Data Processing Agreement

This Data Processing Addendum explains how Trigify processes personal data on your behalf when providing its Services.

Last updated
Wednesday 13th May 2026

Parties

  1. TRIGIFY.IO LIMITED, a company incorporated in England and Wales under No. 14927586 whose registered office is at Orchard Cottage, Bereleigh, Petersfield, GU32 1PH, England (Supplier);
  2. [CUSTOMER], a company incorporated in [jurisdiction] under No. [COMPANY NUMBER] whose registered office is at [REGISTERED ADDRESS] (Customer).

(each a party and together the parties)

Background

  1. The Supplier is a provider of B2B signal intelligence, social listening and sales automation services. The Services analyse engagement signals across publicly available sources and third-party data providers to surface engagement metrics, topic interest, and professional activity trends, and to enrich records, trigger workflows, and synchronise information between the Customer’s connected systems (Services).
  2. The parties entered into an agreement for the provision of services on [DATE] (Agreement).
  3. The parties have agreed to enter into this DPA in relation to the processing of personal data by the Supplier in the course of providing the Services. The terms of this DPA are intended to apply in addition to and not in substitution of the terms of the Agreement.

Agreement

1. Meanings

In this DPA, the following words are defined:

Addendum: the International Data Transfer Addendum to the EU Standard Contractual Clauses available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (as amended or updated from time to time).

Affiliate: any entity that directly or indirectly controls, or is controlled by, or is under common control with the subject entity. "Control" for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

Data Protection Law:
a. all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom applicable to the Processing of Personal Data under the Agreement, including, but not limited to EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; and
b. to the extent applicable, the data protection or privacy laws of any other country.

EU Standard Contractual Clauses: Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as may be replaced or superseded by the European Commission.

GDPR:
a. Regulation (EU) 2016/679 (the EU GDPR); and
b. the EU GDPR as implemented or adopted under the laws of the United Kingdom (UK GDPR).

Personnel: in relation to a party, those of its employees, workers, agents, consultants, contractors, sub-contractors, representatives or other persons employed or engaged by that party on whatever terms.

Sub-processor: any entity (whether or not an Affiliate of the Supplier, but excluding the Supplier’s Personnel) appointed by or on behalf of the Supplier to process Personal Data on behalf of the Customer under this DPA.

Working Day: any day, other than a Saturday, Sunday, or public holiday in England and Wales.

"Data Subject", "Processing", "Personal Data", "Controller", "Processor", "Supervisory Authority" and "Personal Data Breach" shall have the same meaning as ascribed to them in the Data Protection Law.

2. Processing Customer Personal Data

  1. For the purpose of Data Protection Law, the Customer shall be the Controller and the Supplier shall be the Processor.
  2. The Supplier and each Supplier Affiliate shall:
    a. comply with all applicable Data Protection Law in the Processing of Customer Personal Data; and
    b. only Process Personal Data on the Customer’s documented instructions, unless Processing is required by any applicable law to which the Supplier is subject (in which case, the Supplier shall, to the extent permitted by applicable law, inform the Customer of such legal requirement before undertaking the Processing).
  3. The Supplier and each Supplier Affiliate shall take reasonable steps to ensure the reliability of Personnel who have access to the Personal Data, ensuring in each case that such Personnel is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they Process the Personal Data in compliance with all applicable law and only for the purpose of delivering the Services under the Agreement.

3. Security

  1. The Supplier will establish data security in relation to the Processing of Personal Data under this DPA. The measures to be taken must guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of the Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons must be taken into account.
  2. In assessing the appropriate level of security, the Supplier shall take into account any risks that are presented by the Processing, in particular, from a Personal Data Breach.
  3. The Supplier has laid down the technical and organisational measures in Schedule 2 of this DPA. Technical and organisational measures are subject to technical progress and further development. In this respect, the Processor may implement alternative adequate measures from time to time and shall notify the Customer in writing where it has done so.

