TrueEngage Privacy Policy

Last updated: 1st of May 2025

1. Introduction

This Privacy Policy explains what Live Engage Sp. z o.o. (“Company,” “we,” “us,” or “our”) does with your Personal Data. The Privacy Policy describes how we collect, process, and protect Personal Data when providing the TrueEngage service to our customers. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights. It is important to point out that we may amend this Privacy Policy from time to time.

2. What Is TrueEngage

TrueEngage is a proprietary SaaS platform integrated with Genesys Cloud, offering omnichannel web or mobile app contact and trigger-based or AI-driven website visitor engagement tools provided by the Company, and deployed by customers (“Customers”) on their websites and digital properties to enable real-time communication with their website visitors or other digital properties users (“Users”) (“TrueEngage”).

3. Definitions

3.1. “Agreement” − Partner Agreement concluded with Live Engage Sp. z o.o.

3.2. “Controller” − the entity that determines the purposes and means of the processing of Personal Data.

3.3. “Data Protection Laws” − all legislation in force in the relevant jurisdiction relating to the privacy or use or processing of data relating to natural persons, in particular (a) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation (“GDPR”)), (b) the UK General Data Protection Regulation (“UK GDPR”), as retained in UK law under the European Union (Withdrawal) Act 2018, (c) the California Consumer Privacy Act (“CCPA”), and (d) other applicable privacy regulations.

3.4. “Personal Data” – any information relating to an identified or identifiable natural person, directly or indirectly, based on identifiers such as name and surname, identification number, location data, online identifier, or information collected via cookies and other similar technologies.

3.5. "Processing" − an operation or set of operations which is performed on personal data or sets of personal data by automated or non-automated means, i.e. collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.6. "Processor" − an entity that processes Personal Data on behalf of the Controller.

3.7. “Policy” – this privacy policy.

3.8. "Supervisory Authority" − independent authority for data protection in a specific jurisdiction.

4. Scope and Roles

4.1. The Company remains an independent Controller with respect to its own Customers. However, in the context of the services provided, the Company processes Personal Data on behalf of the Customers, acting as a data Processor.

4.2. With regard to the Personal Data of their Users, Customers act as data Controllers and are responsible for complying with applicable Data Protection Laws and informing Users about their data processing practices.

5. Information We Collect

5.1. As the Data Controller, we process the following categories of Personal Data of our Customers, who act as representatives or contact persons of the business entities:

5.1.1. Personal details:

  • first and last name,

5.1.2. Professional and organizational information:

  • information about business activity or employment,

  • job title,

  • name of the represented business entity,

  • tax identification number (if it constitutes Personal Data of a sole proprietorship),

  • bank account number (if it constitutes Personal Data of a sole proprietorship);

5.1.3. Contact details:

  • business email address,

  • business phone number,

  • business or correspondence address.

5.2. As Processor, we collect the following categories of Personal Data through the TrueEngage widget:

5.2.1. User Behavior Data:

  • Page visits and navigation flow,

  • Engagement timing and widget interactions,

  • Browsing history,

  • Time spent on each page or section,

  • Interaction data with the website (e.g., clicks, form submissions, chat initiations),

  • Entry and exit points on the website.

5.2.2. Technical Data:

  • IP address,

  • Browser and device information,

  • Language and screen resolution.

5.2.3. Contact Details:

  • Phone numbers or email addresses submitted via forms or callback widgets.

6. Purposes and Legal Basis for Data Processing

6.1. INITIATION AND IMPLEMENTATION OF THE COOPERATION

The Controller processes Personal Data:

6.1.1. for the purpose of providing and maintaining services related to making TrueEngage content and services available to Customers, including providing onboarding, training, and enablement resources to the Customers, as well as onboarding support – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR). If you act as an attorney-in-fact, representative, or contact person of the Customer – the legal basis is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), which consists in the performance of the concluded Agreement.

6.1.2. for the purpose of processing payments related to the provided services – within the selected payment model, including granting discounts in accordance with the contractual provisions – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR). If you act as an attorney-in-fact, representative, or contact person of the Customer – the legal basis is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), which consists in processing payments and granting discounts as agreed in the Agreement.

