Legal
Data Processing Agreement
Last updated: June 2026
These Data Processing Agreement terms (“DPA”) apply where Trenith Technologies Private Limited (“Trenith”, “Processor”) processes personal data on behalf of a client (“Client”, “Controller”) in the course of providing services. This DPA forms part of, and is governed by, our Terms & Conditions and the applicable statement of work (SOW). A counter‑signed copy is available on request at legal@trenith.com.
1. Definitions & roles
“Personal data”, “processing”, “controller”, “processor”, and “data subject” have the meanings given under applicable data‑protection law (including the EU/UK GDPR and the India Digital Personal Data Protection Act, 2023 (“DPDP”)). For the personal data Trenith processes to deliver the services, the Client acts as controller (or data fiduciary) and Trenith acts as processor (or data processor). Each party complies with its own obligations under applicable law.
2. Scope, subject‑matter & duration
Trenith processes personal data only to provide the services described in the SOW, for its duration. The subject‑matter, nature and purpose of processing, the types of personal data, and the categories of data subjects are those described in the SOW and the Client’s instructions.
3. Processing on documented instructions
Trenith processes personal data only on the Client’s documented instructions (including the SOW and this DPA), unless required by law, in which case Trenith informs the Client first where legally permitted. Trenith promptly informs the Client if, in its opinion, an instruction infringes applicable data‑protection law.
4. Confidentiality
Trenith ensures that persons authorised to process the personal data are bound by confidentiality and process the data only as instructed.
5. Security measures
Trenith implements appropriate technical and organisational measures to protect personal data, taking into account the state of the art and the risk. These include encryption in transit (TLS/HSTS) and at rest, application‑layer encryption (AES‑256‑GCM) for sensitive credentials, least‑privilege role‑based access, managed secret storage, and abuse protection on public endpoints. A summary is published on our Security page.
6. Sub‑processors
The Client gives general authorisation for Trenith to engage the sub‑processors listed at trenith.com/sub-processors and to appoint new ones, provided Trenith (a) imposes data‑protection obligations on each sub‑processor equivalent to those in this DPA, (b) remains liable for its sub‑processors’ performance, and (c) updates the sub‑processor list and gives the Client advance notice of material changes so the Client may reasonably object.
7. International transfers
Where processing involves transferring personal data across borders (for example to the cloud regions of our sub‑processors), the parties rely on a lawful transfer mechanism, such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or another mechanism valid under applicable law, together with any supplementary measures required.
8. Assistance to the Client
Taking into account the nature of processing, Trenith provides reasonable assistance to help the Client respond to data‑subject requests (access, correction, erasure, portability, objection, grievance redressal) and to meet its security, breach‑notification, and data‑protection‑impact‑assessment obligations.
9. Personal‑data breaches
Trenith notifies the Client without undue delay after becoming aware of a personal‑data breach affecting the Client’s data, and provides information reasonably available to help the Client meet its own notification obligations.
10. Return & deletion
On termination of the services, Trenith deletes or returns the personal data at the Client’s choice, and deletes existing copies unless retention is required by law.
11. Audits
Trenith makes available information reasonably necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the Client or an auditor it mandates, subject to reasonable confidentiality, notice, and frequency limits.
12. Liability & precedence
Liability under this DPA is subject to the limitations in our Terms & Conditions and the SOW. If there is a conflict on data‑protection matters, this DPA prevails over the Terms; a signed SOW or negotiated DPA prevails over this page.
13. Contact
Data‑protection & DPA requests: legal@trenith.com · Privacy: privacy@trenith.com · Grievance Officer (India): grievance@trenith.com.
These are standard terms provided for transparency and are not legal advice. For a binding, counter‑signed DPA (with SCCs/IDTA annexes and the processing schedule completed for your engagement), contact legal@trenith.com.