TrueNAS Open Storage Logo

Data Processing Addendum (DPA)

to the TrueNAS Connect End User License Agreement

Last Modified: 09/29/25

This Data Processing Addendum (“DPA”) forms part of the TrueNAS Connect End User License Agreement (“Agreement”) entered into between iXsystems, Inc., d/b/a TrueNAS (“TrueNAS”) and the enterprise customer (“Controller”).

This DPA governs the processing of Personal Data by TrueNAS on behalf of the Controller in accordance with Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and any other applicable data protection laws.

1. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person. 
  • Controller: the customer that determines the purposes and means of processing Personal Data. 
  • Processor: iXsystems, Inc., d/b/a TrueNAS, which processes Personal Data on behalf of the Controller. 
  • Data Protection Laws: means all laws and regulations, including laws and regulations of the European Union, the EEA and its member states, Switzerland, the United Kingdom, and the United States. 
  • Data Subject: an identified or identifiable natural person whose Personal Data is processed. 
  • Sub-processor: any third party engaged by TrueNAS to process Personal Data on behalf of the Controller. 
  • Personal Data Breach: means a breach of Personal Data which leads to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such Personal Data. 
  • Processing: means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

2. Subject Matter and Duration

This DPA applies to TrueNAS’ processing of Personal Data through the TrueNAS product as necessary to provide the services under the Agreement. The DPA remains in force for the duration of the Agreement.

3. Nature and Purpose of Processing

The processing of Personal Data by TrueNAS is limited to what is strictly necessary to:

  • Provide and maintain the TrueNAS Connect service. 
  • Perform support, security, and troubleshooting functions. 
  • Improve service functionality where lawful and agreed. 

Processing will not extend to unrelated activities or unauthorized purposes.

4. Obligations of TrueNAS (Processor)

TrueNAS shall:

  • Process Personal Data only on documented instructions from the Controller. 
  • Ensure confidentiality by staff and contractors. 
  • Implement appropriate Technical and Organizational Measures (TOMs) to protect Personal Data. 
  • Assist the Controller in responding to Data Subject rights requests. 
  • Assist with data protection impact assessments and breach notifications where applicable. 
  • Delete Personal Data upon termination of the Agreement, unless required by law to retain it. 

5. Sub-processors

  • TrueNAS may engage Sub-processors to provide services (e.g., hosting providers, support vendors). 
  • A current list of Sub-processors shall be made available upon request. 
  • TrueNAS will ensure that Sub-processors are bound by obligations no less protective than those set out in this DPA. 
  • The Controller has the right to object to changes in Sub-processors where there are reasonable grounds. 

6. International Data Transfers

  • Where Personal Data is transferred outside the EEA, UK, or Switzerland, TrueNAS shall ensure an adequate level of protection is in place, including use of Standard Contractual Clauses (SCCs) or other legally recognized safeguards. 
  • TrueNAS will notify the Controller of the legal basis relied upon for such transfers. 

7. Controller Obligations

The Controller is responsible for:

  • Ensuring that it has a lawful basis for the collection and processing of Personal Data. 
  • Providing appropriate privacy notices to Data Subjects. 
  • Ensuring that Personal Data transferred to TrueNAS is accurate and relevant. 

8. Liability

The liability provisions of the Agreement apply to this DPA. Each party remains responsible for compliance with its own obligations under applicable data protection law.

9. Data Deletion

Upon Controllers’ written request, TrueNAS will return or delete all Personal Data following the termination of the Agreement, unless such Personal Data is required to be maintained by Data Protection Laws, in which case it shall be held in accordance with the terms of this DPA.

10. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with:

  • The law of the European Union where GDPR applies. 
  • The law of the United Kingdom where UK GDPR applies. 
  • The law of Switzerland where FADP applies.

Disputes shall be subject to the jurisdiction of the courts of the Controller’s place of establishment, without prejudice to mandatory provisions of applicable law.

11. Changes in Laws

In the event of any newly enacted Data Protection Laws, changes to existing Data Protection Laws, or any qualified and informed interpretation of a new or existing Data Protection Law, the Parties shall agree upon how TrueNAS’ delivery of the services will be impacted and shall make equitable adjustments to the terms of the Agreement and the services.

12. Miscellaneous

This DPA supersedes any prior arrangements on data processing under the Agreement. If there is a conflict between this DPA and the Agreement, the DPA prevails with respect to Personal Data protection.