Troja

Data Processing Addendum

Last updated: June 7, 2026



Effective date: June 7, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer", "Controller") and FounderGem LLC operating Troja ("Troja", "Processor"). It applies where Troja processes personal data on your behalf in connection with the Service. To request a signed copy, email support@troja.dev.

1. Definitions

Terms such as "personal data", "processing", "data subject", "controller", "processor", and "supervisory authority" have the meanings given in the EU General Data Protection Regulation (GDPR) and the UK GDPR. "Applicable Data Protection Law" means all privacy and data-protection laws applicable to the processing under this DPA.

2. Roles of the parties

The Customer is the controller (or processor acting for another controller) of personal data submitted to the Service. Troja acts as a processor (or sub-processor) and processes personal data only on the Customer's documented instructions, including as set out in the Terms and this DPA.

3. Subject matter and details of processing

  • Subject matter: provision of website security, SEO, and AEO scanning.
  • Duration: for the term of the agreement and the retention periods described in the Privacy Policy.
  • Nature and purpose: hosting, scanning, generating reports, authentication, billing, and support.
  • Types of personal data: account identifiers (email), authentication data, billing metadata, and any personal data contained in submitted URLs or scan results.
  • Categories of data subjects: the Customer's users, staff, and visitors to scanned sites.

4. Customer obligations

The Customer warrants that it has a lawful basis to provide the personal data to Troja and that its instructions comply with Applicable Data Protection Law. The Customer is responsible for the accuracy and legality of data it submits.

5. Processor obligations

Troja will:

  • process personal data only on documented instructions;
  • ensure persons authorized to process data are bound by confidentiality;
  • implement appropriate technical and organizational security measures (Section 7);
  • assist the Customer, taking into account the nature of processing, with data-subject requests and with obligations under Articles 32–36 GDPR;
  • make available information necessary to demonstrate compliance; and
  • delete or return personal data at the end of the agreement, subject to legal retention.

6. Sub-processors

The Customer provides general authorization for Troja to engage sub-processors to deliver the Service. A current list is maintained on our Subprocessors page. Troja imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains responsible for their performance. We will give notice of intended changes to sub-processors so the Customer can object on reasonable grounds.

7. Security measures

Troja maintains measures including encryption in transit (TLS), access controls and least-privilege, network protections (WAF/CDN via Cloudflare), logging and monitoring, regular patching, and backup and recovery procedures. Measures may be updated provided they do not materially decrease overall security.

8. Personal data breaches

Troja will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data and will provide information reasonably needed to meet the Customer's notification obligations.

9. International transfers

Where Troja transfers personal data outside the EEA, UK, or Switzerland, it relies on appropriate safeguards such as the EU Standard Contractual Clauses and the UK Addendum, which are incorporated by reference where applicable.

10. Data-subject rights and assistance

Troja will, to the extent legally permitted, promptly inform the Customer of data-subject requests it receives directly and assist the Customer in responding to such requests.

11. Audits

Troja will make available compliance information and, on reasonable prior notice and subject to confidentiality, allow audits reasonably necessary to verify compliance, which may be satisfied via third-party reports.

12. Deletion and return

On termination, Troja will delete or return personal data within the timeframe in the Privacy Policy, except where retention is required by law.

13. Liability and conflicts

Liability under this DPA is subject to the limitations in the Terms. If there is a conflict between this DPA and the Terms regarding processing of personal data, this DPA controls.

To execute this DPA or ask questions, contact support@troja.dev.
