V2.0 TriFact365 Data Processing Agreement

Effective Date: 1 August 2026


This Data Processing Agreement forms part of the Agreement between TriFact365 and the Customer.

1. Definitions

Terms capitalised in this Data Processing Agreement have the meanings set forth below or in the General Terms and Conditions. Where Applicable Data Protection Law defines a term set forth below differently, that definition shall prevail. Defined terms have the same meaning in both the singular and plural forms.

1.1 Data Subject

The identified or identifiable natural person to whom the Personal Data relates.

1.2 Data Breach

A breach involving Personal Data as defined in the Applicable Data Protection Law.

1.3 Personal Data

Any information relating to an identified or identifiable natural person.

1.4 Subprocessor

A third party engaged by TriFact365 that processes Personal Data on behalf of TriFact365 for the benefit of the Customer.

1.5 Applicable Data Protection Law

All laws and regulations applicable to the processing of Personal Data, including the GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss FADP, and other applicable privacy laws.

1.6 Processor

The party that processes Personal Data on behalf of the Data Controller.

1.7 Processing

Any operation or set of operations performed on Personal Data, such as collecting, recording, storing, consulting, using, modifying, disclosing, or erasing it.

1.8 Data Controller

The party that determines the purposes and means of the processing of Personal Data.

2. Processing of Personal Data

2.1 Division of Roles

For Customer Data that includes Personal Data, the Customer is the Data Controller and TriFact365 is the Processor. For Personal Data for which TriFact365 itself is the Data Controller, the terms set forth in TriFact365's Privacy Statement apply. Such Processing falls outside the scope of this Data Processing Agreement.

2.2 Instructions

TriFact365 processes Personal Data exclusively on behalf of the Customer and based on the Customer's documented instructions. This Data Processing Agreement, the Processing Details in Annex A, and the use of the Service by the Customer and Application Users collectively constitute the Customer's documented instructions under Applicable Data Protection Law. The instructions include, at a minimum, the Processing for the provision of the Service, the engagement of Subprocessors in accordance with Article 7 and Annex C, and international transfers in accordance with Article 8 and Annexes D to G.

2.3 Notifications

If Applicable Data Protection Law or other applicable regulations require TriFact365 to perform Processing outside the scope of the instructions, TriFact365 will inform the Customer in advance, unless such legislation prohibits this. TriFact365 will also notify the Customer without delay if, in TriFact365's opinion, an instruction violates applicable laws and regulations.

2.4 Legal Basis

The Customer warrants that the Processing of Personal Data via the Service is based on a valid legal basis under Applicable Data Protection Law and that the Data Subjects have been informed in accordance with that law.

2.5 AI Data Use

The Processing of Personal Data as part of Customer Data and Derived Data as referred to in Section 13.5 of the General Terms and Conditions, for the purpose of training and improving AI models for the Service, is permitted under this Data Processing Agreement and falls within the scope of the Customer's documented instructions (Article 2.2). The improvement of AI functionalities is an integral and inseparable part of the Service. The AI Terms and Conditions apply additionally to the nature, scope, and categories of AI data use.

3. Compliance and Confidentiality

3.1 Compliance

When Processing Personal Data under this Data Processing Agreement, TriFact365 complies with the Applicable Data Protection Law that applies to TriFact365 as a Processor.

3.2 Confidentiality

TriFact365 ensures that individuals who have access to Personal Data are bound by a duty of confidentiality or a statutory confidentiality obligation.

4. Requests from Data Subjects and Assistance

4.1 Requests

If TriFact365 receives a request directly from a Data Subject, TriFact365 will refer the Data Subject to the Customer. TriFact365 may inform the Data Subject of this.

4.2 Assistance

TriFact365 shall provide the Customer with reasonable assistance in fulfilling its obligations under Applicable Data Protection Law, including — to the extent provided for by Applicable Data Protection Law — in handling requests from Data Subjects, implementing appropriate security measures, conducting data protection impact assessments, and engaging in prior consultations with the supervisory authority. In doing so, the nature of the Processing and the information available to TriFact365 shall be taken into account.

4.3 Costs

Assistance under this section is provided free of charge for up to two person-hours per request. For assistance beyond this, TriFact365 may charge reasonable fees based on standard rates.

4.4 Register

TriFact365 maintains a record of processing activities to the extent provided for by Applicable Data Protection Law.

