Data Processing Agreement

The People Readiness Company (TPRC) is a brand by MUAIDENTITY INC.

This Data Processing Agreement ("DPA") forms part of the agreement between MUAIDENTITY INC. ("MUAIDENTITY INC.", "TPRC", "Processor", "we", "us", or "our") and the customer identified in the applicable order form, master services agreement, or subscription terms ("Customer", "Controller", or "you") (the "Agreement") under which we provide our software and related services (the "Services").

This DPA applies where, and to the extent that, we process Personal Data on behalf of the Customer in the course of providing the Services. It reflects the parties' agreement on the processing of such Personal Data in accordance with applicable Data Protection Laws. If you require a signed copy, contact us using the details below.

Last updated: 06.10.2026

Definitions

"Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, as applicable, the EU General Data Protection Regulation (2016/679) ("EU GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended ("CCPA"), and other US state privacy laws.

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" have the meanings given in the applicable Data Protection Laws. Where US state laws apply, "Business", "Service Provider", "Consumer", and "Sell"/"Share" have the meanings given in those laws, and references to Controller and Processor include Business and Service Provider respectively.

"Customer Personal Data" means Personal Data that we process on behalf of the Customer under the Agreement, as described in Annex I.

"Sub-processor" means any third party engaged by us to process Customer Personal Data.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission (Implementing Decision (EU) 2021/914), and, for UK transfers, the UK International Data Transfer Addendum.

Roles of the parties

The parties acknowledge that, with respect to Customer Personal Data, the Customer is the Controller (or Business) and MUAIDENTITY INC. is the Processor (or Service Provider). Where the Customer is itself a processor acting on behalf of a third-party controller, the Customer warrants that it has the authority and instructions necessary to engage us as described in this DPA.

Scope and details of processing

We will process Customer Personal Data only as necessary to provide the Services and as set out in this DPA. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.

Processor obligations

We will:

  • Process on documented instructions. Process Customer Personal Data only on the Customer's documented instructions — including the Agreement, this DPA, and Customer's use of the Services — unless required to do otherwise by law, in which case we will inform the Customer (unless legally prohibited).
  • Notify of unlawful instructions. Inform the Customer if, in our opinion, an instruction infringes applicable Data Protection Laws.
  • Ensure confidentiality. Ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
  • Implement security. Implement and maintain the technical and organizational measures described in Annex II.
  • Assist the Customer. Taking into account the nature of the processing, provide reasonable assistance to the Customer in meeting its obligations regarding security, Data Subject requests, breach notification, and data protection impact assessments and prior consultations.

Customer obligations

The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it was obtained. The Customer warrants that it has a lawful basis to provide the Customer Personal Data to us and to authorize the processing described in this DPA, and that its instructions comply with Data Protection Laws. This includes ensuring an appropriate lawful basis for any special-category data that its users may choose to include in free-text entries.

Sub-processors

The Customer provides general authorization for us to engage Sub-processors to process Customer Personal Data. Our current Sub-processors are listed in Annex III. We will:

  • impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, through a written contract;
  • remain liable for the performance of each Sub-processor's obligations; and
  • give the Customer at least 30 days' prior notice of the addition or replacement of any Sub-processor — by email or by updating an online list to which the Customer may subscribe — giving the Customer the opportunity to object on reasonable data-protection grounds. If the Customer reasonably objects and we cannot accommodate the objection, the Customer may terminate the affected Services as its sole remedy.

International transfers

To the extent our processing of Customer Personal Data involves a transfer from the European Economic Area, the United Kingdom, or Switzerland to a country that does not provide an adequate level of protection, the parties agree that such transfers are governed by the Standard Contractual Clauses, which are incorporated into this DPA by reference and completed by the information in the Annexes, together with the UK Addendum where applicable. Where we maintain a valid certification under the EU-U.S. Data Privacy Framework, its UK Extension, and the Swiss-U.S. Data Privacy Framework, transfers may also rely on that certification. Module Two (controller to processor) of the SCCs applies where the Customer is a controller, and Module Three (processor to processor) applies where the Customer acts as a processor on behalf of a third-party controller. We currently host Customer Personal Data in the United States (Microsoft Azure, East Coast region). In the event of any conflict, the SCCs prevail with respect to transfers they govern.