4. Sub-Processors

  1. The Customer authorises the Supplier and each Supplier Affiliate to appoint the Sub-processors listed in Schedule 3 (if any) and any new Sub-processors in accordance with the subsequent provisions.
  2. With respect to each Sub-processor, the Supplier, or the Supplier Affiliate shall:
    a. carry out appropriate due diligence prior to the Processing by such Sub-processor to ensure that the Sub-processor is capable of providing the level of protection for Personal Data required by the terms of the Agreement and this DPA;
    b. enter into a written agreement with the Sub-processor incorporating terms which are substantially similar to (and no less onerous than) those set out in this DPA and which meet the requirements of Article 28(3) of UK GDPR; and
    c. remain fully liable to the Customer for all acts or omissions of such Sub-processor as though they were its own.
  3. The Supplier and each Supplier Affiliate may continue to use Sub-processors already engaged by the Supplier or Supplier Affiliate as at the date of this DPA, provided that the Supplier has met, as of the Effective Date, the obligations set forth in the preceding clause.
  4. The Supplier shall give the Customer at least thirty (30) days’ prior written notice of the appointment of any new Sub-processor, including the name of the Sub-processor it seeks to appoint and the Processing activity to be undertaken by the Sub-processor. The Supplier may publish updates to its Sub-processor list at the URL referenced in Schedule 3 and, where the Customer has subscribed to such notifications (e.g., by email subscription or RSS feed), such publication shall constitute notice for the purposes of this clause.
  5. If within 30 days of receipt of notice under the preceding clause, the Customer (acting reasonably and in good faith) notifies the Supplier in writing of any objections to the proposed appointment:
    a. the parties will work in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of the proposed Sub-processor without unreasonably burdening the Customer; and
    b. where such a change cannot be made within 30 days of the Supplier’s receipt of the Customer’s notice, the Customer may, notwithstanding the terms of the Agreement, serve written notice on the Supplier to terminate the Agreement to the extent that the provision of the Services is or would be affected by the appointment.

5. Data Subject Rights

  1. Taking into account the nature of the Processing, the Supplier and each Supplier Affiliate shall assist the Customer in implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising Data Subjects’ rights under the Data Protection Law.
  2. The Supplier shall:
    a. promptly (and in any event, within five (5) Working Days) notify the Customer if it (or any of its Sub-processors) receives a request from a Data Subject; and
    b. fully cooperate with and assist the Customer in relation to any request made by a Data Subject, under the Data Protection Law in respect of Personal Data Processed by the Supplier under the terms of the Agreement or this DPA.

6. Personal Data Breaches

  1. The Supplier shall:
    a. notify the Customer without undue delay (in any event, no later than 72 hours) upon becoming aware of any Personal Data Breach affecting the Personal Data Processed by the Supplier under this DPA;
    b. provide sufficient information to enable the Customer to evaluate the impact of such Personal Data Breach and to meet any obligations on the Customer to report the Personal Data Breach to a Supervisory Authority and/or notify the affected Data Subjects in accordance with the Data Protection Law;
    c. provide the Customer with such assistance as the Customer may reasonably request; and
    d. cooperate with the Customer and take such reasonable commercial steps (as directed by the Customer) to assist in the evaluation, investigation, mitigation and remediation of each such Personal Data Breach.

7. Data Protection Impact Assessment and Prior Consultation

  1. The Supplier and each Supplier Affiliate shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent authorities which the Customer considers necessary pursuant to Articles 35 and 36 of the UK GDPR.
  2. Such assistance from the Supplier shall be limited, in each case, to the Processing of Personal Data under this DPA.

8. Return and Deletion of Personal Data

  1. Subject to the subsequent clause, the Supplier and each Supplier Affiliate shall promptly and in any event, within 30 days of the expiry or termination of the Agreement, delete or return all copies of Personal Data Processed by the Supplier and/or its Sub-processors on behalf of the Customer by such means as the parties shall agree in writing.
  2. The Supplier (and its Sub-processors) may retain Personal Data Processed under this DPA to the extent required by any applicable law to which the Supplier (or any Sub-processor) is subject and only to the extent and for such period as required by applicable law. Where applicable, the Supplier shall notify the Customer of any such requirement and ensure the confidentiality of such Personal Data. Any Personal Data Processed under this DPA and retained by the Supplier (or any Sub-processor) in accordance with this clause shall not be Processed for any purpose other than the purpose specified in the applicable laws.
  3. The Customer may require the Supplier to provide written certification confirming that it has complied in full with its obligations under this section entitled "Return and deletion of personal data."

