TRINSIC TECHNICAL AND ORGANIZATIONAL MEASURES
Trinsic maintains an information security program designed to implement and maintain technical and organizational measures appropriate for the sensitivity, type, and scope of Personal Data processed in connection with the Services it offers to its Customers and comply with relevant Data Protection Laws and Regulations. Visit our security page to learn more at https://security.trinsic.id/
Security Policies: Trinsic establishes and maintains documented security policies and procedures aligned with recognized industry benchmarks outlining controls to safeguard Personal Data. These policies address areas including incident response, data handling, access control, and acceptable use, and are reviewed and updated regularly.
Personnel Screening: Subject to applicable laws and regulations, Trinsic will perform background checks on employees and contractors prior to granting access to systems that process personal data.
Confidentiality Agreements: Employees and contractors of Trinsic must sign confidentiality agreements as part of their employment or engagement conditions, agreeing to follow protocols safeguarding customer information, confidential data, and overall information security.
Security and Privacy Training: Trinsic will conduct obligatory annual training for its employees and contractors covering ethics, privacy, and security awareness, with training content reviewed and refreshed each year.
Code of Conduct: Trinsic maintains a code of conduct coupled with disciplinary actions that are enforced in response to breaches of security or privacy policies by employees or contractors.
Access Control: Trinsic implements technical and organizational measures to control and limit access to systems processing Personal Data based on the principle of least privilege. This includes unique user identification, appropriate authentication methods (including multi-factor authentication where applicable), authorization controls, regular access reviews, and logging of access activities. Access is granted only as necessary to perform assigned duties related to the Services. We maintain asset inventory & data classification systems to inform access control decisions.
Information Security Leadership: Trinsic will appoint a qualified individual responsible for overseeing data security within the organization and managing regular reviews and updates to its security policy.
Encryption: Trinsic implements technical measures to encrypt Personal Data during transmission over public networks (using industry-standard protocols such as TLS 1.2 or higher) and when stored at rest (using industry-standard algorithms such as AES-256 or equivalent).
Vulnerability Management & System Integrity: Trinsic implements measures to maintain system integrity and address vulnerabilities. This includes regular vulnerability scanning, risk assessment of identified vulnerabilities, timely patch management according to internal policies, and periodic independent penetration testing. Systems are configured using security hardening best practices. When Trinsic’s retention period ends, it securely and permanently deletes personal data.
Network Security: Trinsic employs industry-standard technical measures to protect its network infrastructure, including the use of firewalls and network segmentation to control traffic flow and isolate sensitive environments.
Logging and Monitoring: Trinsic implements technical systems for security logging across relevant infrastructure and applications. Logs are monitored to detect, analyze, and respond to security events and potential threats.
Incident Management: Trinsic maintains a documented incident response plan outlining procedures for detecting, managing, responding to, and reporting Security Incidents in accordance with Data Protection Laws and Regulations.
Business Continuity and Disaster Recovery (BCDR): Trinsic maintains BCDR strategies designed to ensure the availability and integrity of the Services and associated Personal Data. These plans include risk assessments, defined recovery objectives, and are tested periodically.
Secure Development: Trinsic integrates security considerations into its software development lifecycle, including practices such as secure coding guidelines and security testing before deployment.
Vendor Management: Trinsic performs due diligence on Sub-Processors and critical vendors handling Personal Data to assess their security practices and ensure appropriate contractual safeguards are in place.
Change Management: Trinsic utilizes a formal change management process for changes to the production environment, including testing, review, and approval procedures, to minimize security risks and operational disruptions.
Trinsic’s Chief Technology Officer (or their successors, as outlined in Trinsic’s Business Continuity Plan) is responsible for maintaining the company’s security posture. The CTO may be contacted directly at [email protected].
Trinsic reserves the right to update or modify these measures from time to time, provided that such updates do not materially decrease the overall security of the Services provided to the Customer.
ANNEX C — CURRENT LIST OF SUB-PROCESSORS
To support delivery of our Services, Trinsic (or one of its Affiliates listed below) may engage and use Sub-Processors. Prior to engaging any Sub-Processors, Trinsic performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations in accordance with this DPA.
