Discover our latest updates and insights. Read the blog

Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Triqai (trade name of Rediant, Netherlands, KVK 97621803) and the customer using the Services ("Customer").

This DPA applies where Triqai processes personal data on behalf of the Customer in connection with the API and related services.

1. Purpose and Scope

This DPA governs processing under GDPR Article 28. Triqai processes Customer Personal Data only on documented instructions from the Customer, unless otherwise required by applicable law.

2. Roles of the Parties

  • Customer acts as Controller (or processor acting on behalf of its controller).
  • Triqai acts as Processor for Customer Personal Data processed to provide the Services.

Triqai acts as an independent controller for limited operational data processed for service security, anti-abuse, billing administration, and legal compliance, as described in the Privacy Policy.

3. Subject Matter, Duration, and Processing Details

  • Subject matter: Processing transaction inputs and related metadata for enrichment and delivery of results.
  • Nature of processing: Collection, storage, structuring, analysis, enrichment, retrieval, and deletion.
  • Data subjects: End users and individuals referenced in submitted transaction data.
  • Personal data categories: Transaction descriptions and associated context that may include personal data.
  • Duration: For the term of Services and according to retention periods in this DPA and the Privacy Policy.

4. Processor Obligations

Triqai shall:

  1. Process data only on documented instructions from the Customer.
  2. Ensure personnel with access to personal data are subject to confidentiality obligations.
  3. Implement appropriate technical and organizational security measures.
  4. Assist with data subject rights requests where applicable.
  5. Assist with DPIAs, consultations, and security incident handling where reasonably required.
  6. Maintain records and evidence needed to demonstrate compliance under Article 28.
  7. Not sell Customer Personal Data and not use Customer Personal Data to train foundation models.

5. Security Measures

Triqai implements security controls including encryption in transit, scoped access controls, rate limiting, monitoring, and incident response. Additional details may be provided through security documentation and audit artifacts under confidentiality terms.

6. Retention and Deletion

  • Transaction and transaction-linked data: retained up to 90 days by default via automated retention controls.
  • Operational diagnostics/logs/caches: generally up to 90 days.
  • Extended operational retention: up to 1 year only where strictly necessary for active security investigations, fraud prevention, or active support obligations.

Upon termination or verified deletion request, Triqai deletes or returns Customer Personal Data as required by applicable law and product functionality. Scheduled cleanup cycles may apply for certain transient systems.

7. Subprocessors

The Customer grants general authorization for Triqai to use subprocessors required to provide the Services. Triqai imposes data protection obligations on subprocessors that are materially consistent with this DPA and remains responsible for subprocessor performance to the extent required by law.

Triqai publishes the current subprocessor list (including function, location, and transfer context) at /page/subprocessors.

Change notifications: Triqai will provide at least 15 days prior notice for material subprocessor additions or replacements, except where shorter notice is required to address urgent security or availability issues. Notice is provided to account-owner or designated contractual contacts and may also be published in-product or on the website.

Objections: Customer may object in writing on reasonable data protection grounds within the notice period. Triqai will work in good faith to address objections, which may include mitigation steps, alternative processing options where feasible, or affected-service termination rights if no reasonable resolution is available.

8. International Transfers

Triqai processes data in the EU where feasible. For restricted transfers, Triqai relies on appropriate safeguards, including the EU SCCs (and UK/Swiss equivalents or addenda where applicable), together with supplementary measures as needed.

9. Data Subject Requests

Triqai will assist Customer in fulfilling obligations to respond to requests from data subjects under applicable data protection law, taking into account the nature of processing and information available to Triqai.

10. Personal Data Breaches

Triqai will notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Personal Data and will provide relevant information reasonably required for Customer compliance obligations. Where feasible, initial notice is targeted within 72 hours of confirmation.

11. Audits and Compliance Evidence

Upon reasonable request, Triqai will provide information necessary to demonstrate compliance, typically including security documentation, certifications/reports (where available), and responses to reasonable questionnaires.

If such information is insufficient for a specific legal obligation, the parties may agree on a scoped audit process subject to reasonable notice, confidentiality, security controls, and proportionality constraints.

12. Liability

Liability under this DPA is subject to the liability framework in the governing commercial agreement (including Terms of Service and any executed enterprise agreement), except where prohibited by law.

13. Governing Law and Jurisdiction

Unless otherwise agreed in a signed enterprise agreement, this DPA is governed by the laws of the Netherlands and disputes are subject to Dutch courts.

14. Order of Precedence

For data protection matters, this DPA prevails over conflicting terms in the standard Terms of Service. Where an executed enterprise agreement contains data protection terms, that agreement governs to the extent expressly stated.

Related Legal Pages

Subprocessors | Enterprise Addendum

15. Acceptance

This DPA is incorporated into the Terms of Service and applies when Customer uses the Services as a controller (or processor acting for a controller).

View legal changelog