This Data Processing Addendum (“DPA” or “Addendum”) forms a part of the Agreement under which Truffle provides the Services, and is entered into by and between Truffle and Customer. This DPA reflects the parties’ agreement with respect to the Processing of Personal Data submitted to the Services by Customers and is subject to all of the terms of the Agreement.
In the event of any conflict between the terms of this DPA and the terms of the Agreement with respect to the subject matter herein, this DPA will control. Any data processing agreements that may already exist between parties are superseded and replaced by this DPA in their entirety.
All capitalized terms not defined in this DPA will have the meaning given to them in other parts of the Agreement.
1. “Affiliates” means any entity that Controls, is Controlled by, or is under common control with a party, where “Control” means the ability to direct the management and policies of an entity.
2. “Agreement” means the Order Form or other signed ordering document, as applicable, between Truffle and Customer and the signed master subscription agreement (if any) for the purchase of the Services.
3. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
4. “Customer” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data. For purposes of this DPA, Customer is Customer and, where applicable, its Affiliates either permitted by Customer to submit Personal Data to the Services or whose Personal Data is Processed in the Services.
5. “Data Protection Laws” means all applicable laws and regulations regarding the Processing of Personal
6. “Data Subject” means an identified or identifiable natural person to whom Personal Data pertains.
7. “GDPR” means the European Union’s General Data Protection Regulation (2016/679).
8. “Instructions” means Customer’s documented data Processing instructions issued to Truffle in compliance with this DPA.
9. “Personal Data” means any Customer Data that is “personal data,” “personal information,” “personally identifiable information,” or an equivalent term, as defined by Data Protection Laws.
10. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
11. “Sub-Processor” means any legal person or entity engaged in the Processing of Personal Data by Truffle.
12. “Services” means the services ordered by Customer under an Order Form or otherwise provided by Truffle and used by Customer under the Agreement, and any required, usual, appropriate or acceptable activities relating to the Services, including without limitation to (a) carry out the Services or the business of which the Services are a part, (b) carry out any benefits, rights and obligations relating to the Services, and establish, exercise or defend legal claims in respect of the Agreement, (c) maintain records relating to the Services, and (d) comply with any legal or self-regulatory obligations relating to the Services.
13. “Standard Contractual Clauses” means the annex found in EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (available as of the Effective Date at http://data.europa.eu/eli/dec/2010/87/oj). Attached hereto are Appendices 1 and 2 to the Standard Contractual Clauses and such Appendices are hereby incorporated by reference to the Standard Contractual Clauses. The parties agree that Standard Contractual Clauses shall be governed by the law of a Member State where EU Data Protection Laws apply. As of December 27, 2022 “Standard Contractual Clauses” will instead mean the annex found in EU Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available as of the Effective Date at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) (“New Standard Contractual Clauses”) and the relevant Appendices will be posted to www.trufflesecurity.com/data-processing-agreement and are hereby incorporated by reference into the New Standard Contractual Clauses.
14. “Subscription Term” means the term of authorized use of the Services as set forth in the Order Form or other ordering document signed by Customer and Truffle.
2. SCOPE OF THE PROCESSING
1. COMMISSIONED PROCESSOR. Customer appoints Truffle to Process Personal Data described in Appendix 1 to the Standard Contractual Clauses on behalf of Customer to the extent necessary to provide the Services described in the Agreement and in accordance with the Instructions.
2. INSTRUCTIONS. The Agreement and this DPA constitute Customer’s complete written Instructions to Truffle for Processing of Personal Data.
3. NATURE, SCOPE AND PURPOSE OF THE PROCESSING. Truffle will only Process Personal Data in accordance with Customer’s Instructions, to the extent necessary for providing the Services, as described in the Agreement and this DPA.
4. DURATION OF THE PROCESSING. Truffle will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
5. CATEGORIES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS. Customer may submit Personal Data to the Services as Customer Data, the extent of which is determined and controlled by Customer in its sole discretion and is further described in Appendix 1 to the Standard Contractual Clauses.
3.1 COMPLIANCE WITH DATA PROTECTION LAWS. Customer will comply with all of its obligations under Data Protection Laws when Processing Personal Data.