Platform Sub-Processors
| Name | Services Provided | Country | Safeguards (if necessary) |
| Microsoft | Cloud computing and security | United States | EU-US DPF Participation |
| Datadog | Logs and metrics | United States | EU-US DPF Participation |
| Posthog | Product analytics | United States | EU-US DPF Participation |
| Cloudflare | Network security | United States | EU-US DPF Participation |
| Everapi GmbH | IP address intelligence (optional) | Germany | N/A |
ID Provider Sub-Processors
Trinsic provides access to a variety of ID Providers through the Services, some of which may act as Sub-Processors. Customer may obtain a real-time report of currently-enabled Sub-Processor ID Providers by emailing [email protected].
Affiliate Sub-Processors
Trinsic may also engage its Affiliate(s) listed below as a Sub-Processor to deliver some or all of the Services, as necessary.
| Name | Registered Address | Country |
| Trinsic Europe Ltd. | Fourth Floor St James House, St James’ Square, Cheltenham, England, GL50 3PR | United Kingdom |
| Trinsic Technologies EU B.V. | Vlierweg 12 1032 LG Amsterdam | Netherlands |
ANNEX D — LGPD STANDARD CONTRACTUAL CLAUSES
SECTION I – GENERAL INFORMATION
CLAUSE 1. Identification of the Parties
1.1. By this agreement, the Data Exporter and the Data Importer (hereinafter, jointly “Parties” and individually “Party”), identified below, agree to these Standard Contractual Clauses (hereinafter, “Clauses”) approved by the National Data Protection Authority (ANPD) to govern the international transfer of personal data described in Clause 2, in accordance with the provisions of the National Legislation (as defined in Clause 6.1).
Data Exporter:
| Name | The name of the Customer identified in the relevant Order. |
| Qualification | Additional identification information for the Data Exporter can be found in the relevant Order. |
| Main Address | The address associated with the Data Exporter in the relevant Order Form. |
| Email Address | The email associated with the Data Exporter in the relevant Order Form or listed in “Other information” below. |
| Contact for the Data Subject | The representative named in the relevant Order Form associated with the Data Exporter or listed in “Other information” below. |
| Other Information |
Data Importer:
| Name | Trinsic Technologies, Inc. |
| Qualification | EIN: 84-2221672 |
| Main Address | 881 Baxter Dr. STE 100 South Jordan, UT 84095 |
| Email Address | [email protected] |
| Contact for the Data Subject | https://trinsic.id/contact |
| Other Information |
CLAUSE 2. Object and Scope of Application
2.1. These Clauses shall apply to the International Transfers of Personal Data between the Data Exporter and Data Importer, as described below:
| Main Purposes of the Transfer | The main purpose of the transfer of Personal Data is to authenticate an End User, or verify the identity of an End User, as more fully explained in Annex A of this DPA. |
| Categories of Personal Data Transferred | Categories of Personal Data transferred can be found in Annex A of this DPA. |
| Period of data storage | Period of data storage of transferred data can be found in Annex A of this DPA. |
| Other Information |
CLAUSE 3. Onward Transfers Allowed Under the Following Conditions:
3.1. The Importer may carry out an Onward Transfer of Personal Data subject to the International Data Transfer governed by these Clauses, in the cases and according to the conditions described below and the provisions of CLAUSE 18.
(a) Onward transfers to an authorized sub-processor
| Main purposes of the transfer | The parties may transfer Personal Data onward to their sub-processors which are approved under the terms of this agreement. |
| Categories of personal data transferred | Categories outlined in Annex A of this DPA. |
| Period of data storage | Retention periods are specified in Annex A of this DPA. |
| Other information |
(b) Onward transfers to an End Customer under this DPA and the MSA
| Main purposes of the transfer | Customer may transfer Personal Data onward to its End Customers, if applicable, provided such transfer complies with the terms of this DPA and these SCCs. |
| Categories of personal data transferred | Categories outlined in Annex A of this DPA. |
| Period of data storage | Retention periods are specified in Annex A of this DPA. |
| Other information |
CLAUSE 4. Responsibilities of the Parties
If Customer is identified in Annex A of this DPA as a Data Controller, Option A. 4.1 will apply, otherwise Option B. 4.1 will apply.
Option A.
