GDPR Data Processing Agreement
Last updated: September 24, 2025
IMPORTANT NOTICE: This German version constitutes the legally binding document. The English version serves only as a reference. In case of conflicts between versions, the German version takes precedence.
German Version: DSGVO-Datenverarbeitungsvereinbarung
Introduction
Related Documents:
- Terms of Service - Regulates the overall relationship between the parties
- Privacy Policy - Covers direct customers and controller activities
This Data Processing Agreement ("DPA") is part of the Terms of Service between:
Data Controller: You (the customer using Trusted Accounts services)
Data Processor: Trusted Accounts SW FlexCo, Vorarlberger Wirtschaftspark 1, 6840 Götzis, Austria
Company Details:
- Legal Form: Flexible Company (FlexCo / Flexible Kapitalgesellschaft)
- Registered Office: Götzis, Austria
- Business Address: Vorarlberger Wirtschaftspark 1, 6840 Götzis, Austria
About Trusted Accounts SW FlexCo: Trusted Accounts SW FlexCo is a Flexible Company (FlexCo) registered in Austria under Austrian corporate law. As a Flexible Company, Trusted Accounts SW FlexCo operates under the Austrian legal framework while maintaining the flexibility to adapt its corporate structure to meet business needs. The registered office of Trusted Accounts SW FlexCo is located in Götzis, Austria, and Trusted Accounts SW FlexCo conducts its business operations from its facilities at Vorarlberger Wirtschaftspark 1, 6840 Götzis, Austria.
This DPA ensures compliance with the General Data Protection Regulation (GDPR) and related EU data protection laws.
1. Definitions
"GDPR" means Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data.
"Data Protection Laws" means all applicable data protection and privacy legislation in force from time to time, including the GDPR, national implementing laws, and any amendments or replacements thereof.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Supervisory Authority" means an independent public authority responsible for monitoring the application of Data Protection Laws.
"Data Controller" within the meaning of Art. 4(7) GDPR means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Data Processor" within the meaning of Art. 4(8) GDPR means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
"Trusted Accounts" means Trusted Accounts SW FlexCo.
"Affiliate" means any entity that directly or indirectly owns, is owned by, or is under common ownership with another entity, where ownership represents a controlling interest of fifty percent (50%) or more of the voting power or equity interests.
"Authorized Affiliate" means any customer affiliate that is permitted to use the services or otherwise benefit from the services under the agreement, subject to the conditions set forth therein.
"Control" means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise, including but not limited to the possession of fifty percent (50%) or more of the voting power or equity interests of such entity.
"Security Incident" means any unauthorized or unlawful security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
"Standard Contractual Clauses" means the contractual clauses adopted by the European Commission for the transfer of Personal Data to third countries, as set out in Commission Implementing Decision (EU) 2021/914, including the relevant modules for Controller-to-Processor and Controller-to-Controller transfers, as applicable to the specific data transfer scenario.
2. Scope and Applicability of this DPA
2.1 Scope and Applicability This DPA governs the processing of Personal Data by Trusted Accounts SW FlexCo (the "Processor") on behalf of the customer (the "Controller") in connection with the provision of Trusted Accounts' services, where such Personal Data is subject to EU data protection law, UK data protection law or Swiss data protection laws. The parties acknowledge and agree to comply with all terms set forth in this DPA regarding such processing activities for Personal Data.
2.2 Role of the Parties The parties confirm and acknowledge that in the context of this DPA, the customer shall act as Controller for Personal Data, while Trusted Accounts processes Personal Data exclusively in the capacity of a Processor on behalf of the customer. This agreement therefore does not apply in circumstances where Trusted Accounts may act as Controller for its own legitimate business purposes, which shall be clearly communicated to the customer in advance.
2.3 Customer Obligations The customer acknowledges and agrees to fulfill its obligations as Controller under applicable data protection laws regarding the processing of Personal Data. Furthermore, the customer ensures that all processing instructions given to Trusted Accounts regarding processing activities for Personal Data comply with the relevant provisions of applicable data protection laws and are consistent with the purposes for which the Personal Data was originally collected.
