1. Purpose and how to execute
This Data Processing Agreement ("DPA") sets out the terms under which TrustDeck (the "Processor") processes personal data on behalf of the customer organisation (the "Controller") in the course of providing the Service described in the Terms of Service.
These terms apply to every workspace by default. If your procurement or compliance process requires a countersigned copy, request execution via the contact form and we will arrange signature.
2. Roles and scope
For personal data contained in workspace content — documents, folders, Q&A threads, member lists, diligence checklists, NDA templates and acceptances — the customer is the Controller and TrustDeck is the Processor. This DPA does not cover data for which TrustDeck is itself the controller (account, billing, and website data), which is governed by the Privacy Policy.
3. Details of processing
- Subject matter — provision of virtual data room services.
- Duration — the subscription term, plus the post-termination retention periods described below.
- Nature and purpose — hosting, storage, transmission, access control, watermarking, audit logging, and display of Controller content to authorised users.
- Categories of data subjects — the Controller’s personnel, advisors, and the external counterparties it invites (lenders, investors, bidders, auditors).
- Categories of personal data — names, business contact details, IP addresses, user agents, access records, NDA acceptance records, and any personal data the Controller includes in uploaded documents.
- Special categories — the Service is not designed for special-category data; the Controller is responsible for what it uploads.
4. Processor obligations
TrustDeck will:
- Process personal data only on the Controller’s documented instructions — given through the Service’s controls and configuration — unless the law requires otherwise, in which case we inform the Controller before processing where permitted.
- Ensure persons authorised to process the data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures, as described on the security page: database-level workspace isolation, multi-factor authentication, encryption in transit and at rest, short-lived signed URLs, server-side watermarking, and append-only audit logging.
- Notify the Controller without undue delay after becoming aware of a personal data breach affecting its data, with the information needed to meet the Controller’s own notification obligations.
- Assist the Controller, taking into account the nature of processing, with data subject requests and with data protection impact assessments and consultations.
- Make available the information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits — starting with documentation and, for Enterprise customers, audit and penetration-test reports under NDA.
- At the end of the Service, delete or return personal data at the Controller’s choice — the 48-hour export applies — subject to the evidentiary retention below and any legal retention duties.
5. Audit and acceptance evidence
Audit logs and NDA acceptance records are append-only by design and exist to give the Controller tamper-evident evidence. They are retained for the life of the workspace plus up to 7 years after termination, then deleted. The Controller instructs this retention by using the Service; where the Controller requires earlier deletion and the law permits it, we will work with the Controller to give effect to that instruction.
6. Sub-processors
The Controller grants general authorisation for the sub-processors that operate the Service, in these categories:
- Cloud database, authentication, and hosting infrastructure
- Object storage for documents
- Transactional email delivery
- Error and performance monitoring
- Background job scheduling
- Payment processing
The current list — names and processing regions — is available on request. We give notice of intended sub-processor changes, and the Controller may object on reasonable data-protection grounds; if we cannot resolve the objection, the Controller may terminate the affected services and receive a pro-rata refund of prepaid fees. Each sub-processor is bound by data-protection obligations no less protective than this DPA.
7. International transfers
Workspace content is hosted in the EU (Ireland) by default, with alternative residency options on the Enterprise tier. Where processing involves a transfer of personal data to a country without an adequacy decision, the transfer is protected by appropriate safeguards such as the European Commission’s standard contractual clauses or equivalent mechanisms.
8. Liability and precedence
Liability under this DPA is subject to the limitations in the Terms of Service. If this DPA conflicts with the Terms on a data-protection matter, this DPA prevails. An executed copy of this DPA, or an Enterprise agreement, prevails over the published version where they differ.