3.2 SECURITY RISK ASSESSMENT. Customer agrees that in accordance with Data Protection Laws and before submitting any Personal Data to the Services, Customer will perform an appropriate risk assessment to determine whether the security measures within the Services provide an adequate level of security, taking into account the nature, scope, context and purposes of the processing, the risks associated with the Personal Data and the applicable Data Protection Laws. Truffle will provide Customer reasonable assistance by providing Customer with information requested by Customer to conduct Customer’s security risk assessment. Customer is solely responsible for determining the adequacy of the security measures within the Services in relation to the Personal Data Processed.
3.3 CUSTOMER’S AFFILIATES. The obligations of Truffle set forth herein will extend to Customer’s Affiliates to which Customer provides access to the Services or whose Personal Data is Processed within the Services, subject to the following conditions:
3.3.1. COMPLIANCE. Customer will at all times be liable for its Affiliates’ compliance with this DPA and all acts and omissions by a Customer Affiliate are considered acts and omissions of Customer; and
3.3.2. CLAIMS. Customer’s Affiliates will not bring a claim directly against Truffle. In the event a Customer Affiliate wishes to assert a valid legal action, suit, claim or proceeding against Truffle (a “Customer Affiliate Claim”): (a) Customer must bring such Customer Affiliate Claim directly against Truffle on behalf of such Customer Affiliate, unless Data Protection Laws require that Customer Affiliate be party to such Customer Affiliate Claim; and (b) all Customer Affiliate Claims will be considered claims made by Customer and are at all times subject to any aggregate limitation of liability set forth in the Agreement.
3.3.3. CUSTOMER AFFILIATE ORDERING. If a Customer Affiliate purchased a separate instance of the Services under the terms of the signed master agreement between Truffle and Customer, then such Customer Affiliate will be deemed a party to this DPA and will be treated as Customer under the terms of this DPA.
3.4 COMMUNICATION. Unless otherwise provided in this DPA, all requests, notices, cooperation, and communication, including Instructions issued or required under this DPA (collectively, “Communication”), must be in writing and between Customer and Truffle only and Customer will inform the applicable Customer Affiliate of any Communication from Truffle pursuant to this DPA. Customer will be solely responsible for ensuring that any Communications (including Instructions) it provides to Truffle relating to Personal Data for which a Customer Affiliate is Customer reflect the relevant Customer Affiliate’s intentions. Customer warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give Instructions on behalf of each relevant Customer Affiliate.
4.1 CUSTOMER’S INSTRUCTIONS. Truffle will have no liability for any harm or damages resulting from Truffle’s compliance with Instructions received from Customer. Where Truffle believes that compliance with Customer’s Instructions could result in a violation of Data Protection Laws or is not in the ordinary course of Truffle’s obligations in operating the Services, Truffle will promptly notify Customer thereof. Customer acknowledges that Truffle is reliant on Customer’s representations regarding the extent to which Customer is entitled to Process Personal Data.
4.2 TRUFFLE PERSONNEL. Access to Personal Data by Truffle will be limited to personnel who require such access to perform Truffle’s obligations under the Agreement and who are bound by obligations to maintain the confidentiality of such Personal Data at least as protective as those set forth herein and in the Agreement.
4.3 DATA SECURITY MEASURES. Without prejudice to Customer’s security risk assessment obligations under Section 3.2 (Security Risk Assessment) above, Truffle will maintain technical and organizational safeguards designed to protect the security, confidentiality and integrity of Personal Data contained therein as described in Appendix 2 to the Standard Contractual Clauses, and as may be further described in the Documentation. Such measures are designed to protect Personal Data from loss, alteration, unauthorized access, acquisition, use, disclosure, or accidental or unlawful destruction. Customer is solely responsible for consequences of Customer’s decision not to adopt updates or best practices that Truffle makes available to Customer.
4.4 DELETION OF PERSONAL DATA. Truffle will delete Personal Data from the Services and fully delete Personal Data from back-up systems within 60 days of the expiration or termination of the Agreement, or as described in the Agreement.