3. Subject Matter and Duration
3.1 Subject Matter This DPA governs the processing of Personal Data by Trusted Accounts on behalf of the Controller in connection with the provision of our services.
3.2 Duration This DPA remains in effect for the duration of the service agreement and until all Personal Data has been returned or deleted.
4. Nature and Purpose of Processing
4.1 Processing Activities Trusted Accounts processes Personal Data for the following purposes: (i) processing that is necessary for the provision of services in accordance with the agreement; and (ii) processing that is necessary for taking steps that are essential for the performance of the agreement, in each case, unless such processing is required by applicable law in the United Kingdom, Switzerland, the European Union or any of its member states to which Trusted Accounts is subject. This includes in particular:
Service Provision: Provision of our comprehensive suite of security and verification services, including but not limited to Trusted Captcha, Trusted SDK, Trusted Verify, Developer Console and other related services offered by Trusted Accounts, in accordance with the agreement and all applicable Statements of Work or Service Level Agreements.
Security & Fraud Prevention: Implementation of comprehensive security measures to detect and prevent abuse, fraud and security threats, including but not limited to bot detection, monitoring of suspicious activities and threat analysis.
Performance Monitoring: Ensuring optimal service availability and performance through continuous monitoring, analysis and system optimization while maintaining data protection standards.
Support & Maintenance: Provision of technical support, troubleshooting assistance and service maintenance activities required for the continued operation and improvement of our services.
Compliance: Fulfillment of legal and regulatory obligations, including data protection requirements, audit requests and regulatory reporting, as required by applicable law.
4.2 Processing Categories Trusted Accounts processes the following categories of Personal Data in accordance with the documented instructions of the Controller:
5. Types of Personal Data and Categories of Data Subjects
5.1 Types of Personal Data Trusted Accounts processes on behalf of our customers (Processor role) exclusively the following types of Personal Data for bot protection and security detection:
Technical Device Data (for Bot Detection): Browser type and version, device type (Desktop, Mobile, Tablet), operating system and version, screen resolution and color depth, device IDs (anonymized).
Connection Data (for Threat Analysis): IP address (where possible anonymized), geographic location (country level only).
Interaction Data (for Human vs. Bot Detection): Mouse movements and clicks, keyboard patterns and speed, scroll behavior, time between actions, touch gestures (on mobile devices).
Session Data (for Security Tracking): Temporary session IDs, security tokens, timestamps of interactions, service response times.
Verification Data (only for Trusted Verify): Email addresses and phone numbers used exclusively for identity verification and security purposes.
What we do NOT collect for end users:
- Personal names (except for Trusted Verify)
- Financial information or payment details
- Location data beyond country level
- Data for user identification (except for verification)
- Data for profiling or tracking
- Data for marketing or advertising purposes
5.2 Categories of Data Subjects Trusted Accounts' services process on behalf of our customers (Processor role) data of the following categories of Data Subjects:
End Users: Persons who use platforms that use our services, whose data is processed in accordance with the instructions of the Controller and applicable data protection policies.
Note: Platform administrators, billing and support contacts who are direct customers of Trusted Accounts are covered by our Privacy Policy, as we act as Data Controller in this case.
5.3 Minimal Data Approach for End Users (Processor Role)
Security Focus: Trusted Accounts collects only the data necessary to distinguish genuine users from threats.
