Data Processing Agreement
Effective: February 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between True North Technology ("Processor") and the customer ("Controller") who uses True North Mail ("the Service").
This DPA sets out the terms under which the Processor processes personal data on behalf of the Controller in connection with the Service, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Data Controller: The entity that determines the purposes and means of processing personal data (the customer)
- Data Processor: The entity that processes personal data on behalf of the controller (True North Technology)
- Data Subject: An identified or identifiable natural person whose personal data is processed
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion
- Sub-processor: A third party engaged by the processor to process personal data on behalf of the controller
3. Data Processing Details
Categories of Data Subjects
- End users of the Service (account holders)
- Email recipients and senders who communicate with end users
Types of Personal Data Processed
- Email content (message body, subject lines, attachments)
- Email metadata (sender, recipients, timestamps, message IDs)
- Contact information (names, email addresses)
- IP addresses and device information
- Account and authentication data
Purposes of Processing
- Email delivery, sending, and receiving
- AI-powered features (semantic search, smart compose, smart replies)
- Spam filtering and security
- Service analytics and performance monitoring
- Account management and billing
Duration of Processing
Personal data is processed for the duration of the service agreement. Upon termination, data is deleted within 30 days unless retention is required by law.
4. Obligations of the Processor
True North Technology, as the Data Processor, commits to:
- Process personal data only on documented instructions from the Controller
- Ensure that all personnel authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures, including encryption and access control
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
- Assist the Controller in ensuring compliance with breach notification obligations
- Delete or return all personal data upon termination of services, at the Controller's choice
- Make available all information necessary to demonstrate compliance and allow for audits
5. Sub-processors
The following sub-processors are authorized to process personal data in connection with the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and data storage | United States (us-east-1) |
| Clerk | User authentication and identity management | United States |
| Stripe | Payment processing and subscription management | United States |
| OpenAI | AI features (semantic search, email composition) | United States |
The Controller will be notified in advance of any changes to sub-processors and may object to such changes within 30 days.
6. International Transfers
Personal data may be transferred to and processed in the United States. For transfers of personal data from the European Economic Area, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions where applicable
- Additional supplementary measures to ensure adequate data protection
7. Data Subject Rights
True North Technology assists Controllers in fulfilling data subject requests, including:
- Right of access: Providing copies of personal data being processed
- Right to rectification: Correcting inaccurate or incomplete data
- Right to erasure: Deleting personal data upon valid request
- Right to portability: Exporting data in a structured, machine-readable format via our data export feature
- Right to restriction: Limiting processing activities as requested
- Right to object: Ceasing processing where the legal basis is legitimate interests
Data subjects can initiate export requests through the Service's built-in data export page.
8. Security Measures
The Processor implements the following technical and organizational measures:
- Encryption at rest: AES-256 encryption for all stored personal data
- Encryption in transit: TLS 1.3 for all data transmitted between services
- Access control: Role-based access control (RBAC) with the principle of least privilege
- Security audits: Regular security assessments and vulnerability scanning
- Incident response: Documented incident response procedures with defined escalation paths
- Employee training: Regular data protection and security awareness training
- Infrastructure: SOC 2 compliant hosting with AWS
9. Data Breach Notification
In the event of a personal data breach, True North Technology will:
- Notify the Controller without undue delay, and no later than 72 hours after becoming aware of the breach
- Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with the Controller in notifying the relevant supervisory authority and affected data subjects where required
- Document all breaches, including facts, effects, and remedial actions taken
10. Term and Termination
This DPA is effective for the duration of the service agreement between the Controller and the Processor.
Upon termination of the service agreement, the Processor will, at the Controller's election, delete or return all personal data within 30 days. The Processor may retain data where required by applicable law, subject to the confidentiality and security obligations of this DPA.
11. Contact
For inquiries regarding this Data Processing Agreement, contact us at dpa@truenorth.technology