Legal
Data Processing Agreement
Last updated: 29 April 2026
This Data Processing Agreement ("DPA") supplements the TruVis Technologies LLC customer agreement and governs the processing of personal data submitted by your end-users into a TruVis tenant. The customer is the data controller; TruVis Technologies LLC is the processor. This DPA covers obligations under UAE Federal Decree-Law No. 45 of 2021 (UAE PDPL) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Subject matter and duration
TruVis processes personal data on the customer's instructions to deliver the AML/KYC compliance services described in the customer agreement. Processing continues for the contract term plus any export window agreed at termination.
2. Categories of data and data subjects
- Data subjects: the customer's prospects and customers undergoing onboarding, and the customer's own staff using TruVis.
- Data categories: identity data (name, DOB, ID numbers), contact data (address, email), document images, screening hits, risk scores and case notes generated by the customer's staff.
3. TruVis obligations as processor
- Process personal data only on the customer's documented instructions
- Ensure personnel with access are bound by confidentiality
- Implement the security measures described in Schedule 1
- Use only the sub-processors listed at /legal/sub-processors
- Notify the customer without undue delay of any personal-data breach
- Assist the customer with data-subject-rights requests
- Return or delete personal data at termination, subject to retention obligations
4. Sub-processors
Our current sub-processor list is published and updated at /legal/sub-processors. We will give you 30 days' notice of any new sub-processor, and you may object on reasonable grounds.
5. Security (Schedule 1)
- Data residency in Bahrain (Vercel and Supabase region me1)
- Tenant isolation by Row Level Security at the database
- Encryption in transit (TLS 1.2+) and at rest (Supabase-managed)
- MFA for MLRO, Compliance Officer and Tenant Admin roles
- Append-only, hash-chained audit log; UPDATE/DELETE blocked at the database
- Customer documents in private buckets accessed only through 15-minute signed URLs
- PII-aware application logger; no raw PII in stdout or platform logs
- Annual third-party penetration test (Enterprise tier)
6. International transfers
We do not transfer personal data outside the GCC for processing or storage without your written instruction. If a sub-processor must process data outside the GCC for a discrete function (for example, a specific notification provider), we will document the transfer mechanism and the safeguards applied.
7. Audit rights
On request and reasonable notice, we will provide a current security overview and independent test or audit reports we hold (e.g. penetration test, SOC 2 Type II report once available). On Enterprise tiers, on-site audits may be agreed subject to confidentiality.
8. Breach response
We notify customers of confirmed personal-data breaches within 72 hours of confirmation, in accordance with UAE PDPL (Federal Decree-Law No. 45 of 2021) and GDPR obligations. The notification will include a description of the breach, categories and approximate volume of records affected, likely consequences, and remedial steps taken or proposed.
9. Termination
On termination, we provide a 60-day export window. After the window we delete personal data, except where retention is required by law or where you instruct otherwise in writing.
10. Contact
DPA questions and DSR requests: privacy@truvis.ae. Security issues: security@truvis.ae.
Notice. This page is provided for transparency and is not legal advice. Final binding terms are those signed by your authorised representative on a TruVis customer agreement. Contact legal@truvis.ae for the executable form.