Specific Data Categories for End Users:
- Technical Device Data (for Bot Detection): Browser type and version, device type, operating system, screen resolution, device IDs (anonymized)
- Connection Data (for Threat Analysis): IP address (where possible anonymized), geographic location (country level only), network provider information
- Interaction Data (for Human vs. Bot Detection): Mouse movements, keyboard patterns, scroll behavior, time between actions, touch gestures
- Session Data (for Security Tracking): Temporary session IDs, security tokens, timestamps
What we do NOT collect for end users:
- Personal names (except for Trusted Verify)
- Email addresses (except for Trusted Verify)
- Phone numbers (except for Trusted Verify)
- Financial information or payment details
- Location data beyond country level
- Data for user identification
- Data for profiling or tracking
Data Minimization Principles:
- Security Focus: Only data necessary to distinguish genuine users from threats
- Verification Purpose: Email addresses and phone numbers only for Trusted Verify verification
- No Identification: No user identification or tracking (except for verification)
- Threat Tracking: We also store necessary data from detected threats in non-anonymized form (e.g. IP address) in order to recognize them and protect our customer platforms
- Automatic Deletion: Data is deleted as soon as it is no longer needed
- No Data Combination: End user data is not combined with other data sources
- No Profiling: No use for profiling, marketing or other purposes
- Anonymization: All stored data is anonymized (by hashing) to protect privacy (except verification data and threat tracking data)
5.4 Processing Limitations for End Users
Trusted Accounts processes end user data exclusively for:
- Security Detection: Detection of genuine users versus automated systems
- Threat Prevention: Identification and prevention of security risks
- Service Delivery: Technical functionality of security services
- Identity Verification: Email addresses and phone numbers only for Trusted Verify verification
Note: This DPA focuses exclusively on data processing on behalf of our customers (Processor role), particularly the processing of end user data. Platform administrators, billing and support contacts who are direct customers of Trusted Accounts are covered by our Privacy Policy, as we act as Data Controller in this case.
6. Obligations and Rights of the Controller
6.1 Controller Obligations The Controller acknowledges and agrees that it is responsible for compliance with all applicable data protection laws regarding its processing of Personal Data, including but not limited to obtaining all necessary consents, approvals and authorizations from Data Subjects, as required by applicable law. The Controller provides Trusted Accounts with accurate, complete and current Personal Data and notifies Trusted Accounts immediately of any requests, objections or restrictions from Data Subjects that may affect our processing activities. Furthermore, the Controller ensures appropriate technical and organizational security measures to protect Personal Data and ensures that its processing instructions comply with applicable data protection laws.
6.2 Controller Rights The Controller retains all rights granted under applicable data protection laws, including the right to request comprehensive information about our processing activities, security measures and compliance practices. The Controller may access, review and audit Personal Data processed on its behalf, request correction or deletion of inaccurate or outdated Personal Data, object to processing based on legitimate interests, where applicable, and exercise data portability rights in accordance with GDPR requirements. The Controller may also request information about our sub-processors and their compliance with data protection obligations.
7. Obligations and Rights of the Processor
7.1 Processing Instructions Trusted Accounts SW FlexCo (the "Processor") acknowledges and agrees that it will process Personal Data exclusively in accordance with the documented instructions of the Controller, including documented instructions regarding the transfer of Personal Data to third countries or international organizations, unless such processing is required by applicable law to which Trusted Accounts is subject. In such circumstances, Trusted Accounts will notify the Controller of the legal requirement before processing, unless such notification is prohibited by law for important reasons of public interest.
7.2 Confidentiality Obligations Trusted Accounts ensures that all employees authorized to process Personal Data are bound by confidentiality obligations or subject to appropriate legal confidentiality requirements.
7.3 Security Measures Trusted Accounts implements appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, including the measures detailed in Annex II of this DPA.
7.4 Data Subject Rights Support Trusted Accounts provides appropriate support for the Controller in responding to Data Subject requests.
7.5 Breach Notification
Trusted Accounts as a data processor informs the Controller without undue delay, and at the latest within 72 hours of becoming aware of a personal data breach. Awareness exists as soon as the data processor has sufficient certainty that an incident has occurred. The initial report contains at least: (i) the nature of the breach, (ii) the affected data categories and the estimated number of records/data subjects, (iii) the likely consequences, and (iv) the measures taken or proposed to remedy the breach. The data processor transmits further information as soon as it is available and validated and names a contact person for coordination. Cooperation takes place to an appropriate extent to fulfill the Controller's obligations under Art. 33 and 34 GDPR.
7.6 Detailed Security Measures Trusted Accounts has implemented appropriate technical and organizational security measures to ensure a level of security appropriate to the risk of processing Personal Data. Trusted Accounts' security program includes:
Encryption: All Personal Data is encrypted during transmission and at rest using industry-standard encryption protocols. Trusted Accounts implements secure key management practices and ensures that encryption keys are stored separately from encrypted data.