6.1.3. for the purpose of handling complaints – the legal basis for processing is the necessity of processing for the performance of a contract (Article 6(1)(b) of the GDPR) to which the complaint relates;

6.1.4. for the purpose of fulfilling legal obligations imposed on the Controller, particularly those resulting from tax and accounting regulations – the legal basis for processing is compliance with a legal obligation to which the Controller is subject (Article 6(1)(c) of the GDPR);

6.1.5. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in analyzing and compiling statistics on activity in the platform to improve the functionalities and services offered by the Controller;

6.1.6. for the purpose of ensuring the proper functioning and security of TrueEngage, including the detection and prevention of fraud – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in maintaining proper operation and security;

6.1.7. for the purpose of establishing, pursuing, or defending against potential legal claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in the protection of its rights.

7. Contact with the Controller

The Controller processes Personal Data:

7.1. for the purpose of handling correspondence and phone calls and responding to inquiries – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in responding to inquiries related to the Controller's business activity. In the case of data provided voluntarily in such inquiries, the legal basis is the data subject’s consent (Article 6(1)(a) of the GDPR);

7.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in analyzing inquiries submitted by Customers, to improve the functionalities and services offered by the Controller, and to assess the quality and effectiveness of the communication method used;

7.3. for the purpose of establishing, pursuing, or defending against potential legal claims – the legal basis for processing is the legitimate interest of the Controller (Article 6(1)(f) of the GDPR), consisting in the protection of its rights.

8. Voluntary Provision of Personal Data

The provision of Personal Data is voluntary but necessary to use the services provided by the Controller, including establishing cooperation, as well as to contact the Controller and obtain answers to questions addressed to the Controller.

9. Personal Data Retention Period

9.1. Personal Data will be processed for the period necessary to achieve the purposes of processing. In principle, this period covers the time of access to and use of the TrueEngage platform or lasts until consent is withdrawn or an effective objection to the processing is raised, if the legal basis for processing is the legitimate interest of the Controller.

9.2. The processing period may be extended if necessary for the establishment, exercise, or defense of legal claims. After the expiration of this period, Personal Data will only be processed to the extent required by law. Once the processing is concluded, Personal Data will be permanently deleted or anonymized.

10. Recipients of Personal Data

10.1. In connection with the processing purposes, Customers’ Personal Data may be shared with external entities providing services to the Controller, including IT service providers, analytical and marketing service providers, payment operators, and entities providing accounting and advisory services.

10.2. Recipients of such Personal Data processed in connection with the fulfillment of the processing purposes may also include service providers, carriers and couriers, telecommunications operators, law firms, and authorized public authorities and institutions.

10.3. The Controller also reserves the right to disclose selected information regarding individuals using the TrueEngage or third parties for whom data collection is conducted in the provided services, to the relevant authorities or third parties who request such information based on an appropriate legal basis (in accordance with applicable law).

11. Transfer of Personal Data to Third Countries

11.1. Our services are designed to support Customers globally. As part of the system configuration, Customers can select the region where their data will be stored and processed (e.g., the European Union, the United States, or other available regions).

11.2. As a result, if you are a resident of the European Union, your Personal Data may be processed outside the EU/EEA, for example in the United States or other countries. The level of protection of Personal Data in those countries may not be equivalent to the level guaranteed under EU law.

11.3. Therefore, when the Controller transfers Personal Data outside the EEA, it ensures that appropriate safeguards are in place, in particular by:

11.3.1. cooperation with data Processors in countries that have received an adequacy decision from the European Commission confirming an appropriate level of data protection. In some cases, the Commission may require such entities to participate in programs approved by it for organizations outside the EEA, which commit them to ensuring data protection at a level equivalent to that in the EU and associated countries (details available here);

11.3.2. using standard contractual clauses approved by the European Commission, which, together with additional security measures, guarantee the protection of Personal Data at a level equivalent to that required in the EU and associated countries (sample agreements available here);

11.3.3. the application of binding corporate rules approved by the competent Supervisory Authority.

12. Data Security

12.1. The Company implements ISO 27001:2013–aligned technical and organizational measures (TOMs), including:

12.1.1. End-to-end encryption;

12.1.2. Role-based access control (RBAC);

12.1.3. Secure hosting in Microsoft Azure (EU), or in the AWS region determined by the location of the Customer’s Genesys Cloud organization. In the process, Personal Data may also be transmitted to Microsoft's parent company in the USA. The transfer of Personal Data is always appropriately secured; please refer to point 8 of this Privacy Policy. In this case, the data transfer to the USA is based on the EU standard contractual clauses.