4.1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below, as Controller, shall be responsible for complying with the following obligations set out in these Clauses:
a) Responsible for publishing the document provided in CLAUSE 14:
( X ) Exporter ( ) Importer
b) Responsible for responding to requests from Data Subjects dealt with in CLAUSE 15:
( X ) Exporter ( ) Importer
c) Responsible for notifying the security incident provided in CLAUSE 16:
( X ) Exporter ( ) Importer
4.2. For the purposes of these Clauses, if the Designated Party pursuant to item 4.1. is the Processor, the Controller remains responsible for:
a) compliance with the obligations provided in CLAUSES 14, 15 and 16 and other provisions established in the National Legislation, especially in case of omission or non-compliance with the obligations by the Designated Party;
b) compliance with ANPD’s determinations; and
c) guaranteeing the Data Subjects’ rights and repairing damages caused, subject to the provisions of Clause 17.
Option B
4.1. Considering that both Parties act exclusively as Processors within the scope of the International Data Transfer governed by these Clauses, the Exporter declares and guarantees that the transfer is carried out in accordance with the written instructions provided by the Third-Party Controller identified in the chart below.
Identification information of the Third-Party Controller:
| Name | Identification information for each Third-Party Controller, including name, is maintained by Trinsic and is available upon request. |
| Qualification | Identification information for each Third-Party Controller, including qualifying identifying details, is maintained by Trinsic and is available upon request. |
| Main Address | Identification information for each Third-Party Controller, including address, is maintained by Trinsic and is available upon request. |
| Email Address | Contact information for each Third-Party Controller, including email address, is maintained by Trinsic and is available upon request. |
| Contact for the Data Subject | Contact information for each Third-Party Controller, including a contact for data subjects, is maintained by Trinsic and is available upon request. |
| Information on Related Contract | Identification information for each Third-Party Controller, including the name of its contract with Data Importer, is maintained by Trinsic and is available upon request. |
4.2. The Exporter shall be jointly liable for the damage caused by the International Data Transfer if it is carried out in breach of the obligations of the National Legislation or the lawful instructions of the Third-Party Controller, in which case the Exporter shall be deemed to be the Controller, subject to the provisions of Clause 17.
4.3. In the event of being deemed a Controlling Party as referred to in item 4.2, the Exporter shall be responsible for complying with the obligations set out in Clauses 14, 15 and 16.
4.4. With the exception of the provisions of items 4.2 and 4.3, the provisions of Clauses 14, 15 and 16 shall not apply to the Parties as Processors.
4.5. The Parties shall, in any event, provide all the information at their disposal that proves necessary for the Third-Party Controller to comply with ANPD’s determinations and to adequately fulfill the obligations provided for in the National Legislation relating to transparency, compliance with the rights of data subjects and the reporting of security incidents to ANPD.
4.6. The Parties shall promote mutual assistance in order to meet the requests of the Data Subject.
4.7. In the event of receiving a request from a Data Subject, the Party shall:
a) respond to the request when it has the necessary information;
b) inform the Data Subject of the service channel provided by the Third-Party Controller; or
c) forward the request to the Third-Party Controller as soon as possible, to enable a response within the period provided for in the National Legislation.
4.8. The Parties must keep a record of security incidents involving personal data, in accordance with national legislation.
SECTION II – MANDATORY CLAUSES
The Parties hereby incorporate by reference Clauses 5–22 of the most recent English-language Brazilian Standard Contractual Clauses for International Transfers, as published and updated from time to time on the Brazilian National Data Protection Authority’s “International Affairs” webpage (https://www.gov.br/anpd/pt-br/assuntos/assuntos-internacionais/international-affairs) or its successor, which shall form an integral, binding, and prevailing part of this Data Processing Addendum without further action by the Parties.
SECTION III – SECURITY MEASURES
Data Importer shall implement and maintain for the duration of this DPA the technical, administrative, and organizational safeguards described in Annex B of this DPA. These safeguards include, at a minimum:
a) Governance and oversight of internal processes, including documented security policies, assignment of security responsibilities, and periodic risk assessments; and
b) Logical, physical, and procedural controls designed to ensure the confidentiality, integrity, availability, and resilience of Personal Data during its collection, transmission, processing, and storage.
Such measures satisfy the requirements of Article 46 of the LGPD and the Brazilian SCCs, and they apply equally to all categories of Personal Data, including Sensitive Personal Data and data relating to children and adolescents. Given the scope and depth of the safeguards in Annex B, the Parties agree that no additional safeguards applicable exclusively to minors’ data shall be required.
The Data Importer will periodically review and, where appropriate, enhance these measures to ensure they continue to provide a level of protection consistent with applicable law and these Clauses.