Data Processing Agreement
Effective date: January 1, 2026
This Data Processing Agreement ("DPA") is entered into between TrueCheck Inc. ("TrueCheck," "Processor") and the customer ("Controller") and supplements the Terms of Service. This DPA sets out the terms under which TrueCheck processes personal data on behalf of the Controller.
Definitions
In this DPA, "Controller" means the customer who determines the purposes and means of processing personal data; "Processor" means TrueCheck Inc., which processes personal data on behalf of the Controller; "Data Subject" means an identified or identifiable natural person whose personal data is processed; "Personal Data" means any information relating to a Data Subject; "Processing" means any operation performed on personal data; "Sub-processor" means any third party engaged by TrueCheck to process personal data; and "Applicable Data Protection Laws" means all laws and regulations relating to data protection, including the GDPR, UK GDPR, and CCPA.
Scope and Applicability
This DPA applies to the processing of personal data by TrueCheck on behalf of the Controller in connection with the provision of TrueCheck’s SMS verification API and related services. This DPA supplements and forms part of the Terms of Service between TrueCheck and the Controller. In the event of any conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.
Data Processing Details
TrueCheck processes personal data solely for the purpose of providing SMS verification services as instructed by the Controller. The categories of personal data processed include phone numbers, verification codes, IP addresses, and device identifiers. The categories of data subjects include the Controller’s end users who undergo phone verification. Processing activities include receiving verification requests, generating and sending OTP codes via SMS, validating submitted codes, and returning verification results to the Controller via API response.
Security Measures
TrueCheck implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: encryption of personal data in transit using TLS 1.3 and at rest using AES-256; pseudonymization of personal data where feasible; measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; regular testing, assessing, and evaluating the effectiveness of security measures; access controls and authentication mechanisms; employee security awareness training; and incident detection and response procedures. TrueCheck maintains SOC 2 Type II certification.
Sub-processors
TrueCheck may engage Sub-processors to assist in providing the Services, subject to the following conditions: TrueCheck will maintain an up-to-date list of Sub-processors on its website; TrueCheck will notify the Controller at least 30 days before engaging a new Sub-processor; the Controller may object to a new Sub-processor by providing written notice within 14 days of notification; TrueCheck will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA; and TrueCheck remains fully liable for the acts and omissions of its Sub-processors.
Data Subject Rights
TrueCheck will assist the Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing. TrueCheck will promptly notify the Controller upon receiving a request directly from a Data Subject and will not respond to such requests directly unless authorized by the Controller or required by law.
Data Breach Notification
TrueCheck will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification will include: a description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected; the name and contact details of TrueCheck’s data protection point of contact; a description of the likely consequences of the breach; and a description of the measures taken or proposed to address the breach and mitigate its effects.
Audits
TrueCheck will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller. Audits may be conducted no more than once per year, with at least 30 days’ prior written notice, and shall be conducted during normal business hours in a manner that minimizes disruption to TrueCheck’s operations. TrueCheck may satisfy audit requests by providing relevant SOC 2 Type II reports and certifications.
International Transfers
TrueCheck will not transfer personal data to a country outside the European Economic Area (EEA) unless appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, binding corporate rules, or an adequacy decision by the European Commission. Where Standard Contractual Clauses are used, they are hereby incorporated by reference into this DPA. TrueCheck offers data residency options allowing Controllers to specify the geographic region where their data is processed and stored.
Term and Termination
This DPA shall remain in effect for the duration of TrueCheck’s processing of personal data on behalf of the Controller. Upon termination of the Services, TrueCheck will, at the Controller’s election, return or delete all personal data processed on behalf of the Controller within 30 days, unless retention is required by applicable law. TrueCheck will provide written certification of deletion upon the Controller’s request.