12.1.4. See Appendix E for full TOMs documentation.

13. Data Subject Rights

13.1. You have certain legal rights in relation to the matters dealt with in this Policy and so, where relevant, we have described these as well.

13.2. If you are a resident of the EU, you have certain rights under the GDPR. These rights include the right to:

13.2.1. request access to your Personal Data and obtain a copy, as well as the right to rectification, portability, restriction of processing, or erasure of your Personal Data;

13.2.2. where the basis for processing Personal Data is consent – withdraw the consent given for the processing of Personal Data at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;

13.2.3. object at any time to the processing of Personal Data for reasons related to your particular situation when the Controller processes data based on its legitimate interests (Article 21(1) GDPR); for evidence purposes, the Controller requests that objections be made in writing or sent to the Controller's email address;

13.2.4. object at any time to the processing of Personal Data for direct marketing purposes, including profiling (Article 21(2) GDPR); for evidence purposes, the Controller requests that objections be made in writing or sent to the Controller's email address;

13.2.5. lodge a complaint with the Supervisory Authority responsible for Personal Data protection if you believe that the processing of Personal Data violates the law. You should contact your local data protection authority in this regard.

13.3. If you are a resident of California, you have certain rights under the CCPA (as amended by the California Privacy Rights Act (CPRA)). These rights include:

13.3.1. the right to know what categories of Personal Data we collect and how we use it;

13.3.2. the right to request access to your Personal Data or its deletion;

13.3.3. the right to correct inaccurate Personal Data;

13.3.4. the right to opt out of the “sale” or “sharing” of your Personal Data (note: we do not sell or share Personal Data);

13.3.5. the right to limit the use of sensitive Personal Data (note: we do not collect sensitive Personal Data as defined under California law);

13.3.6. the right not to be discriminated against for exercising your privacy rights.

13.4. We may share Personal Data with third parties only for clearly defined business purposes and under strict confidentiality obligations.

13.5. To exercise your rights or contact us with questions, please refer to point 13 of this Policy.

14. Cookies, Analytical and Marketing Tools

14.1. The widget provided by the Controller is embedded on the Customer’s website, meaning that all cookies are stored within the Customer’s domain as first-party cookies.

14.2. The responsibility for managing Users’ consent - including displaying a cookie banner and enabling preference management - rests entirely with the Customer.

14.3. The Controller may provide technical support to Customers, upon request and in accordance with their specific requirements, to help ensure that cookies are used in compliance with applicable consent mechanisms and legal requirements.

14.4. The User should have the ability to manage their consents at any time, including withdrawing previously given consents and adjusting preferences for specific categories of cookies (e.g., necessary, functional, analytical, marketing). Users should also have the option to delete cookies at any time via their browser settings. The responsibility for providing these options lies with the Customer. Instructions on how to manage cookies in different browsers can be also found on the websites of the respective browser providers.

14.5. The Controller does not actively use any analytical or marketing tools, such as Google Analytics, for their own purposes. However, the platform may facilitate the transfer of certain data to the Google Analytics accounts of Customers, when such functionality is integrated by them into their own use of the service. In such cases, Customers act as independent data controllers with respect to the data they collect via analytics tools. For more detailed information on how such data is processed, please refer to the relevant Customer’s privacy policy.

15. Final Provisions

15.1. Customers are solely responsible for ensuring that their use of TrueEngage complies with all applicable laws, in particular Data Protection Laws and consumer rights legislation.

15.2. Customers must, in particular:

  • Clearly display privacy and cookie notices on their websites or digital services where the TrueEngage platform is implemented;
  • Obtain the legal basis for processing of the Personal Data, including valid, informed, and freely given consent for data processing where required by law (e.g., under the GDPR, CCPA or similar legislation);
  • Inform their Users about the nature and scope of data processing involving the TrueEngage platform, including the use of cookies, tracking technologies, or profiling functionalities, where applicable;
  • Implement technical and organizational measures to ensure the security of the Personal Data they collect or process.

15.3. The Controller bears no responsibility for any breaches of data protection obligations by Customers in connection with their independent use of the TrueEngage.

