Data Processing Addendum
Article 28 GDPR + UK Data Protection Act 2018 disclosures for customers using Trust Agent to process personal data. Last updated 4 May 2026.
Controller of customer data: The customer
Processor of customer data: Trust Agent Ltd
Hosting region: United Kingdom
Trust Agent acts as a Data Processor under Article 28 GDPR and the UK Data Protection Act 2018 with respect to personal data customers entrust to the platform. Customers remain the Data Controllers of that data and decide the purposes and means of processing within the bounds of their Trust Agent subscription.
Subject matter, duration, nature, and purpose
Trust Agent processes personal data for the duration of the customer's active subscription, and for a maximum of 30 days after termination, solely to:
- Operate the marketplace (browse, hire, install, run, audit roles and skills).
- Run the audit pipeline (security, safety, compliance, behaviour) on customer-submitted listings.
- Generate trust scores and the public audit reports the customer chooses to publish.
- Provide the dashboard, billing, support, and administrative functions the customer relies on.
- Comply with legal obligations imposed on Trust Agent (record-keeping, tax, anti-fraud).
No personal data is sold to third parties. No personal data is used to train downstream models without explicit, opt-in customer consent.
Categories of personal data processed
| Category | Detail |
|---|---|
| Account identity | Email address, display name, hashed password, plan tier, billing customer ID. Created when the customer signs up. |
| Payment metadata | Stripe / Revolut customer ID, subscription ID, invoice references. The card / bank details themselves are stored by Stripe and Revolut; Trust Agent never receives the PAN. |
| Role and skill artefacts | Customer-supplied prompts, capability manifests, system-prompt fragments, skill packs. Stored to render the marketplace, run audits, and serve via MCP. |
| Usage telemetry | Hire activity, session counts, audit-pipeline outputs, security-scan findings. Used to compute trust scores and surface dashboards. |
| Communications | Transactional email content (verification, receipts, audit certificates, support replies). Marketing email is opt-in and unsubscribable per category. |
Categories of data subjects
- Customer's authorised users (employees, contractors, staff) — when the customer is a business or organisation.
- End users of the customer's product — only when the customer chooses to embed Trust Agent role agents in their downstream service.
- Creators (when a customer is also publishing roles or skills to the marketplace).
Authorised sub-processors
Trust Agent may engage the following third parties as sub-processors. Each is bound by data-protection terms equivalent to those in this DPA. Customers are notified of material additions or replacements at least 30 days before the change takes effect, with a right to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Payments UK Ltd | Card / SEPA payment processing for subscriptions, role hires, skill purchases. | United Kingdom · United States (SCCs in place) |
| Revolut Ltd | Alternative payment provider (open-banking, Revolut Pay) and payouts. | United Kingdom |
| Resend (Resend Labs Inc.) | Transactional email delivery (verification, receipts, magic links, audit notifications). | United States (SCCs in place) |
| Cloudflare, Inc. | DNS, edge caching, DDoS protection for trust-agent.ai. | Global edge · United Kingdom POP |
| GoDaddy Operating Company, LLC | Authoritative DNS for trust-agent.ai. | United States (SCCs in place) |
| Self-hosted infrastructure | Application servers, PostgreSQL database, file storage. Trust Agent owns and operates the underlying hardware in the United Kingdom. | United Kingdom |
Technical and organisational measures (TOMs)
Trust Agent implements appropriate measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. The current measures include:
- Encryption in transit (TLS 1.3) on every endpoint, including api.trust-agent.ai and the customer-facing dashboard.
- Encryption at rest (AES-256) for the production database and file storage.
- Role-based access control across the application; least-privilege principle for staff access; audit trail on every privileged action.
- Secrets stored outside the source tree; no production credentials in version control.
- Time-limited bearer tokens for the API; revocable per customer.
- Production deployments require code review and must pass an automated test and lint gate before merge.
- Incident response runbook with documented escalation procedures and customer-notification timelines.
- Annual review of the sub-processor list; customers notified of material additions or replacements at least 30 days before the change takes effect.
International transfers
Customer personal data is hosted on Trust Agent's self-managed infrastructure in the United Kingdom. Where a sub-processor operates outside the UK / European Economic Area (e.g. Stripe US, Resend US, GoDaddy US), Trust Agent relies on the UK's data adequacy regulations and on the European Commission's Standard Contractual Clauses (2021/914) where applicable, supplemented by additional safeguards reflecting the data flow.
Assistance with data-subject rights
Trust Agent assists controllers in fulfilling data-subject rights under GDPR Articles 12–22. The default flows below apply unless the customer's contract specifies otherwise.
| Right | How Trust Agent supports it |
|---|---|
| Access | Customer admins can self-serve a JSON export of their organisation's data via the admin console. For any data not surfaced there, Trust Agent assists in writing within 30 days of a documented request. |
| Rectification | In-product editing for account, role, and skill data. Out-of-band fields corrected by Trust Agent on written request within 30 days. |
| Erasure | Account deletion deletes all customer-owned PII and listing artefacts within 30 days of the deletion request. Aggregated, irreversibly anonymised audit-score statistics may be retained for marketplace integrity. |
| Portability | JSON export covers the structured account, role, skill, and audit data. CSV exports are available from the admin dashboard for the subset that fits a tabular shape. |
| Restriction & objection | Honoured under GDPR Articles 18 and 21. Marketing email opt-out is one click; transactional email can be paused on written request. |
Personal-data breach notification
Trust Agent will notify affected customers without undue delay, and in any case within 72 hours, of becoming aware of a personal-data breach affecting their data. The notification will include the nature of the breach, categories and approximate volumes of data affected, likely consequences, and measures taken or proposed to mitigate the breach.
Audit rights
Customers have the right to audit Trust Agent's compliance with this DPA, on reasonable written notice and at the customer's expense. Audits will not unreasonably interfere with Trust Agent's normal operations and may, at Trust Agent's option, be conducted by the provision of independent attestation reports (e.g. SOC 2 once obtained) and a written response to a documented questionnaire.
Return and deletion of data on termination
On termination of the customer's subscription, customers may export their structured data via the admin console (JSON / CSV) for up to 30 days. After 30 days Trust Agent will delete or irreversibly anonymise the customer's personal data, subject to any retention required by law (e.g. statutory financial records).
Related pages
For general legal queries, see our Privacy Policy, Terms of Service, and Security overview.
This page is a description of Trust Agent's data-processing position and is not itself a contract.