4.5 DATA PROTECTION IMPACT ASSESSMENTS (DPIA). Truffle will, on request, provide Customer with reasonable information required to fulfill Customer’s obligations under applicable Data Protection Laws to carry out data protection impact assessments or consult with relevant regulators.
4.6 DATA PROTECTION CONTACT. Truffle will maintain a dedicated data protection team to respond to data protection inquiries throughout the duration of this DPA and can be contacted at [email protected].
5. REQUESTS MADE FROM DATA SUBJECTS AND AUTHORITIES
5.1 REQUESTS FROM DATA SUBJECTS. During the Subscription Term, Truffle will provide Customer with the ability to access, correct, rectify, erase or block Personal Data, or to transfer or port such Personal Data, within the Services, as may be required under Data Protection Laws (collectively, “Data Subject Requests”).
5.2 RESPONSES. Customer will be solely responsible for responding to any Data Subject Requests, provided that Truffle will reasonably cooperate with the Customer to respond to Data Subject Requests to the extent Customer is unable to fulfill such Data Subject Requests using the functionality in the Services. Truffle will instruct the Data Subject to contact the Customer in the event Truffle receives a Data Subject Request directly.
5.3 REQUESTS FROM AUTHORITIES. In the case of a notice, audit, inquiry or investigation by a government body, data protection authority or law enforcement agency regarding the Processing of Personal Data, Truffle will promptly notify Customer unless prohibited by applicable law. Customer will keep records of the Personal Data Processed by Truffle, and will cooperate and provide all necessary information to Truffle in the event Truffle is required to produce such information to a data protection authority.
5.4 COOPERATION WITH SUPERVISORY AUTHORITIES. In accordance with Data Protection Laws, Customer and Truffle will cooperate, on request, with a supervisory authority in the performance of such supervisory authority’s task. Provided, however, that Truffle will not identify Customer as a Truffle customer to authorities unless Customer authorized such disclosure in writing.
6. BREACH NOTIFICATION
6.1 NOTIFICATION. Truffle will report to Customer any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data (“Breach”) that it becomes aware of without undue delay following determination by Truffle that a Breach has occurred.
6.2 REPORT. The initial report will be made to Customer’s security or privacy contact(s) designated by Customer via email to [email protected] (or if no such contact(s) are designated, to the primary contact designated by Customer). As information is collected or otherwise becomes available, Truffle will provide without undue delay any further information regarding the nature and consequences of the Breach to allow Customer to notify relevant parties, including affected Data Subjects, government agencies and data protection authorities in accordance with Data Protection Laws. The report will include the name and contact information of the Truffle contact from whom additional information may be obtained. Truffle will inform Customer of the measures that it will adopt to mitigate the cause of the Breach and to prevent future Breaches.
6.3 CUSTOMER OBLIGATIONS. Customer will cooperate with Truffle in maintaining accurate contact information by emailing [email protected] and by providing any information that is reasonably requested to resolve any security incident, including any Breaches, identify its root cause(s) and prevent a recurrence. Customer is solely responsible for determining whether to notify the relevant supervisory or regulatory authorities and impacted Data Subjects and for providing such notice.
7. CUSTOMER MONITORING RIGHTS
7.1 AUDIT. Solely for the purpose of meeting its audit requirements under Article 28, section 3(h) of the GDPR or its obligations under 5(f) and 12(2) of the Standard Contract Clauses, Customer may request an audit in writing. Truffle will then permit Customer or (or its appointed third-party auditors) to review Truffle’s SOC-2, Type II report or relevant security and compliance documentation, including but not limited to self-assessment questionnaires and security testing results. Truffle will also respond to any written audit questions submitted to it by Customer. Customer will be entitled to this information once in any twelve (12) calendar month period, except if and when required by the instruction of a competent data protection authority. Customer agrees that these reports and other documentation will be used as the primary and only mechanism to audit and inspect Truffle’s processing activities, unless Customer is required to perform an on-site audit by the applicable data protection authority, or if Truffle determines, in its sole discretion, that applicable Data Protection Laws require it to provide additional audit rights to Customers, in which case such audits must meet the following requirements:
7.2 Any audit must be requested with at least thirty (30) days prior notice and include a detailed audit plan that describes the proposed scope, duration, reimbursement rates, and start date of the audit which the parties must mutually agree upon prior to the commencement of an audit. Audit requests must be sent to [email protected].