9. Audits

  1. The Supplier and each Supplier Affiliate shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA.
  2. The Supplier shall allow for and contribute to audits, including inspections, by the Customer (or any other auditor mandated by the Customer) in relation to the Processing of Personal Data under this DPA.

24A. Notwithstanding clauses 23 and 24, where the Supplier holds a current independent third-party audit report (including but not limited to SOC 2 Type II or ISO 27001) covering the Services and the Processing under this DPA, provision of such report to the Customer on a confidential basis shall satisfy the Supplier’s audit obligations under this section in respect of the matters covered by the report, save where the Customer can demonstrate specific reasonable cause for an on-site audit (such as following a material Personal Data Breach affecting the Customer’s Personal Data, or a formal investigation by a Supervisory Authority).

  1. The Customer (or any other auditor mandated by the Customer) shall give the Supplier or Supplier Affiliate reasonable notice of any audit or inspection, and shall make all reasonable endeavours to avoid causing any damage, injury or disruption to the Supplier or Supplier Affiliate’s premises, equipment, personnel and business in the course of the audit or inspection.
  2. Such audit rights may be exercised only once in any calendar year during the term of the Agreement and for a period of 3 years following the expiry or termination of the Agreement.

10. Restricted Transfers

  1. For the purposes of this section entitled "Restricted transfers", a "Restricted Transfer" is an onward transfer of Personal Data from the Supplier (or a Sub-Processor) to a Sub-Processor, in each case, where such transfer would be prohibited by Data Protection Law in the absence of a defined appropriate safeguard (e.g. the EU Standard Contractual Clauses and the Addendum).

27.1 The Supplier confirms that all Sub-processors engaged as of the Effective Date have in place valid and compliant international transfer mechanisms in accordance with Data Protection Law, including, where applicable, the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

  1. Subject to the subsequent clause:
    a. Where the Customer is established outside the United Kingdom or, in respect of EEA Personal Data, outside the European Economic Area, or where the Customer transfers Personal Data from the EEA to the Supplier in the United Kingdom or to a Sub-processor outside an adequacy jurisdiction, the Customer (as "data exporter") and the Supplier (as "data importer") shall be deemed to have entered into Module 2 (Controller to Processor) of the EU Standard Contractual Clauses, as supplemented by the UK International Data Transfer Addendum where the transfer is from the United Kingdom.
    b. The Supplier (as "data exporter") and each Sub-processor (as "data importer") shall enter into Module 3 (Processor to Processor) of the EU Standard Contractual Clauses, as supplemented by the UK International Data Transfer Addendum where applicable, in respect of any Restricted Transfer from the Supplier to a Sub-processor.
  2. The preceding clause shall not apply to a Restricted Transfer unless its effect, together with other reasonably practical compliance steps (which do not include obtaining consent from Data Subjects) is to allow the Restricted Transfer to take place without breach of applicable Data Protection Law.

11. Liability

  1. Nothing in this DPA limits or excludes either party’s liability for death or personal injury caused by its negligence, or fraud or fraudulent misrepresentation.
  2. Subject to the preceding clause, the total liability of either party to the other for any non-compliance with this DPA shall be subject to any limitation regarding monetary damages set forth in the Agreement.

12. General Terms

  1. Except in respect of any provision of this DPA that expressly or by implication is intended to come into or continue in force on or after the expiry or termination of the Agreement, this DPA shall be coterminous with the Agreement.
  2. No party may assign, transfer or sub-contract to any third party the benefit and/or burden of the DPA without the prior written consent (not to be unreasonably withheld) of the other party.
  3. No variation of the DPA will be valid or binding unless it is recorded in writing and signed by or on behalf of both parties.
  4. The Contracts (Rights of Third Parties) Act 1999 does not apply to the DPA and no third party has any right to enforce or rely on any provision of the DPA.
  5. Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
  6. If any court or competent authority finds that any provision (or part) of the DPA is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of the DPA will not be affected.

13. Governing Law and Jurisdiction

  1. This DPA will be governed by and interpreted according to the law of England and Wales and all disputes arising under the DPA (including non-contractual disputes or claims) shall be subject to the exclusive jurisdiction of the English and Welsh courts.

