TruForms

Data processing addendum

Last updated 2026-05-26.

1. Parties and scope

This Data Processing Addendum (DPA) supplements the TruForms Terms of service and governs our processing of personal data submitted through your forms ("submitter data"). You are the controller of that data; TruenoTech (operating TruForms) is the processor. This DPA applies automatically to every TruForms account — no signature required.

2. Subject matter and duration

Subject matter: providing the TruForms service. Duration: for as long as you have an active TruForms account and for the period required to honour your plan's retention window after submissions are received. Nature: spam scoring, deduplication, email notification, integration fan-out, and storage.

3. Categories of data and data subjects

Categories: whatever fields you choose to include in your forms (typically name, email, message, optional file uploads), plus IP address, user-agent, and timestamp captured at submission. Data subjects: the visitors who submit your forms. You are responsible for ensuring you have a lawful basis to collect this data and for displaying any notices required in your jurisdiction.

4. Sub-processors

Current sub-processors: Razorpay (billing — account holder data only, no submitter data), Microsoft Graph (outbound email delivery), Cloudflare R2 (object storage for file uploads), and our infrastructure host. We will give at least 14 days' notice via the dashboard before adding a new sub-processor; you may terminate if you object in good faith.

5. Security measures

Encryption at rest (AES-256-GCM with per-instance keys), TLS 1.2+ in transit, Argon2id for credentials, opaque 32-byte session tokens stored as SHA-256 hashes, HMAC-signed webhooks with replay protection, rate limits, audit logging, and least-privilege access for our staff. Full list on the Security page.

6. Data subject requests

If a submitter contacts you exercising rights (access, rectification, erasure, portability, objection), you can fulfil them directly from the dashboard. If they contact us first, we will refer them to you and not respond on your behalf, except to confirm we are a processor. We will assist you with technical means to honour valid requests within a reasonable time.

7. Breach notification

We will notify you without undue delay — and in any case within 48 hours of confirmation — of a personal data breach affecting your submitter data, with whatever details we have at that point and ongoing updates as we investigate. The notification will go to the workspace owner's registered email.

8. International transfers

The default storage region is Mumbai (ap-south-1). EU-region storage is available on Business plans. For transfers outside the data subject's jurisdiction, we rely on Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework (where applicable), and equivalent safeguards.

9. Audit

We provide SOC-2-style controls documentation on request for Business-plan customers. Where a customer requires a physical audit, we will work in good faith to scope a reasonable engagement, with reasonable notice and at the customer's expense. The Security page is our standing public attestation.

10. Return and deletion

On termination of the underlying Terms, and at your written instruction, we will return or delete all submitter data within 30 days, except where applicable law requires longer retention. Backups expire on their normal rotation (no longer than 90 days).

11. Contact

DPA-related questions and data subject request escalations: [email protected].