Access Control: Trusted Accounts implements role-based access control (RBAC) with the principle of least privilege, multi-factor authentication (MFA) for all administrative access and regular access reviews to ensure appropriate access levels. All access attempts are logged and monitored for suspicious activity.
Monitoring and Detection: Trusted Accounts conducts security monitoring through Intrusion Detection and Prevention Systems, threat intelligence feeds and alerting for security events. Trusted Accounts' Security Operations Center monitors potential threats and responds to incidents according to documented procedures.
Incident Response: Trusted Accounts implements incident response procedures that include immediate containment, investigation, notification of affected parties as required by law and post-incident analysis to prevent recurrences. All security incidents are documented and tracked until resolution.
Vulnerability Management: Trusted Accounts conducts regular security assessments, including vulnerability scans, security testing and monitoring of security recommendations. Critical and high-risk vulnerabilities are remediated within defined timeframes according to Trusted Accounts' risk management framework.
7.7 Sub-processors Trusted Accounts as a data processor may engage sub-processors to assist in providing the services, provided that Trusted Accounts maintains an up-to-date list of all sub-processors and gives the Controller at least 30 days' prior written notice of proposed changes regarding the addition or replacement of sub-processors. The Controller may object in writing for legitimate, substantiated data protection reasons. The parties will work to find a solution (e.g. alternative processing). If no solution is possible, the Controller may terminate or suspend the affected processing. This does not create a right to terminate the entire contract.
The data processor remains liable to the Controller for the fulfillment of the obligations of its sub-processors as if it had performed their actions or omissions itself (Art. 28(4) GDPR). Claims of the Controller due to breaches of obligations by sub-processors are subject to the liability provisions in point 14 (including the liability cap set there and the exceptions mentioned there). No liability exists insofar as the breach was predominantly caused by instructions from the Controller, its breaches of obligations or the breaches of obligations of its data processors/agents or is based on unavoidable events outside the data processor's sphere of influence. Claims under Art. 82 GDPR remain unaffected.
All sub-processors must be bound by data protection obligations that are equivalent and substantially correspond to the requirements of this DPA.
8. Data Subject Rights
8.1 Right to Access Trusted Accounts provides appropriate support for the Controller in responding to access requests from Data Subjects by providing Personal Data in a structured, commonly used, machine-readable format that supports data portability requirements. Trusted Accounts ensures timely response within GDPR timeframes and maintains audit trails of all access requests and responses. Trusted Accounts' systems are designed to efficiently retrieve and format Personal Data while maintaining security and data protection standards.
8.2 Right to Rectification Trusted Accounts provides appropriate support for the Controller in correcting inaccurate Personal Data from Data Subjects by processing rectification requests promptly and maintaining audit trails of all corrections made. Trusted Accounts confirms to the Controller the completion of rectification requests. All rectification activities are logged and tracked for compliance and audit purposes.
8.3 Right to Erasure Trusted Accounts provides appropriate support for the Controller in deleting Personal Data from Data Subjects by having secure deletion procedures that ensure complete removal from all Trusted Accounts systems, including backups and archives, where technically feasible. Trusted Accounts confirms deletion to the Controller in writing and maintains deletion records for compliance purposes. Trusted Accounts' deletion procedures comply with GDPR requirements and industry best practices for secure data disposal.
8.4 Right to Restriction Trusted Accounts provides appropriate support for the Controller in restricting processing by implementing technical restrictions as requested, including data access controls, processing limitations and system modifications where required. Trusted Accounts maintains restriction records and ensures that processing is only resumed when restrictions are lifted by the Controller. All restriction activities are documented and tracked for compliance verification.
9. Data Breach Notification
9.1 Breach Detection Trusted Accounts implements systems and procedures for detecting breaches of Personal Data, including unauthorized access to Personal Data, accidental loss or destruction of Personal Data, unauthorized disclosure of Personal Data and alteration of Personal Data without authorization. Trusted Accounts' security monitoring systems include Intrusion Detection Systems, Security Information and Event Management tools, log analysis and alerting mechanisms for potential security incidents. Trusted Accounts conducts security operations monitoring to ensure detection and response to potential breaches.
