// data processing agreement

Data Processing Agreement

Last updated: April 12, 2026

1. Data Processing Agreement

This Data Processing Agreement (the "Data Processing Agreement"), published by truval.dev forms part of the Terms of Service between truval.dev and the Customer for the provision of the truval.dev Service and sets out the terms upon which truval.dev will process Relevant Personal Data on the Customer's behalf when providing the truval.dev Service and acting as a data processor.

During the course of providing the truval.dev Service, truval.dev may process Relevant Personal Data that is subject to Data Protection Laws. By using the truval.dev Service or entering into an Agreement with truval.dev, the Customer appoints truval.dev to process such Relevant Personal Data in accordance with this Data Processing Agreement.

2. Interpretation

In this Data Processing Agreement the definitions and rules of interpretation set out in the Terms of Service apply and, save where the context requires otherwise, the following words and expressions have the following meaning:

"Business Day" means a day other than a Saturday, Sunday or bank or public holiday in Portugal;
"Data Subject Request" means a request made by a data subject to exercise any rights of data subjects under Data Protection Laws relating to the Relevant Personal Data;
"EEA" means the European Economic Area;
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Relevant Personal Data transmitted, stored or otherwise processed by the Processor or any Sub-processor;
"Standard Contractual Clauses" means the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the EU GDPR as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any set of clauses approved by the European Commission which amends, replaces or supersedes these and, where UK GDPR applies, the UK ICO's International Data Transfer Addendum to the Standard Data Protection Clauses;
"Sub-processor" means any data processor (including any affiliate of truval.dev) appointed by truval.dev to process Relevant Personal Data on behalf of the Customer;
"Supervisory Authority" means any regulatory authority responsible for the enforcement of Data Protection Laws; and

3. Processing of Relevant Personal Data

Each party acknowledges and agrees that for the purposes of the Agreement and Data Protection Laws, the Customer shall be the controller and truval.dev the processor in respect of the Relevant Personal Data.

Each party confirms that in the performance of the Agreement it will comply with Data Protection Laws.

truval.dev shall only process the types of Relevant Personal Data relating to the categories of data subjects for the specific purposes in each case as set out in Annex 1 (Data Processing Information) to this Data Processing Agreement and shall not process the Relevant Personal Data other than in accordance with the Customer's documented instructions (whether in the Agreement or otherwise) unless processing is required by applicable law to which truval.dev is subject, in which case truval.dev shall, to the extent permitted by such law, inform the Customer of that legal requirement before processing that Relevant Personal Data.

truval.dev shall inform the Customer if, in its opinion, an instruction it receives from the Customer pursuant to the Agreement infringes the GDPR.

4. Customer warranty

The Customer warrants that it has all necessary rights to provide the Relevant Personal Data to truval.dev for the processing to be performed in relation to the truval.dev Service.

5. Supplier personnel

truval.dev shall treat all Relevant Personal Data as confidential and shall use reasonable efforts to inform all its relevant employees, contractors and/or any Sub-processors engaged in processing the Relevant Personal Data of the confidential nature of such Relevant Personal Data.

truval.dev shall take reasonable steps to ensure the reliability of any employee, contractor and/or any Sub-processor who may have access to the Relevant Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the Relevant Personal Data, as necessary for the purposes set out in Annex 1 (Data Processing Information) in the context of that person's or party's duties to truval.dev.

truval.dev shall ensure that all such persons or parties involved in the processing of Relevant Personal Data are subject to:

Confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
User authentication processes when accessing the Relevant Personal Data.

6. Security

truval.dev shall implement the technical and organisational measures set out in Annex 2 (Security Measures) to this Data Processing Agreement and the Customer acknowledges that such measures ensure a level of security of the Relevant Personal Data appropriate to the risks that are presented by the processing.

7. Sub-processing

The Customer hereby grants its general authorisation to the appointment of Sub-processors by truval.dev under the Agreement.

When truval.dev replaces any existing Sub-processor and/or appoints any new Sub-processor, truval.dev will use reasonable endeavours to notify the Customer of such changes to Sub-processor(s), and the Customer shall have the right to terminate the Agreement within 30 days after its receipt of such notification if it objects to the new Sub-processor(s).

The Customer's sole remedy if it does not agree to the replacement or appointment of a Sub-processor shall be to terminate the Agreement.

With respect to each Sub-processor, truval.dev shall:

Enter into a written contract with the Sub-processor which shall contain terms materially the same as those set out in this Data Processing Agreement;
Remain liable to the Customer for any failure by the Sub-processor to fulfil its obligations in relation to the processing of any Relevant Personal Data.

