TrustArc Terms and Conditions

Sub-Processors and Affiliates

Last updated June 25, 2025


TrustArc utilizes the following third-party data processors (“Sub-processors”) for the provision and operation of its Solutions and processing of Customer Data, including any associated Personal Information therein.

Data Hosting Location

Entity Name
Location
Purpose
Transfer Mechanism
Sub-Processor Contact
Amazon Web Services
Data Center for Platform:  US US-East-1 (Fairfax, Virginia) or EU-Central-1 (Frankfurt)

Data Center for Nymity Products: Canada-Central-1 (Ontario, Canada)

Data Center for Cookie Consent Manager:  EU-West-1 (Dublin, Ireland)
Hosting service for TrustArc platform
DPF and SCCs
https://aws.amazon.com/contact-us/

Third Party Sub-Processors

Entity Name
Location
Purpose
Transfer Mechanism
Sub-Processor Contact
Mailgun Technologies, Inc.
Texas, USA
Nymity R&A (Research & Alerts) email delivery service
SCCs
https://www.mailgun.com/contact/
Microsoft, Inc. (including Microsoft Canada Inc.)
Washington,  USA Canada, Central (Toronto, ON)

Cloud services supporting application logging and messaging queue capabilities for e-mail delivery for Nymity R&A
DPF and SCCs
https://support.microsoft.com/en-us/contactus
Salesforce.com
California, USA
Customer service, sales, and support
DPF, SCC and BCR
https://www.salesforce.com/company/contact-us/
Workato, Inc.
Virginia, US or Frankfurt, Germany

TrustArc platform integration tool
SCC
https://support.workato.com/en/support/home


Changes to Sub-processors

TrustArc may remove, replace or appoint suitable and reliable Sub-processors in accordance with the Data Processing Addendum (“DPA”) available here. TrustArc shall inform you of any new Sub-processors by updating its Sub-Processor disclosure and providing email notification no less than thirty (30) days before authorizing such Sub-processor(s) to Process Personal Information in connection with the provision of the applicable Solutions. To enable receipt of such e-mail notifications, you may subscribe here.

TrustArc Affiliates

In addition to the Sub-processors above, TrustArc may utilize the affiliates listed in the TrustArc Affiliate Sub-processor disclosure available here.

Data Transfers

Where TrustArc transfers personal data in connection with its Solutions, it does so in compliance with applicable data protection laws and regulations and utilizes the following safeguards and framework, as applicable:

  • Standard Contractual Clauses (or “Model Clauses”)
  • EU-U.S. Data Privacy Framework (“DPF”), UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF


Data Processing Addendum

TrustArc offers a comprehensive global DPA, which is designed to meet the requirements of applicable data privacy laws and regulations. Our DPA is available here.

Technical and Organizational Measures

TrustArc’s Technical and Organizational Measures (“TOMs”) that describe the security safeguards and other relevant measures implemented by TrustArc, such as access controls, transmission controls, data backup, and logical separation, can be found here