Skip to content
  • There are no suggestions because the search field is empty.

Data Processing Addendum (DPA)

1. INTRODUCTION

This Data Processing Addendum ("DPA") supplements and forms part of the applicable TrueEngage Terms of Service (the "Terms"), Order Form, Service Schedule, Partner Agreement, Statement of Work, or other agreement governing Customer's use of the Service (collectively, the "Agreement").

This DPA is entered into between:

Live Engage sp. z o.o. ("TrueEngage", "Processor", "Company", "we", "our", or "us")

and

the Customer identified in the applicable Agreement ("Customer" or "Controller").

This DPA reflects the Parties' agreement regarding the Processing of Personal Data by TrueEngage on behalf of Customer in connection with the Service.

Where Customer acts as a Controller and TrueEngage Processes Personal Data on Customer's behalf, the Parties agree that this DPA governs such Processing.

This DPA is intended to satisfy the requirements of Article 28 GDPR, UK GDPR, and other applicable Data Protection Laws governing Processor relationships.

Related Documents:

  • Terms of Service
  • Privacy Policy
  • Service Level Agreement (SLA)
  • Technical and Organizational Measures (TOMs)
  • Trust Center
2. DEFINITIONS

Capitalized terms not defined in this DPA have the meanings assigned in the Agreement.

2.1 Controller

The entity that determines the purposes and means of Processing Personal Data.

2.2 Processor

An entity that Processes Personal Data on behalf of a Controller.

2.3 Personal Data

Personal Data as defined under applicable Data Protection Laws.

2.4 Data Protection Laws

All applicable privacy and data protection laws and regulations, including:

  • Regulation (EU) 2016/679 ("GDPR");
  • UK GDPR;
  • The UK Data Protection Act 2018;
  • California Consumer Privacy Act, as amended ("CCPA/CPRA"), where applicable;
  • Applicable national implementing legislation;
  • Other applicable privacy and data protection laws.
2.5 Security Incident

Any confirmed incident resulting in unauthorized access to, disclosure of, loss of, alteration of, or destruction of Personal Data processed by TrueEngage on behalf of Customer.

2.6 Subprocessor

A third party engaged by TrueEngage to Process Personal Data on behalf of Customer.

2.7 Supervisory Authority

Any governmental, regulatory, or public authority responsible for privacy or data protection enforcement.

2.8 Processing

Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.

2.9 Data Subject

An identified or identifiable natural person to whom Personal Data relates.

3. SUBJECT MATTER AND SCOPE OF PROCESSING

3.1 Processing Activities

Customer instructs TrueEngage to Process Personal Data solely as necessary to:

  • Provide the Service;
  • Perform the Agreement;
  • Deliver support services;
  • Deliver Professional Services;
  • Maintain security, availability, and integrity of the Service;
  • Comply with applicable law;
  • Fulfill Customer's documented instructions.
3.2 Customer Instructions

Customer instructs TrueEngage to Process Personal Data only:

  • On documented instructions from Customer;
  • As necessary to provide the Service;
  • As necessary to perform the Agreement;
  • As required by applicable law.

Where applicable law requires Processing contrary to Customer instructions, TrueEngage shall inform Customer unless prohibited by law.

Customer is responsible for ensuring that its instructions comply with applicable Data Protection Laws.

3.3 Unlawful Instructions

TrueEngage shall notify Customer without undue delay if TrueEngage reasonably believes that a Customer instruction violates applicable Data Protection Laws.

Nothing in this DPA requires TrueEngage to follow instructions that are unlawful.

3.4 Categories of Data

Categories of Personal Data and Data Subjects processed through the Service are described in:

  • Appendix 1 – Details of Processing
  • The Privacy Policy
  • Applicable Customer configurations and deployments
3.5 Controller Responsibilities

Customer represents and warrants that:

  • It has all necessary rights and authority to provide Personal Data to TrueEngage for Processing;
  • It has established an appropriate legal basis for Processing;
  • It has provided any required privacy notices;
  • It has obtained any required consents where applicable;
  • Its Processing activities comply with applicable Data Protection Laws.

4. CONFIDENTIALITY

4.1 Access Restrictions

TrueEngage shall restrict access to Personal Data to personnel who require such access in order to perform their duties related to the Service.

