Data Processing Agreement
Our commitment to processing your data securely and in compliance with applicable regulations.
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between TuringTrust, Inc. ("Processor," "we," or "us") and the customer ("Controller," "you") for the provision of AI governance services (the "Service"). This DPA applies where and only to the extent that TuringTrust processes Personal Data on behalf of the Controller in the course of providing the Service.
This DPA is designed to ensure compliance with the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and other applicable data protection legislation.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable data protection law.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by TuringTrust to process Personal Data on behalf of the Controller.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Scope and Purpose of Processing
3.1 Subject Matter
TuringTrust processes Personal Data solely to provide the AI governance Service as described in the applicable service agreement.
3.2 Nature and Purpose
The nature of processing includes:
- Policy enforcement and guardrail evaluation for AI/LLM requests.
- Logging and audit trail generation for governance compliance.
- Token usage tracking and cost allocation for FinOps reporting.
- User authentication and access control management.
3.3 Categories of Data Subjects
Data subjects may include the Controller's employees, contractors, and end users who interact with AI systems governed by TuringTrust.
3.4 Types of Personal Data
Personal Data processed may include: names, email addresses, user identifiers, IP addresses, access logs, and organizational metadata. TuringTrust does not process the content of LLM prompts or responses unless explicitly configured by the Controller for content-based policy enforcement.
4. Obligations of the Processor
TuringTrust shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law.
- Ensure that persons authorized to process Personal Data are bound by obligations of confidentiality.
- Implement appropriate technical and organizational security measures as described in Section 6.
- Engage Sub-processors only with prior written consent of the Controller and subject to equivalent data protection obligations.
- Assist the Controller in responding to Data Subject rights requests.
- Notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Security Incident.
- Delete or return all Personal Data upon termination of the Service, at the Controller's election.
- Make available all information necessary to demonstrate compliance and allow for audits.
5. Obligations of the Controller
The Controller shall:
- Ensure it has a lawful basis for processing Personal Data and for instructing TuringTrust to process it.
- Provide clear, documented processing instructions to TuringTrust.
- Comply with all applicable data protection laws regarding its use of the Service.
- Inform TuringTrust of any changes in processing requirements in a timely manner.
6. Security Measures
TuringTrust implements and maintains the following security measures:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest.
- Access Controls: Role-based access control (RBAC), multi-factor authentication, and least-privilege principles.
- Infrastructure: SOC 2 Type II compliant hosting environment with regular penetration testing.
- Monitoring: Continuous security monitoring, intrusion detection, and alerting.
- Incident Response: Documented incident response procedures with defined escalation paths.
- Business Continuity: Regular backups, disaster recovery procedures, and geographic redundancy.
7. Sub-processors
A current list of Sub-processors is maintained and available upon request. TuringTrust will notify the Controller at least 30 days before engaging a new Sub-processor. If the Controller objects to a new Sub-processor, the parties will work in good faith to resolve the concern. Sub-processors are bound by data protection obligations no less protective than those set out in this DPA.
8. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), the United Kingdom, or another jurisdiction with transfer restrictions, TuringTrust ensures that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission.
- UK International Data Transfer Agreement or Addendum, as applicable.
- Transfer Impact Assessments where required.
9. Data Subject Rights
TuringTrust will assist the Controller in fulfilling Data Subject requests (access, rectification, erasure, restriction, portability, objection) by providing appropriate technical and organizational measures, to the extent possible and as required by applicable law.
10. Audit Rights
The Controller may audit TuringTrust's compliance with this DPA once per year with 30 days' written notice. TuringTrust will cooperate with the audit and provide necessary access and information. As an alternative, TuringTrust may provide current SOC 2 Type II reports or equivalent third-party audit reports.
11. Term and Termination
This DPA remains in effect for the duration of the Service agreement. Upon termination, TuringTrust will, at the Controller's election, delete or return all Personal Data within 30 days and certify such deletion in writing, unless retention is required by applicable law.
12. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the underlying service agreement between the parties.
13. Contact
For questions about this DPA or to request a signed copy, please contact:
- Email: contact@turingtrust.ai
- Website: Contact page