Schedule 1 - Processing Activities

This Schedule 1 sets out the details of the Processing of Personal Data as required by Article 28(3) of the UK GDPR. The subject matter and duration of the Processing are set out in the Agreement and this DPA.

Nature and purpose of the Processing of Personal Data

The Supplier will Process Personal Data solely for the purpose of providing the Services to the Customer in accordance with the Agreement, including signal intelligence (the surfacing of engagement signals from publicly available sources and third-party data providers), social listening, analytics, B2B contact enrichment, workflow automation, integration with the Customer’s connected systems, and related support and maintenance activities.

Categories of Data Subjects

The Personal Data Processed under this DPA relates to the following categories of Data Subjects:

  • Business professionals (including employees, executives, and other working professionals) who engage publicly with topics, companies, or content relevant to the Customer’s target market;
  • Individuals identifiable from publicly accessible business profile data (for example, professional networking profiles, public posts, and other publicly available content);
  • Individuals whose business contact details the Customer instructs the Supplier to enrich via third-party data providers;
  • Customer end users (employees of the Customer) where the Supplier processes such data as part of the Customer’s administration of the Service.

Types of Personal Data

The Personal Data Processed under this DPA may include the following types of data:

  • Public profile information (including names, usernames, display names, biographies, profile URLs, job titles, employers, location, and similar professional identifiers);
  • Publicly available content and engagement data from online platforms (including posts, comments, likes, follower counts, and engagement metrics);
  • Business contact details (such as business email addresses and business phone numbers) obtained from third-party data providers or public sources;
  • Platform-specific identifiers and metadata;
  • Usage, interaction, and technical metadata generated through use of the Services.

Special categories of Personal Data

The Supplier does not intentionally Process special categories of Personal Data (as defined under Article 9 UK GDPR) under the Services.

Categories of recipients

Personal Data may be disclosed to the Supplier’s authorised Personnel and approved Sub-processors solely in accordance with this DPA and as necessary to provide the Services.

Explicit exclusions

For the avoidance of doubt, the Services are not intended to Process Personal Data relating to the Customer’s own customers, clients, or their respective employees or representatives, except to the extent such data constitutes publicly available business or profile data processed in accordance with this Schedule.

Obligations and rights of the Customer

The obligations and rights of the Customer are set out in the Agreement and this DPA.

Schedule 2 - Technical and Organisational Measures

The Supplier maintains the following technical and organisational measures, designed to ensure a level of security appropriate to the risk pursuant to Article 32 UK GDPR. The Supplier’s information security practices are described in summary form below; further detail is available on request to support customer due diligence.

1. Encryption

a. Encryption in transit using TLS 1.2 or higher for all customer-facing endpoints.
b. Encryption at rest using AES-256 or equivalent for Personal Data stored in production databases.
c. Encryption key management using provider-managed key management services (e.g., AWS KMS via Supabase).

2. Access Control

a. Role-based access controls (RBAC) applied to production systems.
b. Principle of least privilege applied to personnel access to Personal Data.
c. Multi-factor authentication (MFA) required for all administrative access to production systems.
d. Single sign-on (SSO) via verified identity providers for employee access where supported.
e. Periodic access reviews with revocation of unused credentials.

3. Authentication

a. Customer authentication via Clerk (SOC 2 Type II certified) or equivalent identity provider.
b. Customer credentials stored as hashed values only; never in plaintext.
c. Session management using secure cookies (Secure, HttpOnly, SameSite attributes).

4. Logging and Monitoring

a. Audit logging of administrative actions and access to production systems.
b. Application performance monitoring and error tracking, with Personal Data scrubbing configured.
c. Anomaly detection and alerting on suspicious activity.

5. Network and Infrastructure Security

a. Web application firewall (WAF) and edge security via Cloudflare.
b. Distributed denial-of-service (DDoS) protection at edge.
c. Network segmentation between production, staging, and development environments.
d. Production hosted on SOC 2 Type II and/or ISO 27001 certified cloud providers (including Vercel, Supabase, Cloudflare).

6. Data Backup and Resilience

a. Automated encrypted backups of production Personal Data.
b. Backup retention and periodic disaster recovery testing.

7. Personnel Security

a. Background screening for personnel with production access (where legally permitted).
b. Confidentiality obligations in all employee and contractor agreements.
c. Data protection awareness training for personnel handling Personal Data.