Access rights shall be granted based on business need and the principle of least privilege.

4.2 Confidentiality Obligations

Personnel authorized to Process Personal Data shall be subject to appropriate confidentiality obligations, whether through:

  • Employment agreements;
  • Contractor agreements;
  • Professional obligations;
  • Statutory duties;
  • Written confidentiality commitments.
4.3 Training and Awareness

TrueEngage shall maintain reasonable security awareness and privacy training programs for personnel with access to Personal Data.

4.4 Continuing Obligation

Confidentiality obligations shall survive:

  • Termination of employment;
  • Termination of contractor relationships;
  • Termination of access rights;
  • Expiration or termination of this DPA.

5. SECURITY OF PROCESSING

5.1 Security Program

TrueEngage maintains a comprehensive information security program designed to protect Customer Data and Personal Data against unauthorized access, disclosure, alteration, loss, destruction, or misuse.

5.2 Technical and Organizational Measures

TrueEngage shall implement and maintain appropriate technical and organizational measures consistent with:

  • Article 32 GDPR;
  • UK GDPR;
  • Applicable Data Protection Laws;
  • Industry standards;
  • The Technical and Organizational Measures described in Appendix E.

Such measures are designed to ensure a level of security appropriate to the risk presented by the Processing activities performed under this DPA.

5.3 Security Certifications

TrueEngage maintains:

  • ISO/IEC 27001:2022 certification;
  • SOC 2 Type II attestation;

or equivalent successor certifications and control frameworks.

TrueEngage shall use commercially reasonable efforts to maintain such certifications or equivalent control frameworks.

5.4 Security Controls

Security controls maintained by TrueEngage may include:

  • Encryption in transit using TLS;
  • Encryption at rest where appropriate;
  • Role-based access controls;
  • Multi-factor authentication;
  • Security monitoring and logging;
  • Vulnerability management processes;
  • Secure development practices;
  • Incident response procedures;
  • Business continuity controls;
  • Disaster recovery controls;
  • Security awareness training.

Specific security controls may evolve over time provided that the overall level of protection is not materially diminished.

5.5 Additional Information

Information regarding:

  • Security controls;
  • Certifications;
  • Compliance documentation;
  • Business continuity;
  • Disaster recovery;
  • Security assessments;
  • Subprocessors;
  • Compliance practices;

may be made available through the Trust Center.

5.6 GDPR Article 32 Compliance

Taking into account:

  • The state of the art;
  • The costs of implementation;
  • The nature, scope, context, and purposes of Processing;
  • The risks to the rights and freedoms of natural persons;

TrueEngage shall implement and maintain measures designed to ensure a level of security appropriate to the risk.

5.7 Technical and Organizational Measures

A summary of applicable Technical and Organizational Measures is provided in:

Appendix E – Technical and Organizational Measures (TOMs)

The Parties acknowledge that the TOMs may be updated from time to time provided that the overall level of protection is not materially reduced.

6. SUBPROCESSORS 6.1 General Authorisation

Customer grants TrueEngage a general authorisation to engage Subprocessors in connection with the provision of the Service.

TrueEngage may engage Subprocessors to provide services including:

  • Cloud hosting;
  • Infrastructure services;
  • Communications services;
  • Security services;
  • Monitoring services;
  • Identity and authentication services;
  • Customer support services;
  • Analytics services;
  • Professional services.
6.2 Subprocessor List

A current list of approved Subprocessors is maintained through the Trust Center.

The list may include:

  • Subprocessor name;
  • Processing purpose;
  • Processing location;
  • Applicable safeguards where relevant.
6.3 Changes to Subprocessors

TrueEngage may add, replace, or remove Subprocessors from time to time.

TrueEngage shall provide notice of material Subprocessor additions through:

  • The Trust Center;
  • Customer notifications;
  • Other reasonable means.

Customer may object to a new Subprocessor on reasonable data protection grounds within fourteen (14) days following notification.

If Customer objects:

  • The Parties shall work together in good faith to address the objection;
  • TrueEngage may propose alternative solutions;
  • If no reasonable solution can be implemented, Customer may terminate the affected Service upon written notice.
6.4 Subprocessor Agreements

TrueEngage shall enter into written agreements with Subprocessors requiring data protection, confidentiality, security, and compliance obligations that are no less protective than those applicable to TrueEngage under this DPA with respect to the Processing of Personal Data.