9.2 Notification Process Upon becoming aware of a breach of Personal Data, Trusted Accounts will notify the Controller immediately and in any case within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Trusted Accounts' notification contains information about the nature of the breach, including the categories and approximate number of affected Data Subjects, the categories and approximate number of affected Personal Data, the likely consequences of the breach and the measures taken or proposed to address the breach. Trusted Accounts provides appropriate cooperation with the Controller in breach investigations and response activities and implements corrective measures to prevent recurrences.
9.3 Breach Documentation Trusted Accounts maintains records of all breaches of Personal Data, including documentation of the facts surrounding each breach, the impacts and potential consequences for affected Data Subjects, remedial measures taken to address the breach and lessons learned to prevent future occurrences. This documentation is maintained in accordance with GDPR requirements and is available for review by the Controller and relevant supervisory authorities as required by law.
10. Data Protection Impact Assessment
10.1 Assessment Support Trusted Accounts provides appropriate support for the Controller upon request in conducting Data Protection Impact Assessments by providing information about Trusted Accounts' processing activities performed for the Controller, including the nature, scope, context and purposes of processing. Trusted Accounts describes its technical and organizational security measures and safeguards, identifies potential risks to the rights and freedoms of Data Subjects and provides documentation to support risk assessment activities. Trusted Accounts' team works with the Controller to ensure that necessary information for the impact assessment is available.
10.2 Risk Mitigation Trusted Accounts has implemented measures to address identified risks, including enhanced security controls. Trusted Accounts has, where required, additional monitoring and logging capabilities and conducts regular internal security assessments and testing and adapts security measures based on threat intelligence and industry best practices. Trusted Accounts' risk mitigation strategies are designed to ensure that identified risks are addressed promptly and effectively, with regular review and updates to maintain appropriate protection levels.
11. Compliance Verification
11.1 Compliance Verification Trusted Accounts may provide relevant documentation to demonstrate compliance with this DPA when requested by the Controller.
11.2 Verification Process Compliance verification requests are made during normal business hours with appropriate advance notice, typically not less than 30 days, to allow for proper preparation and coordination. Trusted Accounts ensures that verification requests are handled without disruption to business operations or compromise of the security of its systems. All verification requests are handled in accordance with Trusted Accounts' security policies and procedures.
11.3 Verification Cooperation Trusted Accounts provides appropriate cooperation with compliance verification requests by providing access to relevant documentation, facilitating interviews with relevant employees and demonstrating security measures and controls in operation. Trusted Accounts maintains documentation to support verification activities and ensures that all verification requirements are met promptly and professionally.
12. Data Transfers
12.1 Transfer Mechanisms For transfers of Personal Data outside the European Economic Area (EEA), Trusted Accounts implements appropriate safeguards in accordance with GDPR requirements. Trusted Accounts maintains Standard Contractual Clauses (SCCs) approved by the European Commission, including Module Two (Controller to Processor) and Module One (Controller to Controller), where applicable. For jurisdictions with adequacy decisions, Trusted Accounts relies on such provisions, and where appropriate, Trusted Accounts implements Binding Corporate Rules for intra-group transfers. Trusted Accounts implements additional safeguards as required by applicable law and regularly reviews and updates its transfer mechanisms to ensure continued compliance.
12.2 Transfer Documentation Trusted Accounts maintains documentation of international data transfers, including records of transfer mechanisms and implemented safeguards, risk assessments and mitigation measures. Trusted Accounts reviews and updates transfer agreements based on evolving legal requirements. This documentation is available for review by the Controller and relevant supervisory authorities upon request and is regularly updated to reflect changes in legal requirements or Trusted Accounts' processing activities.
13. Data Return and Deletion
13.1 Return Process Upon written request from the Controller, Trusted Accounts as a data processor provides, within 30 days after contract termination, a copy of the personal data in a common, machine-readable format that supports data portability requirements. Trusted Accounts ensures secure transfer of the data with appropriate encryption and secure transfer protocols and confirms in writing the completion of the return process. Additional export/transformation services are provided at reasonable effort and for compensation according to the data processor's current rates.