15.4. The TrueEngage platform is not designed for or directed at children. If the Customer intends to provide services to children or minors, it is their sole responsibility to ensure full compliance with all legal requirements.

16. Contact With Controller and DPS

16.1. Controller:

You can contact the Controller at: Live Engage Sp. z o.o., ul. Grochowska 306/308, 03-840 Warszawa, Poland or via e-mail address: legal@trueengage.com.

16.2. Data Protection Specialist (DPS):

The Controller has appointed a Data Protection Specialist (DPS), who is Piotr Huk. You can contact the DPS via email at: dataprotection@trueengage.com.

APPENDIX D: Data Processing Addendum (DPA)

1. Introduction

This Data Processing Addendum (“DPA”) supplements the TrueEngage Partner Agreement (the “Agreement”) and Terms of Service (“the Terms”) between Live Engage Sp. z o.o. (“Processor” or “Company”) and the Partner (“Controller” or “Client”; referred to each individually hereafter as a “Party”, and collectively as the “Parties”) and reflects the Parties’ agreement concerning the processing of Personal Data under applicable Data Protection Laws. This DPA sets out the framework under which the Processor shall carry out processing activities on behalf of the Controller.

The Parties have agreed to enter into a DPA as follows:

2. Definitions

2.1. Terms used in the DPA shall have the meanings set out below unless the context stipulates otherwise.

2.1.1. "Controller" − the entity that determines the purposes and means of the processing of Personal Data.

2.1.2. "Processor" − an entity that processes Personal Data on behalf of the Controller. The Processor does not decide on the means and purposes of the processing of Personal Data.

2.1.3. “Data Protection Laws” − all legislation in force in the relevant jurisdiction relating to the privacy or use or processing of data relating to natural persons, in particular (a) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation (“GDPR”)), (b) the UK General Data Protection Regulation (“UK GDPR”), as retained in UK law under the European Union (Withdrawal) Act 2018, (c) the California Consumer Privacy Act (“CCPA”), and (d) other applicable privacy regulations, in particular Polish data protection regulations, including the Personal Data Protection Act of 10 May 2018 (“PDPA”).

2.1.4. “Personal Data” − all Personal Data within the meaning of Article 4(1) of the GDPR processed by the Processor on behalf of the Controller.

2.1.5. "Processing" − an operation or set of operations which is performed on personal data or sets of personal data by automated or non-automated means, i.e. collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.1.6. "Supervisory Authority" − independent authority established in accordance with Article 51 GDPR, which in Poland is the President of the Office for Personal Data Protection, based in Warsaw.

2.1.7. "Third country" − a country that is not part of the European Economic Area (EEA).

2.1.8. "Personal Data breach" − any event leading to the loss, unauthorised or unlawful processing, destruction, damage, alteration or unauthorised disclosure or access of Personal Data, whether the breach was accidental or intentional.

2.1.9. "Data Protection Impact Assessment” − a process that describes planned processing, assesses its advisability and proportionality, and serves to identify and manage risks to the rights and freedoms of data subjects.

2.1.10. “Data subject request” − a data subject's request concerning his or her rights under the Data Protection Laws.

3. Scope of Processing

3.1. The Controller transfers to the Processor for processing, pursuant to Article 28 of the GDPR, the Personal Data it has collected and is processing in accordance with applicable laws and regulations, under the terms and for the purpose set forth in this DPA, to the extent necessary to perform its obligations under the Agreement.

3.2. The Company shall process the Personal Data only for the purposes of the performance of the DPA, the Agreement or on documented instructions from the Client, unless such obligation is imposed by Union law or the law of the Member State to which the Processor is subject, in which case the Processor shall inform the Controller of such obligation prior to the processing.

3.3. The Company shall notify the Client without delay if the Company considers that an order issued by the Client infringes Data Protection Laws.

3.4. Instructions include those contained in the Agreement, this DPA, or any authorized written instruction (including electronic communications).

3.5. Types of Personal Data and categories of Data Subjects processed are detailed in the Privacy Policy (Appendix C).

4. Confidentiality and Personnel

4.1. Access to Personal Data is strictly limited to those employees and contractors of the Company who require such access to fulfil their duties in connection with the performance of the DPA or the Agreement.

4.2. The Company shall ensure that all its employees, contractors, and collaborators authorized to process Personal Data are bound by appropriate confidentiality obligations, either through contractual agreements or statutory duties of confidentiality, applicable both during and after the termination of their engagement.