Such obligations shall include, where applicable:

  • Confidentiality obligations;
  • Security obligations;
  • International transfer safeguards;
  • Assistance obligations;
  • Data deletion obligations.
6.5 Responsibility

TrueEngage shall remain responsible for the acts and omissions of its Subprocessors in connection with the Processing of Personal Data to the same extent as if such acts or omissions were performed by TrueEngage directly, subject to the liability limitations and exclusions set forth in the Agreement.

7. INTERNATIONAL DATA TRANSFERS

7.1 Regional Processing

Customer Data is generally processed in the region selected for the applicable Customer deployment.

Available regions may include:

  • European Union;
  • United States;
  • Other supported regions.

Information regarding regional deployment options may be made available through the Trust Center.

7.2 Transfer Mechanisms

Where Personal Data is transferred internationally, TrueEngage shall implement appropriate safeguards, including where applicable:

  • European Commission Adequacy Decisions;
  • Standard Contractual Clauses (SCCs);
  • UK International Data Transfer Addendum;
  • UK International Data Transfer Agreement (IDTA);
  • Other lawful transfer mechanisms recognized under applicable Data Protection Laws.
7.3 Supplementary Measures

Where required by applicable Data Protection Laws, TrueEngage shall implement reasonable supplementary measures designed to protect Personal Data transferred internationally.

Such measures may include:

  • Encryption;
  • Access controls;
  • Contractual safeguards;
  • Organizational safeguards.
7.4 Cooperation

The Parties shall reasonably cooperate regarding inquiries, assessments, audits, or regulatory requirements relating to international data transfers.

7.5 Cross-Border Data Processing

Where the provision of the Service or Processing of Personal Data involves transfers to, access from, or Processing in jurisdictions outside the European Union, United Kingdom, Canada, or the jurisdiction selected for the applicable Customer deployment, TrueEngage shall comply with applicable Data Protection Laws and implement appropriate safeguards required by such laws.

The Parties shall cooperate in good faith to implement any additional transfer mechanisms, contractual safeguards, or compliance measures reasonably required under applicable Data Protection Laws.

8. DATA SUBJECT REQUESTS

8.1 Assistance

Taking into account the nature of the Processing, TrueEngage shall provide reasonable assistance to Customer in responding to requests from Data Subjects exercising rights under applicable Data Protection Laws.

Such rights may include:

  • Access;
  • Rectification;
  • Erasure;
  • Restriction of Processing;
  • Data portability;
  • Objection to Processing;
  • Withdrawal of consent.
8.2 Direct Requests

If TrueEngage receives a request directly from a Data Subject relating to Customer Data, TrueEngage may:

  • Direct the Data Subject to Customer; or
  • Notify Customer of the request,

unless otherwise required by applicable law.

8.3 Technical Assistance

Where reasonably possible and taking into account the nature of the Service, TrueEngage shall provide technical or organizational assistance to support Customer's response to Data Subject requests.

9. SECURITY INCIDENTS

9.1 Notification

TrueEngage shall notify Customer without undue delay after becoming aware of a confirmed Security Incident affecting Customer Data.

Notification shall be provided in accordance with:

  • Applicable Data Protection Laws;
  • The Agreement;
  • Applicable regulatory requirements.
9.2 Information Provided

To the extent reasonably available, Security Incident notifications may include:

  • The nature of the Security Incident;
  • Categories of affected Personal Data;
  • Categories of affected Data Subjects;
  • Known or suspected consequences;
  • Remediation actions;
  • Mitigation measures;
  • Contact information for further assistance.
9.3 Ongoing Updates

TrueEngage may provide supplemental information as it becomes available.

Information may be provided in phases where complete information is not immediately available.

9.4 Investigation and Mitigation

TrueEngage shall take commercially reasonable measures to:

  • Investigate Security Incidents;
  • Contain Security Incidents;
  • Mitigate Security Incidents;
  • Remediate Security Incidents;
  • Restore affected services where applicable.
9.5 Government Requests

Where legally permitted, TrueEngage will use commercially reasonable efforts to notify Customer of governmental, regulatory, judicial, or law enforcement requests seeking access to Customer Data.