13.2 Deletion Process After return of the personal data, Trusted Accounts deletes all copies in production systems within 30 days after contract termination. Backups/archives are automatically overwritten within the regular rotation cycle (max. 90 days); until then they are logically/technically isolated and accessible exclusively for data backup/disaster recovery purposes. To the extent that legal retention obligations prevent deletion, the relevant data is blocked and held exclusively for the fulfillment of these obligations; after the retention period expires, the data is deleted. Trusted Accounts as a data processor provides the Controller with a deletion confirmation upon request and maintains deletion logs for internal compliance purposes where applicable. Trusted Accounts' deletion procedures ensure secure disposal of all physical records and complete removal of Personal Data from all electronic systems and storage media.
14. Liability and Indemnification
14.1 Liability Limitation The total liability of the data processor arising from or in connection with this agreement, regardless of the legal basis, is limited in total to the amount that the Controller has paid to the data processor for the affected services in the twelve (12) months before the liability-triggering event. This amount represents the maximum total liability of the data processor towards the Controller for all claims together arising from this agreement, regardless of the number or type of individual damage cases. Mandatory claims under Art. 82 GDPR remain unaffected. Also unaffected are the liability of the data processor for intent and gross negligence, damages from injury to life, body or health, and mandatory liability (in particular under the Product Liability Act). Liability for indirect damages, lost profits and costs of data recovery is excluded. The Controller must take reasonable measures to mitigate damages and inform the data processor immediately of impending or occurred damages.
14.2 Indemnification The data processor (Trusted Accounts) indemnifies the Controller against third-party claims that are legitimate, legally binding, or amicably settled with the prior written consent of the data processor, and that are directly attributable to a demonstrable breach of this agreement by the data processor, including reasonable and demonstrably incurred legal prosecution and defense costs, provided that: (i) the Controller informs the data processor immediately in writing about the claim, (ii) grants the data processor exclusive procedural and settlement control, and (iii) provides reasonable support.
No indemnification exists insofar as the claim was (co-)caused by instructions from the Controller, its breaches of obligations, or the breaches of obligations of its data processors/agents.
Fines or official fees are assumed only insofar as legally permissible and only to the extent that they are attributable to intentional or grossly negligent breaches of obligations by the data processor; no acknowledgment of guilt is established hereby.
Indemnification claims under this point 14.2 are credited to and limited by the liability cap set in point 14.1. Mandatory claims under Art. 82 GDPR remain unaffected.
15. Term and Termination
15.1 Term This DPA remains in effect for the duration of the service agreement between the parties and remains in effect until all Personal Data has been returned or deleted in accordance with the provisions of this DPA. The term of this DPA survives the termination of the main agreement to the extent necessary to ensure compliance with data protection laws and fulfillment of all obligations set forth herein. This DPA remains binding on the parties until all data protection obligations are fulfilled and all Personal Data has been properly disposed of.
15.2 Termination Effects Upon termination of this DPA or the underlying service agreement, all Personal Data must be returned or deleted in accordance with the procedures set forth in Section 13, and all processing activities must be discontinued immediately, except as required by applicable law. Verification rights remain in effect for compliance verification purposes for a reasonable period after termination, and confidentiality obligations survive termination indefinitely to protect the privacy and security of Personal Data. The parties work in good faith to ensure proper termination and compliance with all applicable data protection requirements.
16. Governing Law and Jurisdiction
16.1 Governing Law
This DPA is governed by Austrian law for general contractual matters, with specific reference to EU data protection law for data protection matters. The parties acknowledge that EU data protection law takes precedence over all conflicting provisions of Austrian law to the extent necessary to ensure compliance with GDPR requirements. This DPA incorporates by reference all applicable regulations, directives and implementing laws related to data protection and privacy.
