Data Processing Agreement

Last updated: March 5, 2026

GDPR Article 28 compliant. This DPA is incorporated into the Terms of Service and governs the processing of personal data by Truncus on behalf of customers.

Need a countersigned DPA?

Enterprise customers requiring a wet-signature or countersigned DPA for procurement purposes can request one at no charge.

Contact legal@truncus.co

1. Parties

Data Controller

The Customer — the company or individual subscribing to Truncus and determining the purposes and means of email processing.

Data Processor

Van Moose BV, registered in Amsterdam, Netherlands (KvK: 97411698), operating Truncus.

2. Subject Matter

Van Moose BV processes personal data on behalf of the Controller for the sole purpose of transactional email delivery via the Truncus platform. Processing occurs only on documented Controller instructions (email send requests via the Truncus API).

3. Duration

This DPA is in effect for the duration of the Controller's Truncus subscription. All personal data is deleted or returned within 30 days of account termination, except where retention is required by law.

4. Nature and Purpose of Processing

Processing activities include:

  • Receiving email send requests via the Truncus API
  • Routing email content to delivery infrastructure (AWS SES)
  • Attempting delivery to recipient mail servers
  • Recording delivery status, bounce codes, and engagement events
  • Returning delivery receipts and event webhooks to the Controller
  • Maintaining suppression lists to honor bounces and complaints

5. Types of Personal Data

  • Email addresses — required for delivery
  • Recipient names — optional, if included in the API request
  • Email content — processed in transit; not stored beyond 7 days for delivery retry
  • Delivery metadata — bounce codes, delivery timestamps, complaint flags; retained 90 days
  • Engagement data — open and click events (if tracking enabled); retained 90 days

6. Categories of Data Subjects

End users of the Controller's application or service who receive transactional emails triggered by their interactions with the Controller's platform.

7. Controller Obligations

The Controller represents and warrants that:

  • It has a valid legal basis under GDPR to process each recipient's personal data
  • It has a valid legal basis to share recipient data with Truncus as a processor
  • It is solely responsible for the content of emails sent via the Service
  • It maintains records of processing activities as required by GDPR Article 30
  • It complies with all applicable data protection laws in its jurisdiction

8. Processor Obligations (Truncus)

Van Moose BV commits to:

  • Process personal data only on documented Controller instructions
  • Ensure all personnel with access to personal data are bound by confidentiality
  • Implement appropriate technical and organizational security measures (see Section 11)
  • Not engage sub-processors without prior Controller consent (sub-processors listed in Section 9)
  • Assist the Controller in responding to data subject rights requests within 72 hours
  • Notify the Controller of a personal data breach within 72 hours of becoming aware
  • Delete or return all personal data upon termination within 30 days
  • Provide reasonable cooperation for audits (with minimum 30 days written notice)

9. Sub-processors

The Controller consents to the use of the following sub-processors. Van Moose BV will notify the Controller of any intended changes to this list, providing an opportunity to object.

Sub-processor | Purpose | Location
Amazon Web Services (SES) | Email delivery infrastructure | EU (eu-west-1, Ireland)
Clerk | Authentication services | United States (SCCs apply)
Stripe | Payment processing | United States (SCCs apply)
Vercel | Application hosting | United States / EU edge (SCCs apply)
Neon / Supabase | Database hosting | EU region

10. International Transfers

Where personal data is transferred outside the European Economic Area (EEA) — specifically via Clerk, Stripe, and Vercel — such transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission. Email delivery via AWS SES is processed within the EU (eu-west-1, Ireland) and does not constitute an international transfer.

11. Security Measures

Technical and organizational measures include:

  • TLS encryption for all data in transit
  • Encryption at rest for stored data
  • API keys hashed using SHA-256; never stored in plain text
  • Access controls on a need-to-know basis
  • Audit logging of administrative actions
  • Regular security reviews

12. Data Subject Rights

The Controller is responsible for handling data subject rights requests (access, rectification, erasure, restriction, portability, objection). Truncus will assist the Controller with such requests within 72 hours of written notice at legal@truncus.co.

13. Breach Notification

In the event of a personal data breach affecting Controller data, Van Moose BV will notify the Controller within 72 hours of becoming aware, providing sufficient detail to fulfill the Controller's own notification obligations under GDPR Article 33.

14. Governing Law

This DPA is governed by the laws of the Netherlands and the General Data Protection Regulation (GDPR). Disputes shall be submitted to the courts of Amsterdam, Netherlands.
