Data Processing Agreement
The data processing terms that apply when TrueClara processes Customer Personal Data on behalf of monitored Next.js applications and customer workspaces.
Last updated: May 10, 2026
Summary
This Data Processing Agreement (“DPA”) governs the processing of Customer Personal Data that TrueClara performs on a customer’s behalf, including runtime telemetry from monitored Next.js applications, static route graphs, deploy metadata, notification settings, and related workspace data. It includes processor terms, subprocessor authorization, international-transfer terms, security measures, deletion/return commitments, audit support, and CCPA/CPRA service-provider terms.
This summary is for convenience only. The sections below are the legally binding agreement.
1. Scope and incorporation
This DPA forms part of the Terms of Service or other agreement between Customer and The Plain Works Co., Ltd. (주식회사 더플레인웍스), operating TrueClara.
This DPA applies when TrueClara processes Customer Personal Data as a processor or subprocessor on behalf of Customer in connection with the Service.
Capitalized terms not defined in this DPA have the meanings given in the Terms or applicable Data Protection Laws.
2. Definitions
Customer Personal Data means Personal Data contained in Customer Content that TrueClara processes on Customer’s behalf through the Service.
Customer Content means data, telemetry, route graphs, deploy metadata, project settings, notification settings, public observation content, webhook payloads, exported files, and other materials submitted to or processed through the Service by or for Customer.
Account Data means Personal Data about Customer’s representatives, such as names, email addresses, authentication data, workspace roles, billing relationship data, and communications with TrueClara.
Service Data means usage, diagnostic, performance, security, and operational data generated by the Service, excluding Customer Personal Data except to the extent such data is inseparable from logs or diagnostics.
Data Protection Laws means laws applicable to the processing of Personal Data under this DPA, including GDPR, UK GDPR, Swiss FADP, Korean PIPA, CCPA/CPRA, and other applicable privacy laws.
GDPR means Regulation (EU) 2016/679.
UK GDPR means the GDPR as retained and amended under UK law.
SCCs means the European Commission Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914.
3. Roles
For Customer Personal Data:
- Customer is the controller. If Customer acts as a processor for a third party, Customer is a processor and TrueClara is Customer’s subprocessor.
- TrueClara is the processor or subprocessor.
- Customer determines the purposes and means of processing by deciding which applications to monitor, which routes to include, which integrations to configure, which notification destinations to use, what content to publish, and what data to submit.
For Account Data and Service Data that TrueClara processes for its own business purposes, TrueClara is an independent controller. The Privacy Policy governs that processing.
Paddle is an independent controller for buyer, payment, tax, and transaction data it processes as merchant of record.
4. Processing details
| Element | Description |
|---|---|
| Subject matter | Processing Customer Personal Data to provide TrueClara behavioral observability for monitored Next.js applications |
| Duration | The subscription term, plus the export/deletion period and any legally required retention |
| Nature and purpose | Ingesting, storing, analyzing, aggregating, displaying, exporting, and notifying about runtime telemetry, route graphs, deploy metadata, observations, and project settings |
| Categories of data subjects | End users of Customer’s monitored applications; Customer’s workspace members; notification recipients; individuals whose data appears in route paths, deploy metadata, observation content, public links, or webhook payloads |
| Categories of Personal Data | Depending on Customer’s configuration: route path, referrer path, timestamp, response/load duration, deploy attribution, project identifiers, coarse user-agent family, daily salted session hash after analytics opt-in, workspace member identifiers and roles, notification destination identifiers, email/webhook addresses, commit metadata, branch/deploy metadata, and any Personal Data Customer includes in monitored paths, metadata, or content |
| Sensitive data | Not expected and prohibited unless separately agreed. TrueClara is not designed for special-category Personal Data, protected health information, payment card data, government IDs, credentials, reset tokens, or secrets |
| Frequency | Continuous or event-based during Customer’s use of the Service |
| Retention | According to Customer’s plan retention window, the Terms, and the Privacy Policy; backups are typically purged within 35 days after deletion |
5. Customer instructions and responsibilities
Customer instructs TrueClara to process Customer Personal Data to provide, secure, support, and maintain the Service in accordance with:
- the Terms;
- this DPA;
- Customer’s Service configuration;
- the documentation;
- any Order Form; and
- any written instructions accepted by TrueClara.
Customer is responsible for:
- complying with Data Protection Laws;
- having a valid lawful basis for Customer Personal Data;
- providing required notices and obtaining required consents or opt-ins;
- ensuring monitored applications and routes are authorized;
- excluding sensitive data, secrets, credentials, and prohibited data from monitored paths, query strings, fragments, deploy metadata, and public content;
- responding to data-subject requests where Customer is the controller; and
- ensuring its own connected services and notification destinations are lawfully configured.
If TrueClara believes an instruction violates Data Protection Laws, TrueClara will notify Customer unless prohibited by law.