8. Vendor and Sub-processor Security

a. Security and data protection due diligence on Sub-processors before engagement.
b. Written data processing terms in place with all Sub-processors.
c. Periodic review of Sub-processor security posture.

9. Incident Response

a. Documented incident response plan with designated responders.
b. Breach notification process aligned with UK GDPR Article 33 timelines.

10. Customer Data Segregation

a. Logical tenant isolation in multi-tenant systems.
b. Personal Data is not commingled across customer accounts.

11. Audit and Compliance

a. Periodic internal security reviews and vulnerability assessments.
b. SOC 2 certification in progress; status available on request.
c. Compliance with the UK GDPR, the EU GDPR (where applicable), and applicable data protection laws.

Technical and organisational measures are subject to technical progress and further development. The Supplier may update these measures from time to time, provided the level of security is not materially decreased. Material updates will be reflected in the version of this DPA referenced on the Supplier’s website at https://www.trigify.io/policies/dpa.

Schedule 3 - Sub-Processors

The Customer agrees that the Supplier may sub-contract certain obligations under this DPA to Sub-processors.

The Supplier maintains a current list of authorised Sub-processors at https://www.trigify.io/policies/sub-processors, which forms part of this Schedule 3. Updates to that list shall be made in accordance with clauses 13 and 14 of this DPA.

The Sub-processors engaged as of the Effective Date are summarised below. The published list at the URL above is the authoritative current version.

Infrastructure and Hosting

  • Supabase Inc. (Postgres database, authentication, storage) - Region per project at creation; UK IDTA + EU SCCs in place
  • MongoDB Atlas (document database) - Region per cluster at creation; UK IDTA + EU SCCs
  • Vercel Inc. (frontend hosting, serverless functions) - US (global edge); UK IDTA + EU SCCs
  • Cloudflare Inc. (CDN, WAF, DNS) - Global edge with UK PoPs; UK IDTA + EU SCCs
  • Railway (backend compute) - US; UK IDTA + EU SCCs
  • Redis (in-memory cache) - Region per customer configuration; UK IDTA + EU SCCs

Identity and Authentication

  • Clerk Inc. (authentication, session management) - US; UK IDTA + EU SCCs
  • Unkey (API key management) - US; UK IDTA + EU SCCs

Payments

  • Stripe Inc. (payment processing) - US/Ireland; UK IDTA + EU SCCs (Stripe DPA). Stripe acts as joint controller for fraud and KYC purposes.

Communications and Notifications

  • Resend (transactional email) - US; UK IDTA + EU SCCs
  • Twilio (SMS) - US; UK IDTA + EU SCCs
  • Pusher (Bird) (real-time messaging) - Per app cluster; UK IDTA + EU SCCs
  • Svix (outbound webhooks) - Multi-region; UK IDTA + EU SCCs

Monitoring and Observability

  • Sentry (error tracking) - US or EU; UK IDTA + EU SCCs
  • PostHog (product analytics) - EU Cloud or US Cloud; UK IDTA + EU SCCs
  • Datadog (infrastructure monitoring) - US or EU; UK IDTA + EU SCCs

AI Providers (where used to deliver the Services)

  • OpenAI LLC - US; UK IDTA + EU SCCs; configured for zero data retention where supported
  • Anthropic PBC - US; UK IDTA + EU SCCs; configured for zero data retention where supported
  • Google LLC (Gemini API) - US/EU; UK IDTA + EU SCCs (Google DPA)
  • Maxim AI (LLM observability) - US; UK IDTA + EU SCCs

Workflow and Integrations

  • Inngest (background jobs) - US; UK IDTA + EU SCCs
  • Nango.dev (integration runtime) - EU; adequacy decision applies
  • Polytomic (data sync) - US; UK IDTA + EU SCCs

Data Providers (sources for Services-derived insights)

  • People Data Labs, Apollo.io, Clay, Predict Leads, TheirStack, EnsembleData, Podscan, RapidAPI, Better-Contact, Ocean.io, Prospeo, Firecrawl. Region and safeguards per individual vendor; documented in the public Sub-processor list.
Max Mitcham

Max is the Founder & CEO of Trigify.io