Data Processing Agreement (DPA)
Last Updated: 01/14/2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Truevail (“Processor”) and the Client (“Controller”) and governs the processing of personal data in connection with the Client’s use of Truevail’s services (the “Services”).
Capitalized terms not defined in this DPA have the meanings set forth in the Terms of Use.
1. Roles of the Parties
The Client acts as the Data Controller and determines the purposes and means of processing personal data.
Truevail acts as the Data Processor and processes personal data solely on documented instructions from the Client, including as necessary to provide the Services.
2. Scope of Processing
Truevail processes personal data solely to provide the Services requested by the Client, including but not limited to:
- Email marketing campaigns
- Social media scheduling and publishing
- Website hosting and management
- Analytics and reporting
- Customer support and troubleshooting
3. Types of Personal Data
Personal data processed may include:
- Names
- Email addresses
- Business contact information
- Marketing content
- Campaign performance data
- Website interaction data
Truevail does not require or intend to process sensitive personal data unless expressly provided by the Client.
4. Client Responsibilities
The Client confirms that:
- They have the legal right to collect and use the personal data they upload
- Their contact lists are obtained lawfully
- They are responsible for notices and consent required under applicable law
5. Authorized Access by Truevail Personnel
Authorized Truevail personnel may access Client accounts solely as necessary to provide the Services, including for:
- Account setup
- Data formatting and list uploads
- Technical support
- Troubleshooting and service improvement
All access is subject to confidentiality obligations and limited to what is reasonably necessary.
6. Data Retention and Deletion
Client data is retained following account cancellation to allow account reactivation and continuity of service.
The Client may request deletion of its data at any time. Upon a verified deletion request, Truevail will delete or anonymize the Client’s personal data within thirty (30) days, unless retention is required by applicable law.
7. Security Measures
Truevail implements reasonable administrative, technical, and organizational measures to protect personal data, including:
- Encrypted data transmission (HTTPS)
- Access controls and permission management
- Secure infrastructure hosted in the United States
- Vendor and sub-processor security reviews
8. Sub-Processors
Truevail may engage sub-processors to perform services. A current list of sub-processors is available at: https://truevail.com/subprocessors/
Truevail remains responsible for its sub-processors’ compliance with this DPA.
9. Data Subject Rights
Taking into account the nature of the processing, Truevail will assist the Client, where reasonably possible, in responding to requests from data subjects to exercise their rights, including:
- Data access
- Data correction
- Data deletion
- Data portability
10. Personal Data Breach
In the event of a personal data breach affecting Client data, Truevail will:
- Investigate the incident promptly
- Notify affected Client without undue delay
- Provide information reasonably necessary for the Client to comply with applicable legal obligations
11. Compliance with Laws
This DPA is intended to comply with applicable data protection laws, including GDPR, UK GDPR, and U.S. state privacy laws where applicable.