TrustSafe
LegalData Processing Addendum

Data Processing Addendum

Last updated: June 1, 2025

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Terms") between TrustSafeMod ("Processor" or "we") and the customer using our Services ("Controller" or "you") and governs the processing of personal data in accordance with applicable data protection laws.

Terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not defined herein shall have the meaning given to them in the Terms. In case of conflict between the Terms and this DPA, the provisions of this DPA shall prevail.

2. Definitions

The terms "controller", "processor", "data subject", "personal data", "processing", "appropriate technical and organizational measures", "personal data breach" shall have the meanings given to them in applicable Data Protection Laws, including the General Data Protection Regulation (GDPR).

"Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, and the United Kingdom, applicable to the processing of Personal Data under the Terms.

"Services" means the DSA compliance toolkit and related services provided by TrustSafeMod to the Controller as described in the Terms.

3. Processing of Personal Data

3.1 Roles of the Parties

The parties acknowledge and agree that with regard to the processing of Personal Data, the Controller is the controller and TrustSafeMod is the processor.

3.2 Controller's Processing of Personal Data

The Controller shall, in its use of the Services, process Personal Data in accordance with the requirements of Data Protection Laws. The Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Controller acquired Personal Data.

3.3 TrustSafeMod's Processing of Personal Data

TrustSafeMod shall treat Personal Data as confidential and shall only process Personal Data on behalf of the Controller and in accordance with the Controller's documented instructions for the following purposes:

  • Processing in accordance with the Terms and this DPA
  • Processing initiated by users in their use of the Services
  • Processing to comply with other documented reasonable instructions provided by the Controller where such instructions are consistent with the Terms

4. Scope of Processing

4.1 Subject Matter

The subject matter of the processing under this DPA is the Personal Data.

4.2 Duration

The duration of the processing under this DPA is until the termination of the Terms in accordance with its terms.

4.3 Nature and Purpose

The nature and purpose of the processing under this DPA is the provision of the Services to the Controller as specified in the Terms, particularly to facilitate DSA compliance, content moderation, and related reporting requirements.

4.4 Types of Personal Data

The types of Personal Data processed under this DPA may include, but are not limited to:

  • Identification and contact data (e.g., name, email address, IP address)
  • Content data (e.g., flagged content, reported content)
  • Moderation decisions and related data
  • User account information
  • Platform usage data

4.5 Categories of Data Subjects

The categories of Data Subjects to whom the Personal Data relates may include, but are not limited to:

  • Controller's end users
  • Controller's employees and contractors
  • Individuals whose content is processed through the Services
  • Individuals who are the subject of processed content

5. Data Subject Rights

TrustSafeMod shall, to the extent legally permitted, promptly notify Controller if TrustSafeMod receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of processing, erasure, data portability, object to the processing, or its right not to be subject to an automated individual decision making ("Data Subject Request").

Taking into account the nature of the processing, TrustSafeMod shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Controller's obligation to respond to a Data Subject Request under Data Protection Laws.

To the extent Controller, in its use of the Services, does not have the ability to address a Data Subject Request, TrustSafeMod shall, upon Controller's request, provide commercially reasonable efforts to assist Controller in responding to such Data Subject Request, to the extent TrustSafeMod is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws.

6. TrustSafeMod Personnel

TrustSafeMod shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements.

TrustSafeMod shall take commercially reasonable steps to ensure the reliability of any TrustSafeMod personnel engaged in the processing of Personal Data.

TrustSafeMod shall ensure that TrustSafeMod's access to Personal Data is limited to those personnel performing Services in accordance with the Terms.

7. Security

TrustSafeMod shall maintain appropriate technical and organizational measures for protection of the security, confidentiality, and integrity of Personal Data. TrustSafeMod regularly monitors compliance with these measures.

TrustSafeMod's security measures are subject to technical progress and development. TrustSafeMod may update or modify the security measures provided that such updates and modifications do not result in the degradation of the overall security of the Services.

8. Sub-processors

Controller acknowledges and agrees that TrustSafeMod may engage third-party Sub-processors in connection with the provision of the Services. TrustSafeMod has entered into a written agreement with each Sub-processor containing data protection obligations no less protective than those in this DPA with respect to the protection of Controller Data to the extent applicable to the nature of the Services provided by such Sub-processor.

TrustSafeMod shall make available to Controller a current list of Sub-processors for the Services. TrustSafeMod shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to process Personal Data in connection with the provision of the Services.

Controller may object to TrustSafeMod's use of a new Sub-processor by notifying TrustSafeMod promptly in writing within ten (10) business days after receipt of TrustSafeMod's notice. In the event Controller objects to a new Sub-processor, TrustSafeMod will use reasonable efforts to make available to Controller a change in the Services or recommend a commercially reasonable change to Controller's configuration or use of the Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Controller.

9. Data Transfers

TrustSafeMod may process Personal Data in countries outside the European Economic Area (EEA) or Switzerland. Where such processing involves a transfer of Personal Data that is subject to Data Protection Laws, the parties shall ensure that such transfers are conducted in accordance with Data Protection Laws, which may include:

  • Transfers to countries that have been deemed to provide an adequate level of protection by the European Commission;
  • Transfers pursuant to the EU-US and Swiss-US Privacy Shield Framework;
  • Transfers subject to appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Data Breach Notification

TrustSafeMod shall notify Controller without undue delay upon TrustSafeMod becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller. TrustSafeMod shall provide Controller with sufficient information to allow Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws.

Such notification shall at minimum:

  • Describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
  • Communicate the name and contact details of TrustSafeMod's data protection officer or other relevant contact from whom more information may be obtained;
  • Describe the likely consequences of the Personal Data Breach;
  • Describe the measures taken or proposed to be taken to address the Personal Data Breach.

11. Return and Deletion of Data

Upon termination of the Services, TrustSafeMod shall, at the choice of Controller, delete or return all Personal Data to Controller, and delete existing copies unless applicable law requires storage of the Personal Data.

12. Audit Rights

TrustSafeMod shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.

Any audit shall be subject to the following conditions:

  • Controller shall provide TrustSafeMod with at least 30 days' prior written notice of any audit;
  • Audits shall be conducted during normal business hours, not more than once per year;
  • Controller shall bear the costs of any audit unless such audit reveals a material breach by TrustSafeMod of this DPA, in which case TrustSafeMod shall bear its own expenses of such audit;
  • Controller shall use a mutually agreeable third-party auditor and both parties shall execute appropriate confidentiality provisions with the auditor.

13. General Terms

13.1 Entire Agreement; Order of Precedence

This DPA forms an integral part of the Terms. With respect to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Terms, the provisions of this DPA shall prevail.

13.2 Changes

If any variation to this DPA is required due to a change in Data Protection Laws, then either party may provide written notice to the other party of that change. The parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable.

13.3 Liability

Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability section of the Terms.

14. Contact Information

For questions or concerns regarding this Data Processing Addendum, please contact:

TrustSafeMod Data Protection Officer
Email: dpo@trustsafemod.com