The current list of Sub-processors is published at https://truval.dev/legal/subprocessors/ and set out in Annex 3 to this Data Processing Agreement. truval.dev may update that list from time to time in accordance with this section; the web page will reflect the current list.

8. Data subject rights

truval.dev shall refer all Data Subject Requests it receives to the Customer without undue delay and, in any event, within 2 Business Days. The truval.dev Service will enable the Customer to access, rectify and restrict processing of the Relevant Personal Data, and to erase and export the Relevant Personal Data.

In the event that the Customer cannot fulfil any Data Subject Request itself using the means described in the first paragraph of section 8, truval.dev shall co-operate as reasonably requested by the Customer to enable the Customer to comply with any such request.

9. Incident management

In the case of a Personal Data Breach, truval.dev shall not later than 72 hours after having become aware of it notify the Personal Data Breach to the Customer providing the Customer with sufficient information which allows the Customer to meet any obligations to report a Personal Data Breach under Data Protection Laws.

10. Data protection impact assessments and prior consultation

truval.dev shall, at the Customer's request, provide reasonable assistance to the Customer with any data protection impact assessments which are required under applicable Data Protection Laws and with any prior consultations to any Supervisory Authority of the Customer or any of its affiliates which are required under Data Protection Laws, in each case in relation to processing of Relevant Personal Data by truval.dev on behalf of the Customer and taking into account the nature of the processing and information available to truval.dev.

11. Deletion or return of Relevant Personal Data

On cessation of processing of Relevant Personal Data by truval.dev, or termination of the Agreement, truval.dev shall permit Customer (at its option) to:

Extract a complete copy of all Relevant Personal Data by secure file transfer and securely wipe all other copies of the Relevant Personal Data processed by truval.dev or any Sub-processor unless required to retain such data in order to comply with applicable laws; or
Request truval.dev to delete the Relevant Personal Data (and procure that any Sub-processor does the same) unless required to retain such data in order to comply with applicable laws.

If the Customer fails to exercise its rights under the steps described above, truval.dev shall delete the Relevant Personal Data (and procure that any Sub-processor does the same) within 90 days following the termination of the Agreement, unless required to retain such data in order to comply with applicable laws.

12. Audit rights

truval.dev shall make available to the Customer on request all information reasonably necessary to demonstrate compliance with this Data Processing Agreement and Data Protection Laws and allow for and contribute to audits in accordance with truval.dev's or its Sub-processors' policies in place from time to time.

Prior to conducting any audit pursuant to the first paragraph of section 12, the Customer must submit an audit request to truval.dev and the Customer and truval.dev must agree the start date, scope and duration of and security and confidentiality controls applicable to any such audit.

truval.dev may (acting reasonably) object to the appointment by the Customer of an independent auditor to carry out an audit pursuant to the first paragraph of section 12 and, where this is the case, the Customer shall be required to appoint another auditor or conduct the audit itself.

13. International transfers of Relevant Personal Data

In the event that a transfer of Relevant Personal Data to truval.dev or any Sub-processor is reasonably considered to involve a transfer of Relevant Personal Data outside of the UK and/or the EEA to a country which is not recognised by the UK ICO or the European Commission (as the case may be) as having an adequate level of protection for personal data, truval.dev shall use reasonable endeavours to enter into Standard Contractual Clauses with the relevant Sub-processor for such transfer of Relevant Personal Data.

14. Costs

The Customer shall pay any reasonable costs and expenses incurred by truval.dev in meeting the Customer's requests made under sections 8, 10 and 12 of this Data Processing Agreement.

15. Liability

For the avoidance of doubt, each party's liability, taken together in the aggregate, arising out of or related to this Data Processing Agreement, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability contained within the Terms of Service, and any reference to the liability of a party means the aggregate liability of that party under the Agreement (including under this Data Processing Agreement) collectively.

16. Miscellaneous

16.1. Any obligation imposed on truval.dev under the Agreement in relation to the processing of Relevant Personal Data shall survive any termination or expiration of the Agreement.

16.2. In the event of inconsistencies between any provision of this Data Processing Agreement and the remainder of the Agreement, the provision of this Data Processing Agreement shall prevail with regard to the parties' obligations relating to the processing of the Relevant Personal Data.

Annex 1 — Data Processing Information

Subject matter — Provision of the truval.dev Service, including email verification and related APIs, account and API key management features, the developer dashboard, and related interfaces (such as MCP endpoints) made available to the Customer.