16.2 Jurisdiction
Disputes arising from this DPA are primarily resolved through good faith negotiations between the parties, with the goal of finding mutually acceptable solutions. If negotiations fail, disputes are resolved exclusively before Austrian courts, subject to mandatory GDPR jurisdiction provisions and the right of Data Subjects to file complaints with their local supervisory authority. All dispute resolution procedures are conducted in accordance with applicable law and the principles of fairness and due process.
17. Miscellaneous
17.1 Severability Clause
If any provision of this DPA is found to be invalid, unenforceable or in conflict with applicable law, the remaining provisions remain in full force and effect. Invalid provisions are replaced by valid alternatives that best reflect the original intent and consensus between the parties while ensuring full compliance with data protection laws. The parties agree to negotiate in good faith to replace invalid provisions with valid ones that achieve the same economic and legal objectives.
17.2 Amendments
Trusted Accounts may unilaterally amend this DPA with 30 days' notice to reflect changes in data protection laws, integrate regulatory guidelines, implement technical or organizational improvements or meet compliance requirements. The Controller may terminate within 30 days of notification of changes if it disagrees with the changes. All changes are made with appropriate notification to the Controller.
17.3 Entire Agreement
This DPA represents the complete and exclusive agreement between the parties regarding data processing activities and supersedes all prior agreements, understandings and representations on this subject. This DPA is incorporated by reference into the Terms of Service and Privacy Policy and may be supplemented by additional terms, schedules or annexes when agreed between the parties. In case of conflicts between this DPA, the Terms of Service or the Privacy Policy, the provisions of this DPA take precedence.
18. Contact Information
Data Protection Officer:
- Name: Ludwig Thoma
- Email: privacy@trustedaccounts.org
Legal Department:
- Email: legal@trustedaccounts.org
- Address: Trusted Accounts SW FlexCo, Vorarlberger Wirtschaftspark 1, 6840 Götzis, Austria
Annex I: Details of Processing
A. List of Parties
- Controller: You, as customer and contracting party of Trusted Accounts
- Processor: Trusted Accounts SW FlexCo, Vorarlberger Wirtschaftspark 1, 6840 Götzis, Austria
B. Description of Processing
The processing activities include user authentication and verification, detection and prevention of security threats, service performance monitoring and optimization, technical support and maintenance as well as compliance and regulatory reporting.
C. Processing Duration
Processing takes place for the duration of the service agreement and until data deletion requirements are met.
D. Nature and Purpose of Processing
Processing is necessary for service provision, security and compliance with legal obligations.
E. Categories of Data Subjects
- End users of customer platforms (processed on behalf of our customers)
Note: Platform administrators, billing and support contacts who are direct customers of Trusted Accounts are covered by our Privacy Policy, as we act as Data Controller in this case.
F. Types of Personal Data (only for end users on behalf of our customers)
- Technical device data (for bot detection)
- Connection data (for threat analysis)
- Interaction data (for human vs. bot detection)
- Session data (for security tracking)
- Verification data (only for Trusted Verify: email addresses and phone numbers)
Annex II: Technical and Organizational Measures
A. Access Control
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication (MFA) for all administrative access
- Regular access reviews and permission audits
- Secure credential management and rotation
B. Data Security
- Encryption in transit (industry-standard protocols)
- Encryption at rest (industry-standard encryption)
- Secure key management and separation
- Data loss prevention measures
C. Network Security
- Comprehensive firewall protection
- Intrusion Detection and Prevention Systems
- Regular security assessments and testing
- Vulnerability management and patch management
D. Physical Security
- Cloud-based infrastructure with enterprise security
- Environmental controls and monitoring
- Access logging and monitoring
- Disaster Recovery and Business Continuity procedures
E. Organizational Measures
- Employee training and awareness programs
- Incident Response procedures and escalation
- Business Continuity planning and testing
- Regular security audits and compliance reviews
Annex III: Sub-processors
A. Current Sub-processors
Trusted Accounts maintains a current list of sub-processors in its documentation.
B. Sub-processor Requirements
All sub-processors must provide equivalent data protection obligations, implement appropriate security measures, support our compliance obligations and accept audit rights.
C. Sub-processor Changes
Trusted Accounts notifies 30 days in advance of sub-processor changes and allows objections for legitimate reasons.