5. Security Measures

5.1 Security Measures

TriFact365 implements appropriate technical and organisational measures to protect Personal Data against loss, unauthorised access, alteration, or disclosure. The measures are described in Annex B.

5.2 Evaluation

TriFact365 regularly evaluates and reviews the effectiveness of these measures and adapts them based on technological developments and the nature of the Processing.

5.3 Certifications

An up-to-date overview of certifications, security statements, and compliance information is available on the Trust Center section of the TriFact365 website.

6. Data Breaches

6.1 Reporting

The Customer is responsible for reporting a Data Breach to the supervisory authority and/or Data Subjects. TriFact365 will notify the Customer without undue delay and, to the extent reasonably possible, no later than 72 hours after discovery, so that the Customer can fulfil its reporting obligations under Applicable Data Protection Law in a timely manner.

6.2 Provision of Information

TriFact365 shall provide the information reasonably necessary to enable the Customer to comply with its notification obligations under Applicable Data Protection Law.

6.3 Cooperation

TriFact365 shall provide the Customer with reasonable cooperation in handling the Data Breach and in any notifications to the competent supervisory authority or Data Subjects.

6.4 No Admission

A report or notification under this section shall not constitute an admission of any fault or liability on the part of TriFact365.

6.5 Failed Attempts

Failed attempts that do not compromise security—such as failed login attempts, pings, port scans, or denial-of-service attacks—are not subject to the reporting obligation under this section.

7. Subprocessors

7.1 Engagement

The Customer grants TriFact365 general permission to engage Subprocessors and, upon commencement of the Agreement, consents to the Subprocessors listed at that time in the overview referred to in Annex C.

7.2 Changes

If TriFact365 wishes to add or replace a Subprocessor, TriFact365 shall give at least 14 days' prior notice, specifying the name of the intended Subprocessor, the nature of the Processing, and the location of the Processing. In urgent circumstances—such as a legal obligation requiring immediate engagement, or an acute security or continuity incident that makes continuation of the existing Processing irresponsible—the change may be implemented with immediate effect; TriFact365 will then provide the notice afterwards without undue delay, also stating the reason. The Customer may object within 10 days of the announcement. The parties will then consult in good faith to find an appropriate solution. If the consultation does not lead to a solution, the Customer may cancel the Subscription effective at the end of the current calendar month.

7.3 Pass-Through Obligations

TriFact365 imposes obligations on each Subprocessor that are at least equivalent to the data protection obligations set forth in this Data Processing Agreement.

8. International Transfers

8.1 Safeguards

TriFact365 processes Personal Data with appropriate safeguards in accordance with Applicable Data Protection Law. Transfers of Personal Data to another jurisdiction shall only take place on the basis of an adequacy decision by the competent authority or with appropriate safeguards—such as standard contractual clauses or equivalent transfer mechanisms—supplemented, where necessary, by technical and organisational measures.

8.2 Jurisdiction Annexes

For transfers of Personal Data from the EEA, the United Kingdom, and Switzerland, Annex D (EU SCCs), Annex E (UK Addendum), and Annex F (Swiss Addendum) apply in addition. Annex G governs the international applicability of this Data Processing Agreement for other jurisdictions.

8.3 Changes in Location

TriFact365 will notify the Customer in advance of any changes to the transfer location of a Subprocessor, following the same procedure as for the addition or replacement of a Subprocessor.

9. Requests from Government Authorities

9.1 Notification

If TriFact365 receives a legally binding government request for access to Personal Data, TriFact365 will notify the Customer without undue delay, unless prohibited by law or regulation.

9.2 Challenge, Minimisation

TriFact365 will contest requests that are manifestly unlawful or disproportionate and will provide only the minimum amount of Personal Data necessary.

9.3 Third Countries

TriFact365 processes requests from government authorities in third countries in accordance with Applicable Data Protection Law.

10. Reports and Audits

10.1 Reports

Upon written request from the Customer and subject to confidentiality, TriFact365 will make current audit reports and certification statements from independent third parties available, to the extent they are available. The Customer shall first consult the Trust Center on the TriFact365 website and limit any audit to topics not covered therein.