6. TrueClara processor obligations
TrueClara will:
- process Customer Personal Data only on Customer’s documented instructions, unless legally required to do otherwise;
- ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations;
- implement appropriate technical and organizational measures described in Schedule 2;
- assist Customer with data-subject requests, taking into account the nature of the processing and the information available to TrueClara;
- assist Customer with security, breach notification, DPIAs, and regulator consultations where required by Data Protection Laws and reasonably related to the Service;
- delete or return Customer Personal Data at the end of the Service as described in Section 12;
- make information available to demonstrate compliance with this DPA as described in Section 13;
- impose appropriate data protection obligations on subprocessors; and
- notify Customer if TrueClara can no longer meet its obligations under this DPA.
7. CCPA/CPRA service-provider terms
Where CCPA/CPRA applies, TrueClara acts as a service provider or contractor for Customer Personal Data.
Customer discloses Customer Personal Data to TrueClara only for the following limited and specific business purposes:
- providing behavioral observability for Customer’s monitored applications;
- ingesting, processing, storing, aggregating, and displaying telemetry, route graphs, deploy metadata, and observations;
- providing dashboards, exports, retention, notifications, public observation links, and support;
- securing, debugging, maintaining, and improving the reliability and quality of the Service, using Customer Personal Data only as permitted by CCPA/CPRA and not for unrelated product improvement;
- enforcing plan limits, authentication, authorization, and acceptable-use controls; and
- complying with legal obligations relating to the Service.
TrueClara will not:
- sell or share Customer Personal Data;
- retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer except as permitted by CCPA/CPRA;
- retain, use, or disclose Customer Personal Data for purposes other than the limited and specific business purposes above;
- combine Customer Personal Data with Personal Data received from other sources except as permitted by CCPA/CPRA;
- process Customer Personal Data for cross-context behavioral advertising; or
- use Customer Personal Data to profile individuals outside the Service.
TrueClara certifies that it understands and will comply with these restrictions.
8. Subprocessors
Customer gives TrueClara general written authorization to engage subprocessors. Current subprocessors and customer-selected providers are listed at trueclara.com/legal/subprocessors.
TrueClara will:
- enter into written agreements with subprocessors imposing obligations no less protective than this DPA in substance;
- remain responsible for subprocessors’ processing of Customer Personal Data;
- provide at least 30 days’ notice before adding or replacing a subprocessor that materially processes Customer Personal Data, unless urgent security, legal, or continuity needs require shorter notice; and
- allow Customer to object on reasonable data protection grounds within 14 days after notice.
If Customer objects and TrueClara cannot reasonably resolve the objection, Customer may terminate the affected portion of the Service and receive a prorated refund for unused prepaid fees for that portion.
Customer-selected integrations or destinations, such as Slack, GitHub, or webhook receivers configured by Customer, may process data under Customer’s own relationship with that provider. They are listed for transparency but are not used unless Customer configures them.
9. International transfers
TrueClara is based in Korea and uses providers in the United States, the European Union, Korea, and other locations listed on the Subprocessors page.
Where an adequacy decision applies to a transfer to Korea, the parties rely on that adequacy decision. Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an applicable adequacy decision, the transfer is governed by the safeguards below.
9.1 EU SCCs
For restricted transfers from the EEA, the SCCs are incorporated into this DPA by reference and completed as follows:
- Module Two applies where Customer is a controller and TrueClara is a processor.
- Module Three applies where Customer is a processor and TrueClara is a subprocessor.
- The optional docking clause in Clause 7 is not used.
- Clause 9, Option 2 (general written authorization) applies, with the notice period set out in Section 8.
- The optional language in Clause 11 is not used.
- Clause 17 Option 1 applies. The governing law is Ireland unless the data exporter is established in another EU Member State and that Member State’s law is required.
- Under Clause 18, the forum is the courts of Ireland unless another EU Member State’s courts are required.
- Annex I is completed by Schedule 1 and the parties’ account/order details.
- Annex II is completed by Schedule 2.
- Annex III is completed by the Subprocessors page.
- For Annex I.C, the competent supervisory authority is determined under Clause 13 based on the data exporter’s circumstances and is not hard-coded globally.
9.2 UK transfers
For restricted transfers from the UK, the parties use either the UK International Data Transfer Addendum to the EU SCCs or the UK International Data Transfer Agreement, as applicable. Where the UK Addendum is used, the SCCs above are amended as required by the Addendum.
9.3 Swiss transfers
For restricted transfers from Switzerland, the SCCs apply with Swiss adaptations required by the Swiss FADP, including references to the FDPIC as applicable and protection for legal persons where required by Swiss law.
9.4 Transfer assessments and government requests
TrueClara will use reasonable measures to support transfer-impact assessments where required.
If TrueClara receives a legally binding government or law-enforcement request for Customer Personal Data, TrueClara will, where legally permitted:
- notify Customer;
- redirect the requester to Customer where appropriate;
- review the legality and scope of the request;
- challenge or narrow overbroad requests where reasonable; and
- disclose only the minimum information legally required.
10. Security
TrueClara will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Schedule 2 describes current measures.
Customer is responsible for securing its own applications, instrumentation, keys, tokens, webhooks, notification destinations, workspace roles, and connected services.
11. Personal Data Breach
TrueClara will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
The notice will include, to the extent known:
- nature of the breach;
- categories and approximate number of affected data subjects and records;
- likely consequences;
- measures taken or proposed;
- contact point for follow-up; and
- information reasonably needed for Customer’s notification obligations.
