TrustMint TrustMint

Data Processing Agreement

Last updated: March 1, 2026

Download DPA

Download a signed copy for your records.

Download PDF

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller: The business user ("you") who has signed up for a TrustMint account.
  • Data Processor: TrustMint ("we", "us"), acting on your behalf to process end-customer personal data.

2. Scope and Purpose

This DPA applies to all personal data processed by TrustMint on behalf of the Controller in connection with the TrustMint service. The purpose of processing is to send review request emails, host review landing pages, and provide review analytics.

3. Types of Personal Data

  • Customer names
  • Customer email addresses
  • Customer phone numbers (optional)
  • Review feedback content
  • Email interaction data (opens, clicks)
  • Consent timestamps

4. Obligations of the Processor

TrustMint shall:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that persons authorized to process personal data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (Art. 32 GDPR).
  • Not engage sub-processors without prior written consent of the Controller.
  • Assist the Controller in responding to data subject requests.
  • Delete or return all personal data upon termination of the service.
  • Make available all information necessary to demonstrate compliance.

5. Sub-Processors

We use the following sub-processors:

Provider Purpose Location
Heroku (Salesforce) Application hosting EU (Ireland)
Brevo (Sendinblue) Email delivery EU (France)
Stripe Payment processing EU-US DPF certified

6. Data Transfers

All primary data processing occurs within the EU. Where data is transferred to a third country (e.g., Stripe's US infrastructure), appropriate safeguards are in place, including the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs).

7. Security Measures

  • Encryption in transit (TLS 1.2+) and at rest.
  • Access controls and role-based permissions.
  • Regular security updates and patching.
  • Automated backups with encryption.
  • Incident response procedures.

8. Data Breach Notification

In the event of a personal data breach, TrustMint will notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach, in accordance with Art. 33 GDPR.

9. Duration and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, all personal data will be deleted within 30 days, unless retention is required by applicable law.

10. Contact

For DPA-related inquiries, contact us at support@trustmint.co.