Data Processing Addendum (DPA)
Last Updated: 01/08/2026
This Data Processing Addendum (“DPA”) forms part of the agreement between TrueFingerprints LLC, a Delaware limited liability company (“Personnelgraph”), and the business customer (“Customer”) that accesses or uses the Personnelgraph background screening platform (the “Platform”).
This DPA applies to the extent Personnelgraph processes Personal Data on behalf of Customer in connection with the Platform.
1. Definitions
Capitalized terms not defined in this DPA have the meanings set forth in:
The Personnelgraph Terms of Service
Any applicable Order Form
Applicable data protection laws
For purposes of this DPA:
“Applicable Data Protection Law” means all laws relating to data protection and privacy, including (where applicable) the GDPR, UK GDPR, and U.S. state privacy laws.
“Personal Data” means any information relating to an identified or identifiable individual processed under the Agreement.
“Processing” has the meaning given under Applicable Data Protection Law.
2. Roles of the Parties
2.1 Customer as Controller
Customer acts as the Data Controller (or equivalent role) with respect to Personal Data submitted to the Platform.
2.2 Personnelgraph as Processor
Personnelgraph acts as a Data Processor (or equivalent role) when processing Personal Data on behalf of Customer.
Where Personnelgraph processes Personal Data to comply with its own legal obligations as a Consumer Reporting Agency, Personnelgraph acts as an independent controller to that extent.
3. Scope of Processing
3.1 Subject Matter
Processing of Personal Data for the purpose of providing background screening services through the Platform.
3.2 Duration
For the term of the applicable Order Form, plus any retention period required by law.
3.3 Nature and Purpose
Processing activities include:
Collection and storage of identifying information
Transmission of CourtRequests to courts
Retrieval and reporting of public record information
Dispute handling and reinvestigation
3.4 Categories of Personal Data
May include:
Name, address, date of birth
Government identifiers (where legally permitted)
Criminal court record information
Contact information
3.5 Categories of Data Subjects
Job applicants
Employees
Independent contractors
4. Customer Obligations
Customer represents and warrants that:
It has a lawful basis for processing Personal Data
It has provided all required notices and disclosures
It has obtained valid authorizations where required
Personal Data submitted is accurate and relevant
Customer remains solely responsible for compliance with employment, labor, and privacy laws.
5. Personnelgraph Obligations
Personnelgraph shall:
Process Personal Data only in accordance with documented instructions from Customer
Not sell Personal Data
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organizational safeguards
Personnelgraph does not provide legal advice regarding data protection compliance.
6. Security Measures
Personnelgraph implements reasonable administrative, technical, and physical safeguards designed to protect Personal Data, including:
Access controls
Encryption where appropriate
Monitoring and logging
Incident response procedures
Details may be updated as security practices evolve.
7. Subprocessors
Customer authorizes Personnelgraph to engage subprocessors to support Platform operations, including:
Cloud infrastructure providers
Security and monitoring vendors
Court access and data retrieval providers
Personnelgraph shall remain responsible for subprocessors’ compliance with this DPA.
A current list of subprocessors may be provided upon request.
8. International Data Transfers
Where applicable, Personnelgraph may transfer Personal Data outside the jurisdiction of origin in compliance with Applicable Data Protection Law, including through:
Standard Contractual Clauses (SCCs)
Other lawful transfer mechanisms
9. Data Subject Rights
Personnelgraph shall:
Assist Customer in responding to data subject requests where required by law
Redirect direct consumer requests where appropriate
Consumers may exercise rights through:
Consumer Rights page
Dispute Your Report page
10. Data Breach Notification
Personnelgraph shall notify Customer without undue delay upon becoming aware of a Personal Data Breach, and provide information reasonably required to meet legal obligations.
11. Data Retention and Deletion
Personnelgraph retains Personal Data:
As required to provide the Platform
As required by law (including FCRA obligations)
Upon termination of services, Personal Data may be retained where legally required and deleted thereafter in accordance with retention policies.
12. Audits
Upon reasonable written request, Personnelgraph shall make available information necessary to demonstrate compliance with this DPA, subject to confidentiality and security restrictions.
13. Limitation of Liability
Liability arising from this DPA is subject to the limitations set forth in the Personnelgraph Terms of Service.
14. Governing Law
This DPA is governed by the laws specified in the Personnelgraph Terms of Service, without regard to conflict-of-law principles.
15. Order of Precedence
In the event of a conflict:
Order Form
Terms of Service
This DPA
16. Contact Information
TrueFingerprints LLC
legal@personnelgraph.com
TrueFingerprints LLC is a Consumer Reporting Agency as defined by the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681.
Consumers have rights under the FCRA and applicable state laws.
Learn more about your full rights on our Consumer Rights page.
To request or dispute a background report, click here to access the dispute form.
© 2019-2026 TrueFingerprints LLC, dba Personnelgraph - All Rights Reserved