10.2 Audit

Only to the extent that the Customer cannot reasonably verify compliance through Article 10.1, or if data protection legislation or a supervisory authority requires it, may the Customer, at its own expense, have an audit conducted by an independent auditor bound by confidentiality. An audit:

(a) must be announced in writing at least 30 days in advance;

(b) shall take place during regular business hours;

(c) shall not unreasonably disrupt business operations;

(d) shall be limited to once per calendar year, unless there is a reasonable suspicion of non-compliance; and

(e) shall be conducted remotely, through document review and videoconferences.

TriFact365 does not have its own data centres or server locations; production data is processed and stored in the data centres of Subprocessors (Annex C). These data centres are not accessible for physical inspection by TriFact365 or the Customer; for this layer, the audit relies on the certifications and audit reports of the relevant Subprocessors.

10.3 Cooperation

TriFact365 will cooperate reasonably with the audit. If the audit reveals that TriFact365 is deficient in material respects, TriFact365 will bear its own costs.

11. Deletion and Retention of Data

11.1 Deletion

Upon termination of the Subscription, Personal Data will be deleted in accordance with the following timeframes:

(a) Customer Content (data entered by or on behalf of the Customer): retained for 90 days, followed by deletion from active systems within 30 days. The Customer may download the Customer Content via the Software as long as the Subscription is active;

(b) Operational data (access logs, audit trails, and technical logs): retained for up to 12 months for security and operational integrity purposes;

(c) Secure backups: overwritten according to a rolling retention schedule within 12 months of creation; processing is solely for recovery and business continuity purposes. Backups are not intended for retrieving data for individual Customers.

11.2 Statutory Retention

TriFact365 may retain Personal Data for a longer period to the extent required by law. In such cases, Processing is limited to this purpose.

12. Liability

12.1 Liability

The liability of the parties under this Data Processing Agreement, including TriFact365's liability for compliance with this Data Processing Agreement by engaged Subprocessors, is subject to the limitations and exclusions set forth in Article 18 of the General Terms and Conditions, to the extent permitted by applicable law.

13. Final Provisions

13.1 Precedence

In the event of any conflict between this Data Processing Agreement and the transfer mechanisms set forth in Annexes D to F for the relevant transfers, those transfer mechanisms shall prevail.

13.2 Term

This Data Processing Agreement shall remain in effect for as long as TriFact365 processes Personal Data under the Agreement.

Annex A — Processing Details

A.1 Subject Matter

Processing of Personal Data by TriFact365 as a Processor in connection with the Customer's use of the Service.

A.2 Purpose

To provide the Service to the Customer in accordance with the Agreement. The Customer determines which components of the Service are used and for what purpose.

A.3 Nature of the Processing

The Processing includes, among other things: receipt and storage; consultation, searching, and filtering; conversion between file formats; recognition, extraction, and classification; linking and matching of records; AI Processing, including training and improving AI models for the purposes of the Service; facilitating workflows and approval processes; reporting and analysis; creating, editing, and sending documents and data; exchanging documents and data with external software; notifications; archiving; backup and recovery; deletion; user management and authentication; customer contact and support; logging and audit logging.

A.4 Categories of Data Subjects

The Processing may involve Personal Data of:

(a) Application Users;

(b) employees and former employees of the Customer;

(c) the Customer's customers, suppliers, and other business partners;

(d) the Customer's clients and their business contacts, to the extent that the Customer uses the Service in connection with providing services to third parties;

(e) other natural persons whose Personal Data is processed by or on behalf of the Customer via the Service.

A.5 Categories of Personal Data

These include, among others:

(a) user data (name, email, login and session data);

(b) organisational and contact information (company name, address, VAT/Chamber of Commerce number, phone number, bank account number, and account holder name);

(c) technical data (IP address, timestamps, log data);

(d) other Personal Data processed by or on behalf of the Customer via the Service.

The Service is not intended for the targeted processing of special categories of Personal Data. To the extent that such data occasionally appears in documents provided by or on behalf of the Customer, the Customer is responsible for ensuring that such Processing is permitted under Applicable Data Protection Law.

A.6 Duration of Processing

TriFact365 processes Personal Data during the Subscription and thereafter exclusively for the periods and for the purposes set forth in Article 11.

A.7 Frequency of Transfers

Continuously, depending on the Customer's use of the Service.

A.8 Location of Processing

Processing locations are set forth in the overview of Subprocessors as referred to in Annex C. Transfers to other jurisdictions take place in accordance with Article 8 and Annexes D to G.

Annex B — Technical and Organisational Measures (TOMs)

B.1 Organisational Security

(a) Information Security Management System (ISMS) aligned with standards such as ISO/IEC 27001; current certification status is available on the Trust Center on the TriFact365 website.