Data Subject requests

Taking into account the nature of the processing, we will provide reasonable assistance, including by appropriate technical and organizational measures, to enable the Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws. If we receive such a request directly, we will, unless legally prohibited, promptly notify the Customer and direct the Data Subject to the Customer; we will not respond to the request ourselves except on the Customer's instructions or as required by law.

Personal Data Breach

We will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to us to help the Customer meet its breach-notification obligations. We will take reasonable steps to mitigate and, where possible, remediate the breach. Our notification is not an acknowledgment of fault or liability.

Government and law-enforcement requests

If we receive a legally binding request from a public authority for Customer Personal Data, we will disclose only the Customer Personal Data we are legally required to disclose, and, where legally permitted, we will notify the Customer of the request before disclosing.

Audits

We will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. To minimize disruption, audits will be conducted on reasonable prior notice, no more than once per year (unless required by a supervisory authority or following a Personal Data Breach), during business hours, subject to confidentiality obligations. We may satisfy audit requests by providing current third-party certifications or audit reports (such as SOC 2 or ISO 27001) where available.

Return and deletion of data

Upon termination or expiry of the Agreement, we will, at the Customer's choice, delete or return Customer Personal Data, and delete existing copies, unless retention is required by law. We will complete deletion or return within 30 days of termination, subject to our standard backup cycles, during which the data remains protected under this DPA until deleted.

US state privacy law terms (Service Provider)

With respect to Personal Data subject to the CCPA or other US state privacy laws, we act as a Service Provider (or processor). We will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than performing the Services or as otherwise permitted by law; (c) retain, use, or disclose it outside the direct business relationship with the Customer; or (d) combine it with personal information from other sources, except as permitted by law. We certify that we understand and will comply with these restrictions.

Aggregated and de-identified data

We may create aggregated, anonymized, or de-identified data from Customer Personal Data and use it to operate, develop, secure, and improve the Services — for example, for organization-level benchmarking, analytics, and forecasting — provided that such data does not identify, and cannot reasonably be used to identify, the Customer, any Data Subject, or any individual. Such data is not Customer Personal Data, and we will not attempt to re-identify it.

Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not increase those limits beyond what is permitted by Data Protection Laws.

Term, conflicts, and general

This DPA is effective for as long as we process Customer Personal Data under the Agreement. In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA prevails; where this DPA conflicts with the Standard Contractual Clauses, the SCCs prevail with respect to the transfers they govern. All other terms of the Agreement remain in full force.

Annex I — Details of processing

Confirm and complete the bracketed items below for your platform.

Parties. Controller: the Customer identified in the Agreement. Processor: MUAIDENTITY INC. (The People Readiness Company), 221 W 10th Street, Fl 3, #77, Wilmington, DE 19801, United States.

Subject matter and duration. Processing of Customer Personal Data for the provision of the Services, for the duration of the Agreement plus any wind-down and legally required retention period.

Nature and purpose of processing. To host, store, and process Customer Personal Data as necessary to deliver the Services — including people-readiness assessments, journaling, calendar integration, account and user administration, aggregated trend analytics and forecasting, support, and related functionality. Analytics and forecasting are performed using traditional machine-learning techniques and are reported only in aggregated form at the organization level (see "Automated processing" in Annex II).

Categories of Data Subjects. The Customer's employees, personnel, candidates, contractors, and authorized users of the Services.

Categories of Personal Data. Identification and contact details (name, business email, phone); job role, department, and organizational data; account credentials and authentication tokens, including OAuth2 tokens for authorized Microsoft and Google calendar integrations; usage and diagnostic data; calendar and scheduling data accessed with the user's authorization; and content submitted through the Services, including assessment, survey, readiness, and journal or reflective entries created by users.

