoptim.com

---

## SCHEDULE 1: PROCESSING DETAILS

### 1. Subject Matter and Duration of Processing

| Element | Description |
|---------|-------------|
| **Subject Matter** | Processing of Personal Data in connection with the provision of TruOptim Industrial AI Gateway software and related services |
| **Duration** | For the term of the Software Licence Agreement plus any retention period required by law or specified herein |

### 2. Nature and Purpose of Processing

| Processing Activity | Purpose | Lawful Basis (Controller) |
|--------------------|---------|---------------------------|
| **Lead Capture** | Collect contact details to provide ROI calculations, readiness assessments, quotes, and follow-up communications | Consent / Legitimate Interest |
| **Account Management** | Create and manage user accounts, authentication, and authorisation | Contract Performance |
| **Transactional Emails** | Send password reset links, trial notifications, welcome emails, and usage warnings | Contract Performance |
| **Support Services** | Process support requests and provide technical assistance | Contract Performance |
| **Audit Logging** | Record security events and user actions for compliance and security purposes | Legitimate Interest / Legal Obligation |
| **Billing Administration** | Process subscription and usage data for billing purposes | Contract Performance |

### 3. Types of Personal Data

| Category | Data Elements |
|----------|---------------|
| **Identity Data** | First name, last name, username, display name |
| **Contact Data** | Email address, recovery email, phone number (optional) |
| **Professional Data** | Job title/role, company/organisation name, industry sector |
| **Credential Data** | Hashed passwords (never stored in plain text) |
| **Technical Data** | IP addresses (redacted in logs), browser type, Azure subscription ID |
| **Usage Data** | Login timestamps, last activity, feature usage |
| **Audit Data** | Usernames in security logs, action timestamps, event types |

### 4. Categories of Data Subjects

| Category | Description |
|----------|-------------|
| **Prospective Customers** | Individuals who use TruOptim website tools (ROI Calculator, Readiness Assessment) |
| **Trial Users** | Individuals who sign up for free trials |
| **Licensed Users** | Employees of customer organisations who use the Software |
| **Administrators** | Customer personnel who configure and manage the Software |
| **Support Contacts** | Individuals who submit support requests |

### 5. Special Categories of Personal Data

**None.** TruOptim does not intentionally process special categories of Personal Data (Article 9 UK GDPR) or Personal Data relating to criminal convictions (Article 10 UK GDPR). If you configure the Services to process special category data, you are solely responsible for ensuring a lawful basis exists.

---

## SCHEDULE 2: TECHNICAL AND ORGANISATIONAL MEASURES

### 1. Encryption

| Measure | Implementation |
|---------|----------------|
| **Data in Transit** | TLS 1.3 minimum for all connections; HTTPS enforced |
| **Data at Rest** | AES-256-GCM encryption for sensitive state files (auth_state.json.enc, edge_claims.json.enc) |
| **Key Management** | Encryption keys derived from deployment-specific secrets; never hardcoded |

### 2. Access Controls

| Measure | Implementation |
|---------|----------------|
| **Authentication** | Username/password with secure hashing (bcrypt); OAuth 2.0/OIDC support; API key authentication |
| **Authorisation** | Role-Based Access Control (RBAC) with 5 default roles (admin, operator, analytics, read-only, pending-user) |
| **Least Privilege** | Tool-level and source-level permissions; sensitive tools require explicit grants |
| **Session Management** | JWT tokens with configurable expiry; refresh token rotation; token revocation |

### 3. Audit Logging

| Measure | Implementation |
|---------|----------------|
| **Security Events** | Login attempts, password changes, authentication failures, user management operations |
| **Retention** | Security logs: 90 days; MCP tool logs: 30 days (configurable) |
| **Integrity** | JSONL format with timestamps; log rotation |
| **Privacy** | Sensitive data redacted from logs; passwords never logged |

### 4. Vulnerability Management

| Measure | Implementation |
|---------|----------------|
| **Code Analysis** | SAST scanning in CI/CD pipeline |
| **Dependency Scanning** | SCA for third-party vulnerabilities |
| **Container Security** | Container image scanning; minimal base images |
| **Secrets Detection** | Automated secrets scanning; gitleaks integration |
| **Patch Management** | Critical vulnerabilities: ≤7 days; High: ≤14 days |

### 5. Infrastructure Security

| Measure | Implementation |
|---------|----------------|
| **Network Isolation** | Customer data remains in customer's Azure tenant |
| **Edge Security** | Edge gateways initiate outbound connections only; no inbound from cloud |
| **API Security** | Rate limiting; input validation; CORS configuration |

### 6. Organisational Measures

| Measure | Implementation |
|---------|----------------|
| **Staff Training** | Security awareness training for all staff |
| **Access Reviews** | Regular review of access permissions |
| **Incident Response** | Documented procedures aligned with IEC 62443 |
| **Business Continuity** | Disaster recovery procedures; backup and restore capabilities |

---

## SCHEDULE 3: AUTHORISED SUB-PROCESSORS

**Effective Date:** January 2025

| Sub-processor | Processing Activity | Location | Safeguards |
|---------------|---------------------|----------|------------|
| **Microsoft Corporation (Azure)** | Cloud infrastructure hosting; Azure Marketplace deployment | UK, EEA, US | Microsoft DPA; EU SCCs; DPF certified |
| **Google LLC (Workspace)** | SMTP email delivery for transactional emails | US | Google Cloud DPA; EU SCCs; DPF certified |

### Sub-processor Data Processing

| Sub-processor | Personal Data Processed |
|---------------|------------------------|
| **Microsoft Azure** | All Personal Data stored in cloud infrastructure (encrypted) |
| **Google Workspace** | Recipient email addresses for transactional emails |

### Updates to Sub-processor List

This list is maintained at:

- This DPA (Schedule 3)
- [https://truoptim.com/sub-processors](https://truoptim.com/sub-processors)

Changes will be notified in accordance with Section 6.3.

---

## SCHEDULE 4: STANDARD CONTRACTUAL CLAUSES

### UK Transfers

For transfers of Personal Data from the United Kingdom to countries without adequacy decisions, the parties agree to be bound by the **UK International Data Transfer Agreement (UK IDTA)** as issued by the Information Commissioner's Office.
The UK IDTA is incorporated by reference and available at: [https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/)

### EEA Transfers

For transfers of Personal Data from the European Economic Area to countries without adequacy decisions, the parties agree to be bound by the **EU Standard Contractual Clauses** (Commission Implementing Decision (EU) 2021/914) with the **UK Addendum**.

The EU SCCs are incorporated by reference and available at: [https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en](https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en)

### Module Selection

For the purposes of the SCCs:

- **Module Two** (Controller to Processor) applies where Customer is Controller and TruOptim is Processor
- **Clause 7** (Docking Clause): Not applicable
- **Clause 9** (Use of Sub-processors): Option 2 (General written authorisation) with 30-day notice period
- **Clause 11** (Redress): Optional clause not included
- **Clause 17** (Governing Law): Laws of England and Wales
- **Clause 18** (Choice of Forum): Courts of England and Wales

---

## SIGNATURE

This DPA is effective as of the date of execution of the Software Licence Agreement or, if executed separately, as of the date of the last signature below.
**TRUOPTIM SOLUTIONS LTD**

Signature: _________________________________

Name: _________________________________

Title: _________________________________

Date: _________________________________

**CUSTOMER**

Signature: _________________________________

Name: _________________________________

Title: _________________________________

Date: _________________________________

---

**Copyright © 2025 TruOptim Solutions Ltd. All rights reserved.**

*This Data Processing Agreement complies with GDPR Article 28 and UK data protection requirements.*