TrueClara will supplement the notice as more information becomes available and reasonably assist Customer with required notifications.
12. Deletion and return
At the end of the Service or on Customer’s written request, TrueClara will delete or return Customer Personal Data within 30 days, unless retention is required by law, security, fraud prevention, backup, dispute resolution, or legitimate business continuity.
Backups are encrypted or protected by equivalent provider controls and are typically purged within 35 days after deletion from live systems. During backup retention, Customer Personal Data remains subject to this DPA.
TrueClara will provide deletion confirmation on reasonable written request.
13. Audits and compliance information
Upon reasonable request, TrueClara will provide information necessary to demonstrate compliance with this DPA, such as security summaries, subprocessor lists, data-flow descriptions, retention details, and questionnaire responses.
If legally required information cannot reasonably be provided through documentation, Customer may request an audit by an independent auditor that is not a competitor of TrueClara. Audits require at least 30 days’ notice, must occur during normal business hours, must avoid disrupting operations, must be limited to systems relevant to Customer Personal Data, and may occur no more than once every 12 months unless required by a regulator or following a confirmed Personal Data Breach affecting Customer.
Customer bears audit costs unless the audit confirms a material breach of this DPA.
14. Liability and order of precedence
Liability under this DPA is subject to the limitations in the Terms, except where the SCCs or applicable law require otherwise.
If documents conflict, the order is:
- SCCs or required transfer terms for restricted-transfer matters;
- this DPA for Customer Personal Data;
- the Terms;
- the Privacy Policy; and
- other incorporated documents.
15. Term
This DPA takes effect when Customer accepts the Terms, signs an Order Form, signs this DPA, or starts transmitting Customer Personal Data to the Service, whichever occurs first.
It remains in effect while TrueClara processes Customer Personal Data.
16. Contact and execution
For privacy, DPA execution, or security questions:
The Plain Works Co., Ltd. (주식회사 더플레인웍스)
Privacy: privacy@trueclara.com
Legal: legal@trueclara.com
Security: security@trueclara.com
This DPA is accepted electronically through the Terms. If Customer requires a countersigned copy, contact legal@trueclara.com.
Schedule 1 — Details of processing
A. List of parties
Data exporter
Customer, as identified in the applicable account, checkout, Order Form, or agreement.
Role: Controller or processor, as applicable.
Data importer
The Plain Works Co., Ltd. (주식회사 더플레인웍스), operating TrueClara.
Role: Processor or subprocessor, as applicable.
Contact: privacy@trueclara.com
B. Description of transfer and processing
Customer Personal Data is processed to provide behavioral observability for monitored Next.js applications, including ingestion, storage, analysis, aggregation, dashboard display, notifications, public observation links, export, support, security, and retention.
Processing categories are described in Section 4.
C. Competent supervisory authority
For EU SCC Annex I.C, the competent supervisory authority is determined under SCC Clause 13 based on the data exporter’s establishment or representative. If Customer is not established in the EEA but is subject to GDPR Article 3(2), the competent authority is the authority of the Member State where Customer’s EU representative is established, or otherwise as determined by the GDPR.
Schedule 2 — Technical and organizational measures
1. Data minimization
Runtime telemetry is designed to minimize identifiers. Aggregate mode is designed to operate without SDK-set cookies, localStorage, stable user IDs, or direct end-user identity. Analytics mode may use daily salted session hashes after appropriate opt-in.
2. Access control
Administrative access to infrastructure and production systems is limited to authorized personnel or contractors with a business need. Administrative access uses multi-factor authentication where supported. Permissions follow least-privilege principles.
3. Authentication and authorization
Customer access requires authentication. Workspace roles and project permissions restrict access to project data. API keys, project tokens, webhook secrets, and credentials should be scoped and rotated where supported.
4. Encryption
Data is encrypted in transit using TLS. Data stored by infrastructure providers is encrypted at rest using provider-managed encryption or equivalent controls.
5. Network and edge protection
Cloud hosting, CDN, DDoS mitigation, rate limiting, bot controls, and platform-level isolation are used to protect the Service.
6. Logging and monitoring
The Service uses logging, error monitoring, metrics, and alerting to detect operational issues and investigate security events. Access to logs is restricted.
7. Vulnerability management
Dependencies and infrastructure are reviewed for known vulnerabilities. Critical security patches are prioritized based on severity and exploitability.
8. Backups and resilience
Application data is backed up according to provider and internal backup practices. Backups are protected and retained for limited periods.
9. Incident response
TrueClara maintains procedures for identifying, investigating, containing, remediating, and notifying about security incidents and Personal Data Breaches.
10. Subprocessor management
Subprocessors are reviewed before use and bound by written agreements with data protection and confidentiality obligations. The active list is maintained at /legal/subprocessors.
11. Personnel confidentiality
Personnel and contractors authorized to process Customer Personal Data are subject to confidentiality obligations.
12. Customer configuration safeguards
Customers are responsible for configuring route exclusions, consent mode, analytics mode, workspace access, public links, notification destinations, and webhook security in accordance with their legal and security obligations.