Nothing in this Section requires TrueEngage to violate applicable law or a legally binding confidentiality obligation.

10. DPIAS AND REGULATORY COOPERATION

10.1 Assistance

Taking into account:

  • The nature of the Processing;
  • Information available to TrueEngage;
  • The costs of implementation;

TrueEngage shall provide reasonable assistance to Customer in meeting obligations under Articles 32 through 36 GDPR and equivalent provisions of applicable Data Protection Laws.

10.2 Data Protection Impact Assessments

Where required by applicable Data Protection Laws, TrueEngage shall provide reasonable assistance relating to:

  • Data Protection Impact Assessments (DPIAs);
  • Risk assessments;
  • Security reviews.
10.3 Prior Consultation

Where a DPIA indicates that Processing would result in a high risk absent mitigation measures, TrueEngage shall provide reasonable assistance regarding prior consultation with competent Supervisory Authorities where required by law.

10.4 Regulatory Inquiries

TrueEngage shall provide reasonable assistance regarding:

  • Supervisory Authority inquiries;
  • Regulatory investigations;
  • Regulatory inspections;

to the extent required by applicable Data Protection Laws and to the extent information is available to TrueEngage.

10.5 Cost Recovery

Where assistance requested by Customer requires significant additional effort beyond standard obligations under this DPA, TrueEngage may charge reasonable fees for such assistance, provided such fees are disclosed in advance and agreed by Customer.

11. RETURN, EXPORT, AND DELETION OF DATA

11.1 Customer Rights

Upon termination or expiration of the Service, Customer may request export of Customer Data in accordance with:

  • The Agreement;
  • The Terms of Service;
  • Applicable Service documentation.
11.2 Export Period

Unless otherwise agreed in writing, Customer may request export of Customer Data within thirty (30) days following termination or expiration of the Service.

Customer is responsible for initiating any export request within the applicable export period.

11.3 Export Format

Where reasonably practicable, Customer Data shall be made available using standard Service functionality and in a commonly used electronic format.

TrueEngage is not required to:

  • Convert data into proprietary formats;
  • Develop custom export tools;
  • Retain Customer Data beyond applicable retention periods.
11.4 Deletion

Following the applicable export period, TrueEngage may delete Customer Data unless:

  • Retention is required by applicable law;
  • Retention is required for legitimate security, compliance, audit, or dispute-resolution purposes;
  • The Parties agree otherwise in writing.
11.5 Legal Retention

Nothing in this DPA requires deletion where retention is required by:

  • Applicable law;
  • Court order;
  • Regulatory requirement;
  • Legitimate legal preservation obligations.

Where retained, Personal Data shall remain subject to the confidentiality, security, and protection obligations of this DPA.

12. AUDITS AND COMPLIANCE INFORMATION

12.1 Compliance Documentation

TrueEngage may satisfy audit, security review, and compliance information requests by providing:

  • ISO/IEC 27001:2022 certification information;
  • SOC 2 Type II reports or summaries;
  • Security documentation;
  • Audit summaries;
  • Trust Center materials;
  • Security questionnaires;
  • Compliance questionnaires;
  • Technical and Organizational Measures documentation.
12.2 Trust Center Documentation

Customer acknowledges that TrueEngage may satisfy audit, security review, and compliance information requests through documentation made available via the Trust Center.

The Trust Center may provide information regarding:

  • Security controls;
  • Compliance certifications;
  • Subprocessors;
  • Business continuity;
  • Disaster recovery;
  • Security assessments;
  • Compliance documentation.
12.3 Additional Audits

Where required by applicable Data Protection Laws, Customer may request an audit upon reasonable advance written notice and subject to:

  • Confidentiality obligations;
  • Reasonable scope limitations;
  • Protection of other customers;
  • Protection of TrueEngage confidential information;
  • Reasonable security requirements.
12.4 Frequency

Unless required by applicable law, audits may not occur more than once during any twelve (12) month period.

12.5 Audit Costs

Each Party shall bear its own costs associated with audits unless otherwise required by applicable law or agreed in writing.