4.3. The Company undertakes to maintain the confidentiality of all information, data, documents, materials, and Personal Data received from the Client or obtained in connection with the performance of the Agreement, whether disclosed intentionally or unintentionally and regardless of the form (oral, written, or electronic) (“Confidential Data”).

4.4. Confidential Data shall not be used, disclosed, or made available by the Processor without the prior written consent of the Controller, except as required by applicable law, the DPA, or the Agreement.

4.5. The Parties agree to use their best efforts to ensure that all means of communication, transfer, and storage of Confidential Data provide adequate protection against unauthorized access, particularly with respect to Personal Data entrusted for processing.

5. Security

5.1. The Parties undertake to perform the Agreement with the utmost professional diligence in order to safeguard the legal, organizational and technical interests of the Parties in the processing of the Personal Data.

5.2. Taking into account the nature of the processing and the information available to it, the Company shall assist the Client in complying with its obligations under Articles 32 to 36 of the GDPR.

5.3. The Company shall implement appropriate technical and organizational measures (TOMs) as required under Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, to ensure the security of the processed Personal Data in the manner specified in the Data Protection Laws.

5.4. A full list of security controls is provided in Appendix E: Technical and Organizational Measures.

6. Sub-Processors

6.1. The Client agrees to the further transfer of the processing of Personal Data on behalf of the Company, i.e. to further processing entities (“Sub-processors”), listed at: [Insert Link].

6.2. The Company shall notify the Client of any changes to the list of Sub-Processors at least 14 days prior to the planned change. The Client may object to the planned change (i.e., addition or modification of a given Sub-Processor) within 7 days of becoming aware of the planned use of a given Sub-Processor. Failure to object shall signify the Client’s consent to the further processing of Personal Data by a given Sub-Processor.

6.3. The Sub-Processor shall provide its services on the basis of a separate (further) personal data processing agreement concluded between the Company and the Sub-Processor, such agreement to comply at least with the terms and conditions under which the Company processes Personal Data on behalf of the Client under this DPA.

6.4. The Company remains fully liable for its Sub-processors’ performance.

7. International Data Transfers

7.1. By default, all Personal Data is hosted and processed within Microsoft Azure's EU-based data centers, ensuring compliance with the GDPR.

7.2. Any transfer of Personal Data to countries outside the European Economic Area (EEA) will occur only when strictly necessary, upon request and with appropriate safeguards.

7.3. In such cases, the transfer shall be conducted in accordance with Chapter V of the GDPR, ensuring that appropriate safeguards are in place. These safeguards may include the use of Standard Contractual Clauses (SCCs) adopted by the European Commission, or other lawful mechanisms recognized under applicable data protection laws. Where applicable, additional technical, organizational, or contractual measures will be implemented to ensure an adequate level of data protection.

7.4. The Parties shall cooperate to demonstrate compliance and respond to any Data Subject or Supervisory Authority inquiries related to international data transfers.

8. Data Subject Rights

8.1. The Company shall, as far as possible and taking into account the nature of the processing operation, assist the Client, by means of appropriate technical and organizational measures, in fulfilling its obligation to respond to Data subjects’ requests in the exercise of their rights set forth in Chapter III of the GDPR.

8.2. Assistance will be provided via secure communication and within a reasonable timeframe.

9. Personal Data Breach

9.1. The Company shall notify the Client in written form, without undue delay and no later than within 48 hours, of any accidental or unauthorized access to the Personal Data processed on behalf of the Client or of any other event that may constitute a Personal Data breach.

9.2. In the cases referred to above, the Company shall notify the Client of the Personal Data breach and provide the following information in the Company’s possession:

9.2.1. the date, duration and location of the Personal Data breach;

9.2.2. the nature and scale of the Personal Data breach, in particular, the category and approximate number of persons affected by the breach, and if possible, an indication of the specific persons whose Personal Data was breached;

9.2.3. the information system or application in which the Personal Data breach occurred;

9.2.4. measures taken to date to minimize the effects of the Personal Data breach;

9.2.5. contact details of a person who can provide more information about the Personal Data breach.

9.3. If the Company is unable to provide all of the information mentioned above at the same time, it shall provide the remaining information to the Client immediately thereafter.