(b) Risk management with periodic evaluation; supplier risk assessment for Subprocessors.

(c) Confidentiality obligations for all employees with access to Personal Data.

(d) Mandatory security and privacy training upon hire and periodically thereafter.

(e) Access granted based on the principle of least privilege and role-based access control (RBAC).

B.2 Logical Access Security

(a) Unique user identification; strong authentication; multi-factor authentication (MFA) for privileged access.

(b) Periodic access reviews and revocation of access rights upon a change in role or termination of employment.

(c) Secure key management with restricted access and a rotation policy.

B.3 Data Protection

(a) Encryption in transit: TLS 1.2 or higher.

(b) Encryption at rest: AES-256 or equivalent for storage, backups, and portable media.

(c) Pseudonymisation where appropriate and reasonably feasible.

B.4 Application and Development Security

(a) Secure development standards (secure SDLC); peer review; dependency checking; static and dynamic code analysis.

(b) Separate development, test, and production environments.

(c) Periodic security testing, including penetration testing.

B.5 Monitoring and Logging

(a) Centralised logging of security events (authentication, authorisation changes, administrative actions, unusual data access).

(b) Log integrity protection; log retention period of up to 12 months.

(c) Alerting and on-call rotation for security incidents.

B.6 Business Continuity and Recovery

(a) Documented Business Continuity and Disaster Recovery plans; tested periodically.

(b) Geographically separate redundancy of critical systems.

(c) Procedures to promptly restore the availability of and access to Personal Data in the event of a physical or technical incident.

B.7 Vulnerability and Patch Management

(a) Periodic vulnerability scans of infrastructure and applications.

(b) Risk-based recovery timelines; emergency patches for critical vulnerabilities.

B.8 Security Incident Response

(a) A documented Security Incident Response plan with procedures for detection, triage, containment, resolution, and recovery.

(b) Notification of Data Breaches to customers in accordance with Article 6.

(c) Root-cause analysis and corrective measures following security incidents.

B.9 Privacy by Design and by Default

(a) Privacy assessment during the design of new or modified processing operations.

(b) Data segregation per Customer (multi-tenancy).

(c) Default configurations aimed at minimising data collection and disclosure.

Annex C — Subprocessors

C.1 Current Overview

An up-to-date overview of the Subprocessors engaged by TriFact365, including the name, the nature of the Processing, and the processing location, is available on the Subprocessors page.

Annex D — EU Standard Contractual Clauses (Incorporation)

D.1 Incorporation

The EU Standard Contractual Clauses adopted by Implementing Decision (EU) 2021/914 (or any subsequent version that automatically replaces this decision) are incorporated by reference into this Data Processing Agreement and apply to transfers of personal data from the EEA to countries without an adequacy decision.

D.2 Module Selection

(a) Module 2 (controller → processor): applies to transfers of personal data from the Customer (controller) to TriFact365 (processor), to the extent that TriFact365 processes data outside the EEA.

(b) Module 3 (processor → subprocessor): applies to onward transfers from TriFact365 (processor) to Subprocessors outside the EEA.

D.3 Docking Clause

Clause 7 (docking clause) applies.

D.4 Subprocessor Authorisation

Clause 9, Option 2 (general authorisation) applies with a 14-day notice period, in accordance with Article 7.2 of this Data Processing Agreement.

D.5 Governing Law and Jurisdiction

(a) Clause 17: Dutch law.

(b) Clause 18: Midden-Nederland District Court.

D.6 Competent Supervisory Authority

The supervisory authority of the EEA Member State in which the Customer is established. If the Customer is not established in the EEA, the Dutch Data Protection Authority is the supervisory authority.

D.7 Annex Details

(a) Appendix I.A (Parties): as described in Annex A.

(b) Appendix I.B (Description of the Transfer): as described in Annex A.

(c) Appendix I.C (Supervisory Authority): as described in D.6.

(d) Appendix II (technical and organisational measures): as described in Annex B.

(e) Appendix III (List of Subprocessors): as described in Annex C.

Annex E — UK Addendum (United Kingdom and Gibraltar)

For transfers of personal data subject to the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018. References to the UK GDPR in this Annex include, where relevant, equivalent data protection laws of jurisdictions that closely align with the UK framework, including the Gibraltar General Data Protection Regulation (Gibraltar GDPR); references to the Information Commissioner's Office (ICO) shall, where applicable, be deemed to be references to the Gibraltar Information Commissioner.