Duration — Processing continues for the Term of the Agreement and thereafter as described in section 11 of this Data Processing Agreement.

Nature and purpose of processing — truval.dev processes Relevant Personal Data on the Customer's documented instructions to provide the truval.dev Service. A core part of the Service is email verification: the Customer submits verification payloads (typically including email addresses), and truval.dev returns machine-readable results. That verification processing is designed so that those payloads are handled ephemerally (see Categories of personal data and Retention below). truval.dev also processes data to operate accounts, authentication, billing, and usage metering; maintain security and abuse prevention; provide support; and meet legal obligations.

Categories of data subjects

End users whose personal data (typically email addresses within verification payloads) the Customer submits to the truval.dev Service for verification;
The Customer's Users (for example account owners, billing contacts, and developers authorised to use the dashboard or APIs).

Categories of personal data (depending on use of the Service)

Verification payloads (ephemeral) — Email addresses and related inputs submitted for verification are processed in memory at the network edge to compute verification results. They are not stored at rest in truval.dev's databases as verification payload records. Outputs (such as validation outcomes) are returned to the Customer; persistence of those results on the Customer side is the Customer's responsibility.
Usage and technical data — API request metadata, timestamps, HTTP outcomes, identifiers such as API keys or account IDs where applicable, and redacted operational or usage log snapshots that strictly exclude the verified email address from verification calls.
Account data — Name, email, OAuth provider identifiers (for example GitHub, GitLab, or Google), profile metadata, billing contacts, tax identifiers, and limited payment method metadata from our payment processor (not full payment card numbers stored by truval.dev).

Retention — Verification payloads: not retained at rest in truval.dev's databases; processing is ephemeral as described above. Usage and technical records: retained as needed to operate the Service, subject to tier-based visibility in the dashboard (for example up to approximately 7 days for free tiers and up to approximately 90 days for certain paid tiers for concrete usage logs, subject to change as described in product documentation) and longer retention where required for security, abuse prevention, accounting, or law. Account and billing data: retained for the duration of the relationship and for a period afterwards where required for legal, tax, accounting, or security purposes.

Processing location — Primary application data is hosted in the European Union (for example Supabase in Frankfurt). Network edge processing (for example API delivery, caching, and security controls via Cloudflare) may occur globally. Sub-processors may process data in other jurisdictions in accordance with section 13.

Annex 2 — Security Measures

truval.dev implements technical and organisational measures appropriate to the nature of the processing, including in substance the following (as may evolve with improvements to the Service):

Transmission security — Use of encryption in transit (such as TLS) for data sent over public networks where applicable.
Access control — Logical access controls, authentication, and principle of least privilege for systems and personnel with access to production environments and Relevant Personal Data.
Confidentiality — Confidentiality commitments for personnel and contractors with access to Relevant Personal Data, consistent with section 5.
Availability and resilience — Measures to help ensure ongoing confidentiality, integrity, availability, and resilience of processing systems proportionate to the Service.
Backup and recovery — Backup and restoration procedures appropriate to the Service.
Incident management — Processes to detect, respond to, and report Personal Data Breaches in line with section 9.
Sub-processors — Written arrangements with Sub-processors requiring appropriate data protection and security obligations, as described in section 7 and Annex 3.

Annex 3 — Sub-processors

The following organisations act as Sub-processors for the truval.dev Service. Roles and locations are summarised for transparency; actual processing depends on the features you use. This list is maintained at https://truval.dev/legal/subprocessors/.

Sub-processor	Location (primary)	Role
Cloudflare, Inc.	United States / global edge	API gateway, edge compute, KV cache, network and security services.
Supabase, Inc.	Germany (EU)	Primary database, authentication backend for the developer dashboard, and related application data (infrastructure hosted on Amazon Web Services).
Hetzner Online GmbH	Germany (EU)	Infrastructure for asynchronous workloads (for example queue-backed processing).
Stripe Payments Europe, Limited	Ireland (EU) / global	Payment processing and billing (Stripe).
Plus Five Five, Inc.	United States	Transactional email delivery via the Resend service (for example account and operational notices).

The developer dashboard may also rely on Vercel, Inc. (United States) for hosting and privacy-oriented product analytics. truval.dev will update Annex 3 and the web page above if that arrangement changes in a way that materially affects how personal data is processed.

truval.dev may appoint or replace Sub-processors in accordance with section 7. The web page above will be updated to reflect material changes.