9.4. Until instructed by the Client, the Company shall immediately carry out all reasonable measures to mitigate and remedy the consequences of the Personal Data breach.

10. DPIAs and Prior Consultation

10.1. The Company shall assist the Client with any required DPIAs or consultations with Supervisory Authorities, in each case relating to the use of the Service and to the extent reasonably required by Data Protection Laws.

11. Return or Deletion of Data

11.1. Upon termination of the DPA, the Company shall be obligated, as adequately requested by the Client:

11.1.1. immediately cease processing the Personal Data;

11.1.2. depending on the Client’s request, securely return to the Client any Personal Data processed by the Company, whether in writing, electronically or otherwise, or irretrievably delete any controlled or held Personal Data covered by this DPA.

11.2. The above provisions do not apply if the Company is obliged to store Personal Data for a longer period of time under separate regulations.

12. Audits

12.1. The Client shall be entitled to carry out an audit, either directly or through an authorized auditor, to verify the Company’s compliance with this DPA, the Agreement and Data Protection Laws.

12.2. Any such audit shall: (i) be conducted during the Company’s regular business hours, (ii) require reasonable prior written notice of at least sixty (60) calendar days (unless a shorter notice period is mandated by applicable Data Protection Laws or a Supervisory Authority); (iii) be subject to appropriate confidentiality obligations requiring the Client (and its authorized auditors) to maintain the confidentiality of any information that, by its nature, is confidential; (iv) take place no more than once every twelve (12) months; and (v) be limited in scope to information relevant to the Client.

12.3. The audit shall not include access to information or documents relating to other clients of the Company, nor shall it result in the Client accessing any personal data other than the Personal Data processed on its behalf, or any confidential information belonging to the Company or third parties.

12.4. Each Party shall bear its own costs associated with the audit.

13. Governing Law and Jurisdiction

13.1. This DPA shall be governed by the laws specified in the Agreement, which in this case shall be the laws of Poland.

13.2. Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions set forth in the Agreement.

13.3. This DPA shall be effective from the date of execution of the Agreement and shall remain in force for the duration of the Agreement. For the avoidance of doubt, termination of the Agreement shall result in the termination of this DPA.

14. Contact Details of the Processor

Live Engage Sp. z o.o.

Ul. Grochowska 306/308

03-840 Warszawa, Poland

Data Protection Specialist: Piotr Huk

Email: dataprotection@trueengage.com

APPENDIX E: Technical and Organizational Measures (TOMs)

Last updated: 1st of May 2025

These Technical and Organizational Measures ("TOMs") describe the security controls implemented by Live Engage Sp. z o.o. (“Company”) to ensure the confidentiality, integrity, availability, and resilience of the TrueEngage platform and the Personal Data processed on behalf of Clients.

The Company is certified under ISO/IEC 27001:2013, and all TOMs are designed in alignment with this standard and applicable legal frameworks such as the GDPR, UK GDPR, and CCPA.


1. Scope of Personal Data Protection

1.1. TOMs apply to all Personal Data processed through TrueEngage, including:

  • User Behavior Data: page views, clicks, interaction sequences,
  • Technical Data: IP addresses, browser/device info,
  • Contact Details: phone numbers, email addresses submitted through widgets.

1.2. Processing of Personal Data by the Company will include all processing necessary for the performance of the DPA and the Agreement, including:

  • collecting,
  • recording,
  • organising,
  • structuring,
  • storing,
  • adapting or modifying,
  • downloading,
  • viewing,
  • using,
  • disclosing by transmission,
  • dissemination or otherwise making available,
  • matching or combining,
  • restricting,
  • erasing or destroying.

2. Governance and Information Security Management

2.1. The Company operates a formal Information Security Management System (ISMS) under ISO 27001.

2.2. A Data Protection Specialist (DPS) and Information Security Manager oversee compliance and security programs.

2.3. All employees are trained annually in data protection and security awareness.

2.4. Access to Personal Data is role-based and follows the principle of least privilege.


3. Data Hosting and Infrastructure

3.1. TrueEngage is hosted in Microsoft Azure data centers certified under ISO 27001, SOC 1/2/3, and PCI DSS.

3.2. Default data residency is in the European Union (EU). Alternate regions (e.g., US) are available upon request, determined by the AWS region of the Customer’s Genesys Cloud organization.