E.1 Incorporation

The International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner's Office (version B.1.0 or any subsequent version that automatically supersedes it), is incorporated by reference into this Data Processing Agreement.

E.2 Applicability

The following applies additionally to Customers based in the United Kingdom:

(a) the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018 apply to the Customer as the data controller;

(b) the Information Commissioner's Office (ICO) acts as the supervisory authority for the Customer;

(c) for data transfers from the United Kingdom to third countries, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses shall be used where necessary.

E.3 Table Entries

(a) Table 1 (parties): as described in Annex A.

(b) Table 2 (selected SCCs): as described in Annex D, Module 2 or 3, as applicable.

(c) Table 3 (annex information): as described in Annex A (description), Annex B (TOMs), and Annex C (Subprocessors).

(d) Table 4 (Termination of the Addendum): Neither party chooses to deviate from the ICO's mandatory updates mechanism.

Annex F — Swiss Addendum

For transfers of personal data subject to the Swiss Federal Act on Data Protection (FADP, in effect since 1 September 2023).

F.1 Applicability

The following applies additionally to Customers based in Switzerland:

(a) the Swiss Federal Act on Data Protection (FADP) applies to the Customer as the data controller;

(b) the Federal Data Protection and Information Commissioner (FDPIC) acts as the supervisory authority for the Customer.

F.2 Amendments to the EU Standard Contractual Clauses

For transfers from Switzerland to third countries, the EU Standard Contractual Clauses apply with the modifications recognised by the FDPIC for the Swiss context, including:

(a) references to the "Member State" shall be deemed to refer to Switzerland;

(b) references to the EU GDPR are deemed, where applicable, to be references to the FADP;

(c) the competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC).

F.3 Annex Completion

(a) Annex I.A (parties): as described in Annex A.

(b) Annex I.B (Description of the Transfer): as described in Annex A.

(c) Annex I.C (Supervisory Authority): the Federal Data Protection and Information Commissioner (FDPIC).

(d) Appendix II (technical and organisational measures): as described in Annex B.

(e) Appendix III (List of Subprocessors): as described in Annex C.

Annex G — International Applicability

For the processing of personal data relating to Customers or data subjects worldwide, subject to Sanctions Legislation as further described in Article 23 of the General Terms and Conditions.

G.1 Scope

This Data Processing Agreement applies worldwide to the processing of personal data by TriFact365 with respect to Customers and data subjects, subject to Sanctions Legislation and the operational exclusion criteria as described in Article 23 of the General Terms and Conditions. The core provisions of this Data Processing Agreement (Articles 1 to 13 and Annexes A to C) apply universally to all processing activities.

G.2 Transfer Mechanism

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to Customers, data subjects, or Subprocessors in other jurisdictions, TriFact365 applies the EU Standard Contractual Clauses (Annex D), the UK Addendum (Annex E), and the Swiss Addendum (Annex F) as universal transfer safeguards, supplemented by technical and organisational measures as described in Annex B. These safeguards apply regardless of the specific jurisdiction of the Customer or the data subject.

G.3 Customer's Responsibility for Local Laws

To the extent that the Customer or the Customer's Application Users are located in a jurisdiction outside the European Economic Area, the United Kingdom, and Switzerland, the Customer is responsible for complying with the local data protection laws applicable to the Customer and the data subjects. The Customer represents that the use of the Service by the Customer and the Application Users complies with such local laws. The Customer shall indemnify TriFact365 against any third-party claims arising exclusively from obligations under the laws and regulations of the Customer's or the Application Users' place of business, to the extent that such obligations are not included in this Data Processing Agreement.

G.4 Supplementary Addendum upon Request

If a Customer requires additional data protection provisions specific to the laws and regulations of the Customer's place of business or of the data subjects, the Customer may submit a request for a separate Addendum to TriFact365. Requests will be assessed on a case-by-case basis, taking into account the nature of the processing, the complexity of the applicable legislation, and the operational feasibility for TriFact365.


— End of TriFact365 Data Processing Agreement — Version 2.0 —

TriFact365 B.V.
Arnhemseweg 10, 3817 CH Amersfoort, The Netherlands | Chamber of Commerce No. 30262227 | VAT No. NL820778540B01