Special categories of Personal Data. The Services are a reflection and readiness tool, not a health application, and include no features that request or require special-category data. Users may, of their own choice, include personal reflections in free-text journal entries that could contain information relating to, for example, stress, wellbeing, or health. Any such content is stored in the same database and protected by the same technical and organizational measures as all other Customer Personal Data; we apply no special-category-specific processing to it. The Customer, as controller, is responsible for ensuring an appropriate lawful basis for any special-category data its users choose to submit.

Frequency of processing. Continuous, for the duration of the Agreement.

Sub-processors. As listed in Annex III.

Annex II — Technical and organizational security measures

Confirm and expand the items in brackets (e.g., MFA, backup cadence) to match current operations before signing.

The Services are an Azure-native application. We maintain technical and organizational measures appropriate to the risk, which include:

  • Hosting and infrastructure — the Services are hosted on Microsoft Azure, using Azure App Services (application hosting), Azure SQL Database (data storage with high availability and automated backups), Azure Front Door (global load balancing, traffic distribution, and intelligent health monitoring), and Application Insights (real-time monitoring and diagnostics). We rely on Microsoft Azure's certified physical and infrastructure security for the underlying data centers.
  • Encryption — encryption of data in transit via HTTPS/TLS, and encryption at rest for stored data, including encrypted handling of user credentials.
  • Authentication and access control — email/password authentication for user login; role-based access on least-privilege principles; OAuth2 tokens for authorized third-party calendar integrations (Microsoft and Google), where the integration is one-way and read-only; and multi-factor authentication enforced for administrative access.
  • Network and application security — secure transport, environment segregation, and secure development practices, with vulnerability management and patching.
  • Logging and monitoring — application and performance monitoring, anomaly detection, and diagnostics via Application Insights.
  • Resilience and backup — Azure SQL Database high availability and automated backups, and Azure Front Door health monitoring and failover, to restore availability and access to Personal Data in a timely manner following an incident.
  • Confidentiality — confidentiality obligations for personnel and security awareness practices.
  • Vendor management — due diligence and contractual safeguards for Sub-processors.
  • Incident response — a documented process for detecting, responding to, and notifying Personal Data Breaches.

Automated processing. We do not use AI to read, summarize, interpret, or generate user-created content (such as journal or reflective entries), and we do not use such content to train AI models. We use traditional machine-learning techniques only for aggregated trend analytics and forecasting at the organization level, and we do not make decisions producing legal or similarly significant effects about individuals without human involvement. General-purpose AI assistants used by our personnel for internal productivity are not used to process Customer Personal Data.

Annex III — List of Sub-processors

This lists the third parties that process Customer Personal Data held in the platform. Marketing/website trackers (Google Analytics, Google Ads, LinkedIn) operate on our own website on a controller basis and are covered by our Cookie Policy, not here. Confirm the Azure region and any additions before signing.

  • Microsoft Corporation (Microsoft Azure). Purpose: cloud hosting, database, content delivery / load balancing, and application monitoring (Azure App Services, Azure SQL Database, Azure Front Door, Application Insights). Location: United States (East Coast region).
  • Twilio SendGrid. Purpose: sending application notification and account emails to users. Location: United States.
  • Intercom, Inc. Purpose: in-app support, onboarding, and user messaging within the Services. Location: United States.
  • HubSpot, Inc. Purpose: customer communications, support ticketing, and payments (HubSpot Payments), where used in connection with the Services. Location: United States.
  • Typeform S.L. Purpose: online assessment and survey forms used to collect responses through the Services. Location: European Union / United States.
  • Microsoft and Google (calendar integrations). Purpose: one-way, read-only calendar and scheduling integration via OAuth2, accessed only with the user's authorization. Location: United States / global.

General-purpose AI assistants used by our personnel for internal productivity (such as Claude and Microsoft Copilot) are not used to process Customer Personal Data and are therefore not listed as Sub-processors.

Contact

For questions about this DPA, or to request a signed copy, contact us at:

MUAIDENTITY INC. (The People Readiness Company)
221 W 10th Street, Fl 3, #77
Wilmington, DE 19801
United States
Email: privacy@thepeoplereadiness.com