Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you and Trueleveler. If you need this document in another language, please contact us at support@trueleveler.com.

Parties

This DPA is entered into between: the Customer (“Controller”) who has agreed to the Trueleveler Terms of Service, and Trueleveler (“Processor”), the operator of the AI procurement analysis platform at trueleveler.com.

This DPA is incorporated into and supplements the Trueleveler Terms of Service (“Agreement”). This DPA applies to the extent that Trueleveler processes Personal Data on behalf of the Customer in the course of providing the Service, as required by Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

Definitions

Unless otherwise defined herein, capitalised terms have the meanings given to them in the GDPR:

“Personal Data” means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
“Processing” means any operation performed on Personal Data, as defined in GDPR Article 4(2).
“Controller” means the Customer, who determines the purposes and means of Processing Personal Data.
“Processor” means Trueleveler, which processes Personal Data on behalf of the Controller.
“Sub-processor” means a third party engaged by the Processor to carry out specific Processing activities on behalf of the Controller.
“Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
“Service” means the Trueleveler platform, including all AI-powered procurement document analysis features.

Subject Matter & Duration of Processing

The Processor shall process Personal Data for the duration of the Agreement, unless otherwise agreed in writing. Processing shall commence on the date the Controller first uses the Service and shall continue until the Agreement is terminated or expires.

Upon termination, the Processor shall delete or return all Personal Data in accordance with Section 12 of this DPA.

Nature, Purpose, and Data Details

Nature and Purpose of Processing

Trueleveler provides AI-powered procurement document analysis for the construction industry. Processing activities include:

Receiving and analysing procurement documents (bids, contracts, RFQs, invoices, change orders) uploaded by the Controller’s authorised users
Transmitting document content to AI models for analysis (in-memory processing only; documents are never persisted to storage)
Storing analysis results, project metadata, and vendor records associated with the Controller’s account
Sending transactional emails (analysis results, account notifications) to the Controller’s users
Maintaining audit logs of platform activity for security and compliance purposes

Types of Personal Data Processed

Account data: Name, email address, company name, hashed password
Document content: Names, contact details, company information, and other personal data that may appear within procurement documents uploaded by the Controller. Document content is processed in memory only and is not stored after analysis.
Vendor contact data: Names, email addresses, phone numbers, and company affiliations of vendor contacts entered by the Controller
Usage and audit data: IP addresses, session timestamps, and activity logs

Categories of Data Subjects

Customer employees and authorised users: Individuals with accounts on the Trueleveler platform
Vendor contacts: Individuals whose contact information appears in procurement documents or is entered into the vendor database by the Controller
Third parties referenced in documents: Individuals whose names or contact details may incidentally appear in uploaded procurement documents

Obligations of the Processor

Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such disclosure.

The Controller’s instructions are documented in this DPA, the Agreement, and the Controller’s use of the Service features (e.g., uploading documents for analysis, configuring project settings).

Confidentiality

The Processor shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require such access to perform the Service.

Cooperation

Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights as laid down in GDPR Chapter III.

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of Processing and the information available to the Processor.

Security Measures

Trueleveler implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32.

Security measures include, but are not limited to:

Encryption in transit: All data is transmitted using TLS 1.3 encryption
In-memory document processing: Uploaded documents are processed entirely in server memory and are never written to persistent storage, databases, or log files
Row-level security (RLS): Supabase row-level security policies ensure that each user can only access their own data
Server-side API key management: AI analysis requests are proxied server-side; API keys are never exposed to the client browser
Access controls: Personnel access to production systems is limited to authorised individuals and follows the principle of least privilege
Authentication security: Passwords are stored as one-way hashes; authentication tokens are securely managed via Supabase Auth
Incident response: The Processor maintains an incident response procedure for detecting, reporting, and responding to security incidents

The Processor regularly reviews and updates these measures to address evolving threats and industry best practices.

Sub-processors

The Controller provides general authorisation for the Processor to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within 30 days of notification.

The Processor shall impose the same data protection obligations as set out in this DPA on any Sub-processor by way of a contract, in accordance with GDPR Article 28(4).

Current Sub-processors

The following table lists all third-party Sub-processors currently engaged by Trueleveler, their processing purposes, and locations. This list was last updated on March 28, 2026.

Sub-processor	Purpose	Location	Data processed
Vercel Inc.	Application hosting, serverless compute, edge network	United States (global edge)	HTTP requests, server-side function execution
Supabase Inc.	Database, authentication, storage infrastructure (hosted on AWS)	United States (AWS us-east-1)	Account data, session data, project data, vendor data, audit logs
Stripe Inc.	Payment processing, subscription billing	United States	Name, email, payment method tokens (Trueleveler does not store card numbers)
Google LLC (Gemini)	AI model inference for document analysis	United States	Document content in transit only; not stored or used for model training per API terms
Anthropic PBC (Claude)	AI model inference for document analysis	United States	Document content in transit only; not stored or used for model training per API terms
Resend Inc.	Transactional email delivery	United States	Recipient email addresses and email content. Retention: 30 days for deliverability
Sentry (Functional Software Inc.)	Error monitoring, performance tracking	United States	Error stack traces, browser metadata, IP addresses (anonymised)

The Processor will notify the Controller at least 30 days in advance of any changes to this Sub-processor list. An up-to-date list is also available upon request by emailing support@trueleveler.com.

