Effective: March 2026

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Truefol LLC (“Processor”) and the organization executing this agreement (“Controller”) for the use of the Compass platform.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable individual processed through the Compass platform.
  • “Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • “Subprocessor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Data Breach” means any unauthorized access, acquisition, use, or disclosure of Personal Data.

2. Scope of Processing

The Processor shall process Personal Data solely for the purpose of providing the Compass platform services as described in the Terms of Service. This includes:

  • Account management (email addresses, names, organizational affiliations).
  • Assessment delivery and scoring (responses, competency evaluations, maturity scores).
  • Report generation (individual reports, peer benchmarks, recommendations).
  • Aggregated, anonymized benchmarking across the platform user base.

3. Processor Obligations

3.1 Data Security

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data in transit (TLS 1.2 or higher).
  • Encryption of data at rest for all stored records.
  • Role-based access controls for all personnel.
  • Regular security reviews and infrastructure monitoring.

3.2 Data Breach Notification

In the event of a Data Breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:

  • The nature and scope of the breach.
  • The categories and approximate number of individuals affected.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach and mitigate its effects.

3.3 Data Export

Upon written request, the Processor shall provide the Controller with an export of all Personal Data in a standard machine-readable format. This right may be exercised at any time during the term of the agreement and for a reasonable period following termination.

3.4 Data Deletion

Upon termination of the agreement and completion of any requested data export, the Processor shall delete all Personal Data within a reasonable timeframe, except where retention is required by applicable law. The Processor shall provide written confirmation of deletion upon request.

3.5 Confidentiality

The Processor shall ensure that all personnel authorized to process Personal Data are bound by obligations of confidentiality.

4. Subprocessors

The Processor engages the following subprocessors to deliver the Compass platform:

  Subprocessor   Purpose             Data Processed
  Resend         Email delivery      Email addresses
  Cloudflare     Turnstile CAPTCHA   IP addresses, browser metadata

The Processor shall notify the Controller of any intended changes to subprocessors, providing the Controller with the opportunity to object within 30 days.

5. International Transfers

All Personal Data is stored on Truefol-owned infrastructure located in San Diego, California, United States. The Processor does not transfer Personal Data to any third-party cloud providers or to jurisdictions outside the United States.

6. Audit Rights

The Controller may request an audit of the Processor’s data processing practices up to once per year. Audit requests must be submitted in writing with at least 30 days’ notice. The Processor shall cooperate with reasonable audit requests and provide access to relevant documentation, facilities, and personnel. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor’s operations.

7. Term and Termination

This DPA shall remain in effect for the duration of the Terms of Service between the parties. Upon termination of the Terms of Service, this DPA shall automatically terminate, subject to the Processor’s ongoing obligations regarding data export and deletion as described in Sections 3.3 and 3.4.

8. Amendments

This DPA may be amended only by written agreement between both parties. Either party may propose amendments by contacting security@truefol.com. Proposed amendments shall take effect upon written acceptance by both parties.

9. Signature

By signing below, both parties agree to the terms of this Data Processing Agreement.

Truefol LLC (Processor)

Controller