Trusaic GDPR
Compliance

International data transfers

Trusaic has implemented the following two mechanisms for international data transfers.

Mechanism 1

The EU-U.S. Data Privacy Framework (DPF)

The DPF establishes a binding adequacy decision. EU supervisory authorities must accept the adequacy decision as creating a valid mechanism for EU-U.S. data transfers in compliance with the transfer provisions of the GDPR. Trusaic maintains a certification under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), (including the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework). For companies certified to the DPF, a transfer impact assessment (TIA) is not required. A TIA is a formal risk assessment to assess all applicable privacy risks and mitigating safeguards relating to those risks. Our customers can find the link to the DPF certification list here. We will maintain the certification throughout the term of any client agreement.

Mechanism 2

Standard Contractual Clauses

• Trusaic routinely implements standard contractual clauses through its data processing addendum available here.
• Trusaic utilizes the European Commission’s Standard Contractual Clauses (Commission Implementing Decision 2021/914 of 4 June 2021) (SCCs). The SCCs are a widely used safeguarding tool for international transfers. The 2021 SCCs are in a template format approved by the European Commission so there is very little need to make changes. Under the 2021 SCCs, the responsibility for conducting TIAs primarily sits with the data exporter. Trusaic provides resources to assist customers in performing TIAs in connection with their use of Trusaic’s software-as-a-service application.

Trusaic’s data protection strategy framework

Encryption

Trusaic encrypts all data across our systems in transit and at rest using secure, up-to-date protocols and key lengths.

• Encryption in motion: TLS 1.2+
• Encryption at rest: AES-256+ disk encryption
• Encryption keys are properly secured using Microsoft-managed keys

Trusaic protects data in our data centers

Your data is protected, both from physical and environmental threats.

• Trusaic’s workplace equity platform is hosted on Microsoft Azure: Cloud Computing Services
• Customer data is physically protected by Trusaic’s cloud hosting provider which is SOC 2 and ISO27001 certified
• We have localized servers in the U.S. and Europe
• Environmental protections against fire, moisture, and loss of power or connectivity

Access control

Trusaic requires unique user accounts and multi-factor authentication for all our software solutions.

• Role-based access
• Access by the Trusaic team to the databases is on a need-to-know basis, following the principle of least privilege
• Access is removed promptly when no longer required
• Access rights reviews, approvals and tracking

Comprehensive logging

Trusaic has a comprehensive logging infrastructure in place across our software solutions and systems to assist clients in monitoring user activity.

• Trusaic logs all users and network activity and responds to alerts of any abnormal activity
• Firewalls and host-based intrusion detection are in place
• Logs are reviewed weekly and on alert
• Security logs are retained indefinitely and all other logs for 90 days

We stand by our data security

Trusaic undergoes independent security auditing, vulnerability scanning, and penetration testing. Trusaic’s software solutions undergo continuous vulnerability scanning and annual external application penetration testing. As part of the software development life cycle, the software solutions undergo industry standard quality assurance and regression testing.

In addition to Trusaic’s information security program and application scanning and testing, Trusaic benefits from Microsoft’s Azure cloud platform, a world class physical and environmental security. For more information on Azure’s security certifications see here.

Industry-standard security evaluation

• Annual SOC 2 Type II audit conducted by BDO, LLP, an independent auditor of all five trust services principles including; security, privacy, confidentiality, availability and processing integrity
• A copy of the report is available to clients upon request
• Trusaic is in the process of obtaining ISO 27001 certification, which is an internationally recognized standard for information security management systems

Vulnerability scanning and penetration

• Continuous vulnerability scanning is integrated into our CI pipeline and annual external application penetration testing is conducted

Data security FAQ

What other efforts does Trusaic take to protect client data? Expand

Trusaic’s software solutions undergo continuous vulnerability scanning and annual external application penetration testing. As part of the software development life cycle, the software solutions undergo industry standard quality assurance and regression testing.

In addition to Trusaic’s information security program and application scanning and testing, Trusaic benefits from Microsoft’s Azure cloud platform’s world-class physical and environmental security. For more information on Azure’s security certifications see here.

Does Trusaic have service level commitment? Expand

Yes. Trusaic will use commercially reasonable efforts to maintain availability of the software 24 hours a day, 7 days per week with no less than 99% uptime outside of scheduled maintenance. Planned maintenance that may affect the availability of Trusaic’s software solutions are generally at non-peak times with advanced notice.

Can Trusaic act as your data processor? Expand

Yes. We leverage the principles of privacy by design and by default. The Trusaic platform enables customers to honor data subjects’ rights such as the right to access, correct, and delete data. We are also positioned to meet any local data retention and minimization requirements.

Trusaic is fully compliant with the new Standard Contract Clauses published by the European Commission and has created a standard Data Protection Agreement (DPA) contract addendum that can be incorporated into client agreements involving international data transfers. Trusaic is also in the process of rolling out EU data localization so that EU clients can choose to localize their data storage on EU data servers.

Does Trusaic support consent-based data processing? Expand

Yes. Trusaic will only process your data for the services identified in your agreement and pursuant to the data processing terms and conditions of that agreement, which includes data subject rights such as the right to access, correct, and delete data. We do not share your data with advertiser-supported services.

Does Trusaic use data sub-processors? Expand

There are limited situations where Trusaic will use data sub-processors. When we utilize subcontractors or sub-processors to perform tasks that require access to your data, they will only have access to the data necessary to perform the specific sub-function contracted for and they will always be bound by the same contractual privacy commitments as Trusaic.

A list of sub-processors and their contracted sub-functions is available upon request and will always be fully identified in any DPA or other privacy addendum to the agreement.

How does Trusaic respond to data requests? Expand

We will always notify you prior to responding to any government, court, or law enforcement agency request. We will not disclose data except as directed by you or required by law.

If we receive a consumer data request related to data provided by you, we will always notify and work with you to ensure compliance with any local laws and regulations related to consumer data requests.

Interested in learning about Trusaic software and services?

Contact us

Trusaic is Trusted and Partnered with HCM Global Leaders