Data Subject Rights

The Processor shall, to the extent legally permitted, promptly notify the Controller if the Processor receives a request from a Data Subject to exercise their rights under GDPR Chapter III (including access, rectification, erasure, restriction, portability, and objection).

The Processor shall not respond to such requests directly unless authorised by the Controller. The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests by providing:

Technical mechanisms for data export in machine-readable JSON format
Account deletion functionality that removes all Personal Data associated with a user
The ability to rectify account information through account settings

These self-service capabilities are available to the Controller’s authorised users directly through the Service.

International Data Transfers

The Processor may transfer Personal Data to countries outside the European Economic Area (“EEA”) and the United Kingdom in order to provide the Service. Such transfers are made to the United States, where the Processor’s Sub-processors are located.

For transfers to countries that have not received an adequacy decision from the European Commission or the UK Secretary of State, the Processor relies on the following transfer mechanisms:

Standard Contractual Clauses (SCCs): The Processor has entered into the European Commission’s Standard Contractual Clauses (Module 2: Controller to Processor) with its Sub-processors, as approved by Commission Implementing Decision (EU) 2021/914.
UK International Data Transfer Addendum: For transfers subject to UK GDPR, the Processor applies the UK Addendum to the EU SCCs as approved by the UK Information Commissioner’s Office.
Supplementary measures: In addition to SCCs, the Processor implements technical supplementary measures including encryption in transit (TLS 1.3) and in-memory-only document processing to minimise data exposure.

The Processor shall inform the Controller if it becomes aware that any transfer mechanism relied upon is invalidated or materially impacted by a change in law.

Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach, in accordance with GDPR Article 33.

The notification shall include, to the extent available:

A description of the nature of the Personal Data breach, including the categories and approximate number of Data Subjects and records concerned
The name and contact details of the Processor’s point of contact for further information
A description of the likely consequences of the breach
A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects

Where it is not possible to provide all information at the same time, the Processor shall provide the information in phases without further undue delay. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

Breach Response SLA

The Processor commits to the following breach response timeline:

Detection to triage: Within 4 hours of detection, the Processor will assess the scope and severity of the incident
Initial notification: Within 72 hours of becoming aware of a confirmed Personal Data breach, the Controller will receive written notification via email to the address on file
Follow-up report: Within 5 business days of the initial notification, the Processor will provide a detailed incident report including root-cause analysis, full scope assessment, and remediation actions taken or planned
Ongoing updates: The Processor will provide status updates every 48 hours until the incident is resolved

Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audit requests are subject to the following conditions:

The Controller shall provide at least 30 days’ written notice of an audit request
Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor’s business operations
The Controller shall bear its own costs associated with any audit
Audit findings and any information obtained shall be treated as confidential
The Processor may satisfy audit requests by providing relevant compliance documentation, certifications, or third-party audit reports (e.g., SOC 2 Type II when available)

Audit Scope and Frequency

The Controller may exercise audit rights as follows:

Documentation audit (annual): The Controller may request audit documentation once per calendar year. The Processor will make available information necessary to demonstrate compliance with the obligations set out in this DPA, including security policies, Sub-processor agreements, and data processing records.
On-site audit (by arrangement): The Controller or its mandated independent auditor may conduct an on-site inspection with at least 30 days’ written notice. On-site audits are limited to one per calendar year unless required by a supervisory authority or triggered by a confirmed data breach.
Supervisory authority audits: The Processor will cooperate with any audit or inspection by a data protection supervisory authority to the extent required by law.

The Processor shall respond to documentation audit requests within 15 business days. All audit-related communications should be directed to support@trueleveler.com.

The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection provisions.

Deletion & Return of Data

Upon termination or expiration of the Agreement, the Processor shall, at the Controller’s choice:

Delete all Personal Data processed on behalf of the Controller, including all copies, backups, and replicas, within 30 days of termination; or
Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (JSON) before deletion.

The Controller may request a data export at any time during the term of the Agreement through the Service’s built-in data export functionality or by contacting support@trueleveler.com.

The Processor shall certify in writing that all Personal Data has been deleted upon the Controller’s request. The Processor may retain Personal Data to the extent required by applicable law, provided that such retention is limited to the extent and duration required by the applicable legal obligation, and the Processor ensures the confidentiality of such data.

Term & Termination

This DPA shall remain in effect for the duration of the Agreement. The DPA shall automatically terminate when the Agreement terminates or expires, subject to the Processor’s obligations regarding deletion or return of Personal Data as described in Section 12.

Either party may terminate this DPA if:

The other party materially breaches its obligations under this DPA and fails to remedy the breach within 30 days of written notice
The other party becomes subject to insolvency proceedings or ceases to operate
A supervisory authority or court orders the termination of the Processing

Termination of this DPA shall not affect any rights or obligations that have accrued prior to termination, including the obligations regarding data deletion, breach notification, and confidentiality, which shall survive termination.

Contact

For questions or requests related to this Data Processing Agreement:

Privacy matters: support@trueleveler.com
Security matters: support@trueleveler.com
General enquiries: support@trueleveler.com

Trueleveler · trueleveler.com · Data Processing Agreement · Effective March 18, 2026 · Last updated March 28, 2026