12.6 Audit Cooperation

TrueEngage shall provide reasonable cooperation with lawful audit requests to the extent required by applicable Data Protection Laws.

Nothing in this DPA requires TrueEngage to:

  • Disclose information relating to other customers;
  • Disclose trade secrets;
  • Disclose information that would compromise security;
  • Violate legal, regulatory, or contractual obligations.

13. GOVERNING LAW AND LIABILITY

13.1 Governing Law

This DPA shall be governed by the governing law specified in the Agreement.

13.2 Dispute Resolution

Disputes relating to this DPA shall be resolved in accordance with the dispute resolution provisions of the Agreement.

13.3 Liability

The liability of the Parties arising from or relating to this DPA shall be subject to the liability limitations, exclusions, and allocation of risk provisions contained in the Agreement unless prohibited by applicable Data Protection Laws.

Nothing in this DPA shall be interpreted to expand either Party's liability beyond that expressly provided in the Agreement except where such limitation is prohibited by applicable law.

14. TERM

14.1 Effective Date

This DPA becomes effective when Customer first uses the Service or otherwise enters into the Agreement.

14.2 Duration

This DPA shall remain in effect for as long as TrueEngage Processes Personal Data on behalf of Customer.

14.3 Survival

The provisions of this DPA that by their nature should survive termination shall survive termination or expiration, including:

  • Confidentiality obligations;
  • Security obligations;
  • Audit obligations;
  • Data deletion obligations;
  • Liability provisions;
  • Applicable legal and regulatory obligations.
15. CONTACT INFORMATION

Live Engage sp. z o.o.

ul. Święty Marcin 29/8

61-806 Poznań, Poland

Legal

legal@trueengage.com

Data Protection Contact

dataprotection@trueengage.com

Security Contact

security@trueengage.com

Trust Center

https://trust.trueengage.com/

APPENDIX 1 – DETAILS OF PROCESSING

A. Subject Matter of Processing

Provision of the TrueEngage Service, including associated support services, Professional Services, security operations, maintenance activities, and related functionality.

B. Duration of Processing

For the duration of:

  • The Agreement;
  • The Customer's use of the Service;
  • Any applicable retention period;
  • Any period required by applicable law.
C. Nature and Purpose of Processing

Processing activities may include:

  • Customer engagement;
  • Messaging;
  • Voice communications;
  • Video communications;
  • Screen sharing;
  • Feedback collection;
  • Customer support;
  • Service administration;
  • Authentication and access management;
  • Analytics and reporting;
  • Security monitoring;
  • Incident management;
  • Service improvement activities.
D. Categories of Data Subjects

Data Subjects may include:

  • Customer employees;
  • Authorized Users;
  • Administrators;
  • End Users;
  • Prospective customers;
  • Business contacts;
  • Customer representatives;
  • Website visitors;
  • Support contacts.
E. Categories of Personal Data

Depending upon Customer configuration and use of the Service, Personal Data may include:

  • Names;
  • Email addresses;
  • Telephone numbers;
  • User identifiers;
  • Account information;
  • Communications metadata;
  • Chat transcripts;
  • Call metadata;
  • Video session metadata;
  • Device information;
  • IP addresses;
  • Browser information;
  • Authentication information;
  • Usage data;
  • Customer-submitted information;
  • Support and service communications.
F. Special Categories of Personal Data

TrueEngage does not intentionally require or request Special Categories of Personal Data.

To the extent Customer submits Special Categories of Personal Data through the Service, such Processing shall occur solely:

  • On Customer instructions;
  • In accordance with applicable law;
  • Subject to appropriate safeguards.

G. Processing Operations

Processing operations may include:

  • Collection;
  • Recording;
  • Organization;
  • Structuring;
  • Storage;
  • Retrieval;
  • Consultation;
  • Transmission;
  • Disclosure;
  • Analysis;
  • Restriction;
  • Deletion;
  • Destruction.
H. Technical and Organizational Measures

The Technical and Organizational Measures applicable to Processing activities are described in:

Appendix E – Technical and Organizational Measures (TOMs)

and may be supplemented by information made available through the TrueEngage Trust Center.

© 2026 Live Engage sp. z o.o. All rights reserved.