3.3. Data at rest is encrypted using AES-256.

3.4. Data in transit is protected by TLS 1.2 or higher.


4. Access and Authentication Controls

4.1. Multi-factor authentication (MFA) is enforced for all administrative and privileged accounts.

4.2. Access controls are managed via Azure Active Directory (Entra ID).

4.3. Automatic session timeouts and account lockout mechanisms are in place.

4.4. Access reviews and audits are conducted quarterly.


5. Application and Network Security

5.1. Application code is developed under a secure SDLC with static and dynamic code analysis.

5.2. Changes undergo peer review, CI/CD pipeline scanning, and staged deployment.

5.3. Penetration testing is performed annually by third-party experts.

5.4. Network traffic is segmented, monitored, and protected by firewalls and IDS.


6. Data Minimization and Retention

6.1. The Company ensures that Personal Data is collected only to the extent necessary for the intended purposes and is not retained longer than required. Data retention periods are based on the purpose of processing, and once the data is no longer needed, it will be securely deleted or anonymized. We regularly review our practices to ensure compliance with applicable Data Protection Laws.

6.2. Personal Data retention is as follows:

Retention periods (data type, retention period, method):

  • Visitor behavior data: 1 month; auto-deletion.
  • Technical data: 1 month; auto-deletion.
  • Contact details: retained until the client contract ends or per instruction; manual or automated purge.

6.3. Client-specific retention policies can be configured upon request.


7. Logging and Monitoring

7.1. All administrative and user actions are logged with time stamps and audit trails.

7.2. Logs are retained for a minimum of 90 days.

7.3. Real-time alerts are triggered for unauthorized access or anomalous behavior.

7.4. Logs are reviewed regularly by the security team.


8. Business Continuity and Disaster Recovery

8.1. Full BC/DR plans are in place and tested annually.

8.2. Data is backed up daily and encrypted.

8.3. Recovery Point Objective (RPO): <24 hours.

8.4. Recovery Time Objective (RTO): <4 hours.


9. Physical Security

9.1. Access to office premises is controlled via key cards and biometric verification. The access rights are regularly reviewed to ensure only authorized personnel are granted entry.

9.2. Azure data centers implement comprehensive security measures, including 24/7 surveillance, access logs, and perimeter security.

9.3. Paper-based information is minimal and subject to a clean desk policy. Paper records are securely shredded when no longer needed.


10. Sub-Processors and Third-Party Risk

10.1. All Sub-processors are subject to risk-based due diligence and are bound by data processing agreements that comply with the GDPR. The principles of cooperation with Sub-processors are regulated in point 8 of the DPA.

10.2. A current list of approved Sub-processors is available at: [Insert Link].

10.3. The performance and security posture of each Sub-processor are reviewed at least annually.


11. Personal Data Breach (Incident Response Plan)

11.1. A formal Incident Response Plan (IRP) is in place, outlining defined escalation paths and communication procedures.

11.2. All Incidents are logged and subject to root cause analysis, with remediation actions tracked and documented.

11.3. The Company will notify affected Clients of any Personal Data breach involving their data without undue delay and in accordance with the provisions set out in point 8 of the DPA, and will provide timely status updates as appropriate.


12. Continuous Improvement

12.1. The Company maintains a process for ongoing evaluation and enhancement of its data protection practices. This includes regular reviews of policies, procedures, technical and organizational measures, as well as incorporating lessons learned from audits, incidents, and regulatory developments.

12.2. Security controls are reviewed at least annually.

12.3. The Company conducts regular internal audits and participates in external audits for ISO 27001 surveillance.

12.4. Policies and risk assessments are updated in response to:

  • Security incidents,
  • Regulatory changes,
  • Client requirements.

13. Client Responsibilities

13.1. Clients must:

  • Use TrueEngage in accordance with the Agreement, DPA and applicable Data Protection Laws.
  • Ensure user-facing privacy notices and consent mechanisms are implemented.
  • Promptly notify the Company of any suspected misuse of access credentials.

14. Contact and Documentation

14.1. For security-related inquiries, please contact:

Data Protection Specialist

Live Engage Sp. z o.o.

Email: dataprotection@trueengage.com

Full documentation (ISO policies, audit logs, processor agreements, penetration test summaries) can be provided under NDA upon request.