Discover our latest updates and insights. Read the blog

Data Processing Agreement

Last updated: February 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Triqai (a trade name of Rediant, registered in the Netherlands, KVK 97621803) ("Processor") and the customer using the Services ("Customer" or "Controller").

This DPA applies where Triqai processes personal data on behalf of the Customer in connection with the Triqai API and related services.

1. Purpose and Scope

This DPA governs the processing of personal data by Triqai on behalf of the Customer in accordance with Article 28 of the GDPR.

Triqai processes personal data only on documented instructions from the Customer and solely to provide the Services.

2. Roles of the Parties

  • The Customer acts as Data Controller.
  • Triqai acts as Data Processor when processing API data submitted by the Customer.

Triqai acts as an independent data controller only for its own user accounts, billing, and service administration, which are governed by the Privacy Policy and not this DPA.

3. Subject Matter and Duration of Processing

  • Subject matter: Processing of transaction data submitted via the Triqai API for enrichment purposes.
  • Duration: For the duration of the Customer's use of the Services and until deletion is requested or the agreement is terminated.

4. Nature and Purpose of Processing

Triqai processes personal data to:

  • Enrich transaction data submitted by the Customer
  • Display enrichment results to the Customer
  • Maintain and improve enrichment accuracy
  • Ensure system reliability, performance, and security through operational diagnostics, activity logs, and caching

Processing operations may include analysis, classification, normalization, enrichment, caching, and operational monitoring.

5. Categories of Data Subjects

  • End users or customers of the Customer
  • Individuals referenced in transaction descriptions submitted by the Customer

6. Categories of Personal Data

The Customer may submit:

  • Transaction descriptions, which may include personal data

Based on transaction descriptions, Triqai may generate derived enrichment data (such as merchant entities, company identifiers, locations, and payment processors).

  • Raw transaction descriptions are stored only within the Customer's organization.
  • Derived enrichment data shared across customers is based on non-PII transactional signals and is not intended to identify individuals.
  • Organization-specific enrichment results that may contain personal or contextual data remain scoped to the Customer's organization.

6.1 Operational Diagnostics and Logs

To ensure system reliability, performance, and security, Triqai processes operational diagnostics, activity logs, and cached data. This processing may include raw transaction inputs or descriptions when necessary for troubleshooting, performance monitoring, and security purposes.

For this processing, Triqai acts as an independent data controller as described in Section 2 of this DPA. The legal basis is Triqai's legitimate interest in maintaining security, performance, and system reliability, in accordance with GDPR Article 6(1)(f), as further detailed in the Privacy Policy.

7. Data Retention

Personal data processed on behalf of the Customer is retained as follows:

  • Transaction data: Retained until deleted by the Customer or until termination of Services
  • Operational logs, diagnostics, and cached data: Up to 90 days from creation
  • Extended retention: In exceptional cases, logs may be retained beyond 90 days if required for ongoing security investigations or active support matters, but not exceeding 1 year from creation. The Customer will be notified of any such extended retention.

Customers may request deletion at any time in accordance with Section 14 of this DPA.

Full retention details are available in the Privacy Policy.

8. Processor Obligations

Triqai shall:

  1. Process personal data only on documented instructions from the Customer.
  2. Ensure personnel authorized to process personal data are bound by confidentiality.
  3. Implement appropriate technical and organizational security measures.
  4. Not sell personal data or use it for advertising purposes.
  5. Not use Customer data to train AI models.
  6. Assist the Customer in fulfilling data subject rights under the GDPR.
  7. Assist with security incidents, DPIAs, and regulatory inquiries where reasonably required.

9. Security Measures

Triqai implements appropriate security measures, including:

  • Encryption in transit (HTTPS)
  • Secure hosting environments
  • Organization-scoped access controls and data isolation
  • API keys and rate limiting
  • Monitoring and incident response procedures
  • Monitored automated cleanup processes for transient stores

10. Sub-Processors

The Customer provides general written authorization for Triqai to engage sub-processors that are necessary to provide the Services.

Triqai may use sub-processors for categories such as cloud infrastructure, application hosting, database hosting, AI inference, data enrichment, payment processing, email delivery, monitoring, caching, and analytics.

Triqai ensures all sub-processors are bound by data protection obligations consistent with this DPA, including appropriate safeguards for international data transfers where applicable.

Triqai will notify the Customer of any intended changes to sub-processors, giving the Customer the opportunity to object. The current sub-processor details (including location and transfer safeguards) are available to customers upon request.

11. International Data Transfers

Triqai processes data primarily within the European Union.

Where processing occurs outside the EU, Triqai applies appropriate safeguards, including Standard Contractual Clauses, in accordance with GDPR requirements.

12. Data Subject Requests

Triqai shall assist the Customer, where applicable, in responding to requests from data subjects to exercise their rights under the GDPR, including access, rectification, and deletion.

13. Personal Data Breaches

Triqai shall notify the Customer without undue delay after becoming aware of a personal data breach involving Customer data, and provide reasonable assistance to support compliance with GDPR obligations.

14. Deletion or Return of Data

Upon termination of the Services or upon request by the Customer, Triqai shall delete all personal data processed on behalf of the Customer, unless retention is required by applicable law.

Deletion timeline:

  • Immediate primary deletion (typically within minutes) of transaction data, enrichment results, and associated records from production systems
  • Prompt purge of transient stores (within hours) including activity logs, operational diagnostics, cached data, and operational queues

Where logs are retained for ongoing security investigations or active support matters, the Customer will be notified. Such extended retention shall not exceed 1 year from creation, and data will be deleted upon conclusion of such matters or upon reaching the maximum retention period, whichever comes first.

Billing records required by law are retained by the payment provider in accordance with legal obligations.

15. Audits

Upon reasonable request, Triqai shall make available information necessary to demonstrate compliance with this DPA, taking into account confidentiality and security obligations.

16. Liability

Liability arising under this DPA is subject to the limitations of liability set out in the Terms of Service.

17. Governing Law and Jurisdiction

This DPA is governed by the laws of the Netherlands.

Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the Dutch courts.

18. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

19. Acceptance

This DPA is automatically incorporated into and forms part of the Terms of Service. By using the Services, the Customer agrees to this DPA.