- 7.3 The auditor must execute a written Truffle form nondisclosure agreement prior to conducting the audit.
- 7.4 The audit must be conducted during Truffle’s regular business hours, subject to Truffle’s policies, and
may not unreasonably interfere with Truffle’s business activities.
7.5 Customer will reimburse Truffle for any time expended at its then-current professional services rates, made available to Customer upon request. All reimbursement rates will be reasonable and take into account the resources expended by Truffle.
7.6 For all audits, Customer must promptly notify Truffle with information regarding any suspected or actual non-compliance revealed during an audit. Any information resulting or derived from any audit under this Section 7 including any analyses, notes, assessments or other materials in whatever form or media constitute Truffle Confidential Information subject to applicable protections defined in the Agreement.
7.7 Truffle reserves the right to refuse to provide Customer (or its representatives) with any information which would pose a security risk to Truffle or its customers, or which Truffle is prohibited to provide or disclose under applicable law or contractual obligation.
8.1 USE OF SUB-PROCESSORS. Truffle will not subcontract any processing of Personal Data to a Sub-Processor without the prior written consent of Customer. Notwithstanding this, Customer consents to Truffle engaging Sub-Processors to process the Personal Data provided that: (i) Truffle provides at least 7 days’ notice (unless in the event of an emergency situation in which case Truffle will provide notice as soon as possible) prior to the addition of any Sub-Processor (including details of the processing it performs or will perform), which may be given by posting details of such addition at the following URL: www.trufflesecurity.com/sub-processors; and (ii) Truffle imposes data protection terms on any Sub-Processor it appoints that protect the Personal Data to the same standard provided for by this DPA. Customers must sign up to receive notification of new potential Sub-Processors by emailing [email protected]. Customer specifically authorizes the engagement of Sub-Processors of those entities listed at www.trufflesecurity.com/sub-processors as of the Effective Date of this DPA and all other Truffle Affiliates from time to time. Customer may object to Truffle’s proposed use of a new Sub-Processor by notifying Truffle within seven (7) days after receipt of Truffle’s notice if Customer reasonably determines that such Sub-Processor is unable to Process Personal Data in accordance with the terms of this DPA (“Controller Objection Notice”). Truffle will notify Customer within thirty (30) days from receipt of the Controller Objection Notice if Truffle intends to provide the applicable Services with the use of the Sub-Processor at issue, and Customer may terminate the applicable Order Form(s) with respect to the Services that require use of the Sub-Processor at issue upon thirty (30) days’ written notice to Truffle, within forty-five (45) days of the date of Controller Objection Notice.
9. INTERNATIONAL DATA TRANSFERS
9.1 TRANSFERS. Customer agrees that Truffle may transfer Personal Data to jurisdictions in which its Affiliates, Sub-Processors or other third parties may be located, as reasonably necessary to perform the Services. Where Truffle determines that applicable Data Protection Laws require a data transfer mechanism to transfer Personal Data among jurisdictions, Truffle and Customer will cooperate in good faith in establishing such a mechanism to the extent the cross-border transfer is between Truffle and Customer.
9.2 STANDARD CONTRACTUAL CLAUSES. To the extent that Personal Data originating from the European Economic Area (EEA) will be processed in a territory which has not been designated by the European Commission as providing an adequate level of data protection or a territory that is not subject to a bilateral arrangement that provides a legal basis for Personal Data transfers and with which Truffle complies, both parties will comply with the obligations in the Standard Contractual Clauses (including its Appendices), which will form an integral part of this Addendum. In the event of any conflict between the Standard Contractual Clauses and this Addendum, the Standard Contractual Clauses shall control and supersede. Customer consent to Truffle’s Processing of Personal Data in the United States. If in Truffle’s opinion, the New Standard Contractual Clauses (or subsequent revisions or regulatory guidance related thereto) require changes to this DPA in order for Truffle to continue complying with the Data Protection Laws and the other terms of this DPA and the Agreement, the parties agree to negotiate such changes in good faith.
