How we process data on your behalf.
This Data Processing Addendum (DPA) forms part of the agreement between you (the controller) and TrueNext Global (the processor) and governs our processing of personal data when we deliver outsourcing services. It reflects the requirements of GDPR Article 28, the UK GDPR, and the Philippines Data Privacy Act.
Scope and roles
This DPA applies when TrueNext Global processes personal data on behalf of a client ("Customer") under a Master Services Agreement or Statement of Work. The Customer is the controller (or processor, where it acts on behalf of its own customers) and TrueNext Global is the processor (or sub-processor).
Where the Customer is itself a processor and TrueNext Global acts as sub-processor, references in this DPA to "controller" should be read as references to the relevant controller, and the Customer warrants it has authority to engage us on that controller's instructions.
Subject matter and duration
The subject matter, duration, nature, purpose, categories of data subjects, and categories of personal data are described in Annex 1 and in the applicable Statement of Work. Processing continues for the term of the engagement and any agreed wind-down period.
Processing on documented instructions
TrueNext Global will process personal data only on the Customer's documented instructions, including those set out in the agreement and any subsequent written instructions, except where required to do so by applicable law. If we believe an instruction infringes data protection law, we will inform the Customer without undue delay.
Confidentiality of personnel
We ensure that personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to those who need it to perform their duties.
Security measures
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The measures in place are summarized in Annex 2. We review and update these measures regularly to reflect the state of the art and the risks of processing.
Subprocessors
The Customer provides general authorization for TrueNext Global to engage subprocessors to assist in delivering the services. The current list of approved subprocessors is set out in Annex 3 and at truenextglobal.com/data-processing#annex-3.
We will notify the Customer at least 30 days before adding or replacing a subprocessor and give the Customer an opportunity to object on reasonable data protection grounds. We impose data protection terms on each subprocessor that are no less protective than those set out in this DPA.
Assistance with data subject rights
Taking into account the nature of processing, we assist the Customer with appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights under applicable law (access, rectification, erasure, restriction, portability, objection).
Personal data breaches
We notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Customer data. The notification includes the nature of the breach, the categories and approximate number of affected records, the likely consequences, and the measures taken or proposed to address it.
International transfers
We may process personal data from locations outside the Customer's region. Where personal data is transferred from the EEA, UK, or Switzerland to a country not covered by an adequacy decision, the parties incorporate the European Commission Standard Contractual Clauses (Module 2 or Module 3 as applicable) and the UK International Data Transfer Addendum into this DPA. The clauses are deemed completed with the details set out in the agreement and Annexes.
Audits and information
We make available to the Customer the information necessary to demonstrate compliance with the obligations laid down in applicable data protection law and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. To minimize disruption, audits will be conducted no more than once per calendar year (unless required by a regulator or following a breach), on at least 30 days' written notice, during business hours, and subject to confidentiality. Recent third-party reports (e.g. SOC 2 Type II where available) may be provided to satisfy audit requests.
Return or deletion
On termination or expiry of the agreement, at the Customer's choice, we will return or delete all personal data processed on its behalf and delete existing copies, unless applicable law requires storage of the personal data. Where deletion would be technically infeasible (for example, in routine backups), we will isolate and securely overwrite the data on a defined retention cycle.
Liability
Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the agreement. Nothing in this DPA limits any liability that cannot be limited under applicable law.
Annex 1 — Processing details
Categories of data subjects
- Customer's employees and contractors.
- Customer's end users, patients, leads, candidates, or customers (as applicable to the engagement).
- Other individuals whose data is provided by the Customer.
Categories of personal data
- Identity and contact details (name, email, phone, address).
- Employment or engagement data (role, employer, account credentials provisioned by the Customer).
- Service interaction data (ticket content, call recordings, chat transcripts).
- Industry-specific data, where included in the scope (e.g. PHI in a HIPAA-covered healthcare engagement, financial data in a finance engagement).
Special category data
Special category data (including health data) is processed only where the engagement expressly contemplates it and appropriate safeguards are in place.
Nature and purpose of processing
Delivery of the outsourcing services described in the SOW, including but not limited to: contact center operations, back office processing, technical support, content moderation, marketing operations, and executive assistance.
Duration
For the term of the SOW plus any agreed wind-down or retention period; thereafter as set out in section 11.
Annex 2 — Security measures
- Access control: least-privilege role-based access, mandatory MFA for staff systems, periodic access reviews, formal joiner-mover-leaver process.
- Encryption: TLS 1.2+ for data in transit; AES-256 (or equivalent) for sensitive data at rest in production data stores; encrypted laptops for staff handling personal data.
- Network security: segmented production networks, restricted egress, managed endpoints, centralized logging, monitored intrusion detection.
- Application security: secure SDLC, peer code review, dependency scanning, vulnerability scanning of production systems, time-bound remediation SLAs.
- Physical security: badge-controlled access to delivery floors, CCTV in shared areas, clean-desk policies, and prohibition of unauthorized recording devices in regulated engagements.
- Personnel: background checks (where lawful and with consent), confidentiality agreements, annual security and privacy training, attestation of training completion.
- Resilience: production backups with geo-redundancy, documented recovery objectives, periodic restore testing, and incident response runbooks.
- Governance: designated Data Protection Officer, data inventory, vendor risk reviews, and a documented incident response plan aligned with GDPR Article 33 timelines.
Annex 3 — Approved subprocessors
The following categories of subprocessors are currently engaged to deliver services. Specific vendors used for an engagement depend on the SOW; the current list is available on request and updated on this page.
- Cloud infrastructure: Amazon Web Services (United States, Asia Pacific regions).
- Productivity and email: Google Workspace (United States).
- Communications: Zoom, Slack (United States).
- Identity and security: identity provider and endpoint management vendors (United States).
- Customer-directed tools: any platform the Customer asks our staff to use to deliver the services (e.g. the Customer's helpdesk or CRM).
To request the current named list of subprocessors or subscribe to change notifications, email privacy@truenextglobal.com.