DATA PROCESSING ADDENDUM (DPA)

Last Updated: April 13, 2026

This Data Processing Addendum ("Addendum") forms part of the Terms of Service or other agreement between DNA SAAS LABS, LLC (t/a TrustNinja) ("Processor") and the entity agreeing to these terms ("Client" or "Controller") (together, the "Parties").

  1. DEFINITIONS
    1. "Data Protection Laws" means all laws applicable to the processing of Personal Data, including EU GDPR, UK GDPR, and CCPA/CPRA.
    2. "Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on behalf of Client.
    3. "Sub-processor" means any third party appointed by Processor to process Personal Data.
  2. SCOPE AND ROLE OF PARTIES
    1. Roles: Client is the Controller and TrustNinja is the Processor. In a white-label context, Client remains the Controller regarding its own customers' data.
    2. Instructions: Processor shall process Personal Data only on written instructions from Client for the purpose of providing feedback collection and rating services.
  3. DATA PROTECTION OBLIGATIONS
    1. Confidentiality: Processor ensures personnel have committed themselves to confidentiality.
    2. Security: Processor shall implement appropriate technical and organizational measures (Annex II).
    3. Data Subject Rights: Processor shall assist Client in fulfilling obligations to respond to individuals exercising their rights.
  4. SUB-PROCESSORS
    1. Authorization: Client grants a general authorization to Processor to engage Sub-processors (Annex III).
    2. Notification: Processor shall notify Client of any intended changes concerning Sub-processors via website or email.
    3. Liability: Processor remains fully liable for the performance of the Sub-processor's obligations.
  5. INTERNATIONAL TRANSFERS
      If Processor transfers Personal Data from the EEA or UK to a country without adequate protection, the Parties agree that the EU SCCs and/or the UK International Data Transfer Addendum are hereby incorporated by reference.
  6. BREACH NOTIFICATION
      Processor shall notify Client without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach.
  7. DELETION OR RETURN OF DATA
      Upon termination of the Services, Processor shall, at the choice of Client, delete or return all Personal Data, unless applicable law requires continued storage.
  8. CALIFORNIA SPECIFIC TERMS (CCPA/CPRA)
      Processor shall not sell Personal Data; nor retain, use, or disclose Personal Data for any purpose other than the specific business purpose of providing the Services.

ANNEX I: DETAILS OF PROCESSING

  • Subject Matter: Feedback collection, rating software, and dashboard management services.
  • Duration: Term of Agreement plus period until all data is deleted.
  • Categories of Data Subjects: Client's customers and Client's employees/staff members.
  • Categories of Personal Data: Names, email addresses, feedback ratings, technical data (IP, device info), and profile photos.

ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES

  • Encryption: Data encrypted at rest and in transit (SSL/TLS).
  • Access Control: "Need-to-know" access; use of multi-factor authentication (MFA).
  • Availability: Industry-standard backup and disaster recovery protocols.
  • Vulnerability Management: Regular software updates and security patching.

ANNEX III: APPROVED SUB-PROCESSORS

  • Google Cloud/APIs: Authentication & Data Import (USA/Global)
  • Microsoft Azure: Authentication & Data Import (USA/Global)
  • Stripe: Payment Processing (USA)
  • Mandrill/Mailchimp: Email Delivery (USA)
  • Outscraper: Review Aggregation (Global)
  • Tawk.to: Customer Support Chat (USA)