10. CCPA COMPLIANCE
10.1 NO CCPA SALE. The parties agree that for the purposes of the CCPA, Truffle acts as a CCPA Service Provider for Personal Data. Customer does not sell Personal Data to Truffle because Truffle will only use Customer Personal Data for the purposes specified in this DPA and the Agreement. Truffle will avoid any action that would cause Customer to be deemed to have sold Personal Data under the CCPA. “Service Provider” will have the meaning given to it under the CCPA.
11. GENERAL PROVISIONS
11.1 LIMITATION OF LIABILITY. Customer’s remedies with respect to any breach by Truffle of the terms of this DPA will be subject to any aggregate limitation of liability under the Agreement.
11.2 TERMINATION. This DPA will be effective as of the Agreement Effective Date and will terminate simultaneously and automatically with the termination of the Agreement. Notwithstanding the foregoing, Truffle will continue to secure Personal Data in accordance with the terms herein for so long as Truffle has access to such Personal Data.
11.3 WAIVERS AND MODIFICATIONS. A waiver of any right is only effective if it is in writing and only against the party who signed such writing and for the circumstances given. Any modification of this DPA must be in writing and signed by authorized representatives of both parties.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties. All capitalized terms not defined in this Appendix will have the meaning given to them in the DPA which references the Standard Contractual Clauses, including this Appendix 1.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is the Customer entering into the DPA.
Each data exporter wishes to appoint the data importer to provide it with data processing services. The role of the data importer, the nature of the data processing services it will provide, the categories of data that it will process, and the protections it will apply to protect those data are set out in these Clauses.
The data importer is (please specify briefly activities relevant to the transfer):
A service provider which processes personal data upon the instruction of the data exporter in accordance with the terms of the Agreement between data exporter and data importer relating to the provision of Services by data importer to data exporter.
The Personal Data transferred concern the following categories of data subjects (please specify):
Customer may submit Personal Data to the Services, the extent of which is solely determined by Customer, and may include Personal Data relating to end users of its Third-Party Services (which may include employees, contractors and/or vendors) as well as Authorized Users of the Services.
Categories of Personal Data
Customer may submit Personal Data to the Services, the extent of which is solely determined by Customer, and may include the following categories:
- business and personal contact details;
- professional life data and personal life data;
- user names and handles;
- and other Personal Data submitted to the Services.
Special Categories of Personal Data
Customer may submit Special Categories of Personal Data to the Services, the extent of which is solely determined by Customer in compliance with Data Protection Law, and may include the following categories, if any:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data or biometric data;
- health information; and
- sex life or sexual orientation.
Processing Operations The Personal Data transferred will be subject to the following basic processing activities: All activities necessary for the performance of the Agreement.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Truffle Security is founded and staffed by career security experts with specializations in application, infrastructure, and offensive security. Those experienced perspectives inform all of our products and platform features.
01 — Security-first development
TruffleHog is developed by a team entirely comprised of career security experts. Security is our passion and our primary concern. All features are developed with best practices in mind.
02 — Single sign-on
Authenticate with secure OAuth workflows for users and never worry about username and password breaches.
03 — Isolated environments
Each customer’s installation of TruffleHog is hosted in its own private environment with an isolated database instance, which is encrypted at rest.
04 — Your infra, or ours?
TruffleHog runs on nearly any system, so you can run from our secure and isolated hosts, or choose your own. With our on-premise offering, you can scan sources on your internal network, scan in-region to reduce bandwidth costs, and ensure your source credentials never leave your infrastructure with a local configuration.
05 — Randomly generated credentials
Every deployment of TruffleHog receives randomly generated and securely stored infrastructure credentials.
06 — No 3rd-party communication
There is never any external communication of analyzed or found data outside the TruffleHog instance.
07 — In-memory scanning
Scanning for secrets occurs in memory so that the scanned data is never persisted to storage.
08 — Secret references
Discovered secrets have a link to the location and platform where secrets are found rather than the secret itself. No found secrets are ever stored on TruffleHog.
09 — Automated deployments and updates
Deployments and updates are automatic and behind the scenes.