Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between Esprit Labs Inc. (“Esprit Labs,” “we,” “us,” or “our”), the operator of the Trident product, and the customer that has entered into a subscription or other written agreement for the Trident services (the “Customer,” “you”). It applies where, and to the extent that, Esprit Labs processes personal data on the Customer’s behalf (“Customer Personal Data”) in the course of providing the services (the “Services”).

This DPA reflects the parties’ agreement on the processing of Customer Personal Data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (“ GDPR”), the UK GDPR, and the California Consumer Privacy Act as amended (“CCPA”) (together, “Data Protection Laws”). It should be read together with our Privacy Policy and Terms of Service. Where this DPA conflicts with those documents on the subject of personal-data processing, this DPA controls.

Roles of the parties

For Customer Personal Data processed under the agreement, the Customer is the controller (or, under the CCPA, the business) and Esprit Labs is the processor (or service provider). Each party is responsible for complying with its own obligations under Data Protection Laws. The Customer is responsible for the lawfulness of the personal data it provides and for having an appropriate legal basis for the processing.

Scope of processing

The subject matter, duration, nature, and purpose of the processing, the types of personal data, and the categories of data subjects are described in Annex 1. Esprit Labs processes Customer Personal Data only to provide and support the Services and as otherwise instructed by the Customer.

Processing instructions

Esprit Labs processes Customer Personal Data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law (in which case we will inform the Customer of that requirement before processing, unless the law prohibits such notice). The agreement, this DPA, and the Customer’s use and configuration of the Services constitute the Customer’s complete documented instructions. We will inform the Customer if, in our opinion, an instruction infringes Data Protection Laws.

Confidentiality

We ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and have received appropriate data-protection training. Access is limited to personnel who need it to provide the Services.

Security measures

We implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing. A summary of these measures is set out in Annex 2, and an overview of our broader security program is on our Security page. We may update these measures provided the overall level of protection is not materially reduced.

Subprocessors

The Customer provides general authorization for Esprit Labs to engage subprocessors to process Customer Personal Data, subject to this section. A current list of subprocessors is available on request (see Annex 3). We impose data-protection obligations on each subprocessor that are no less protective than those in this DPA and remain responsible for each subprocessor’s performance. We will give the Customer reasonable prior notice of the addition or replacement of a subprocessor, and the Customer may object on reasonable data-protection grounds within the notice period; if the parties cannot resolve the objection, the Customer may terminate the affected portion of the Services.

Data subject rights

Taking into account the nature of the processing, we provide reasonable assistance, through appropriate technical and organizational measures, to enable the Customer to respond to requests from data subjects exercising their rights under Data Protection Laws (such as access, rectification, erasure, restriction, portability, and objection). If we receive such a request directly, we will, unless legally prohibited, promptly notify the Customer and will not respond except on the Customer’s documented instructions.

Personal data breaches

We notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide the information reasonably available to us to assist the Customer in meeting its own breach-notification obligations under Data Protection Laws.

International transfers

Esprit Labs is headquartered in the United States. Where we process Customer Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland in a country that has not been recognized as providing an adequate level of protection, such transfers are governed by the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), which are incorporated into this DPA by reference and completed with the details in the Annexes.

Return and deletion

Upon termination or expiry of the agreement, we will, at the Customer’s choice, delete or return Customer Personal Data and delete existing copies, unless retention is required by applicable law. Subject to that exception, deletion occurs within a commercially reasonable period in accordance with our standard data-retention practices. Customers may request deletion at any time by writing to junaid@usetrident.dev.

Audits

We make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party certifications and audit reports where available. Where Data Protection Laws require an audit right that such information does not satisfy, the Customer may, on reasonable prior written notice and no more than once per year (unless required by a supervisory authority), conduct an audit limited to systems and information relevant to the processing of Customer Personal Data, subject to confidentiality obligations and conducted so as to minimize disruption to our operations.

CCPA terms

To the extent the CCPA applies, Esprit Labs acts as a service provider with respect to Customer Personal Data and processes it solely for the business purpose of providing the Services. We do not sell or share Customer Personal Data, do not retain, use, or disclose it for any purpose other than performing the Services (or as otherwise permitted by the CCPA), and do not combine it with personal information from other sources except as permitted by the CCPA.

Annexes

Annex 1 — Details of processing

• Subject matter — our provision of the Services to the Customer.
• Duration — the term of the agreement, plus any period required to return or delete Customer Personal Data.
• Nature and purpose — hosting, processing, analysis, and security monitoring of cloud and AI-agent telemetry and related data to provide the Services.
• Types of personal data — account and contact details (such as name, work email, and organization); usage and log data; and any personal data contained within content the Customer connects to or routes through the Services.
• Categories of data subjects— the Customer’s authorized users and personnel, and individuals whose data is contained in content processed by the Services.

Annex 2 — Technical and organizational measures

• Encryption of Customer Personal Data in transit and at rest using industry-standard protocols.
• Role-based access controls, least-privilege access, and multi-factor authentication for administrative access.
• Network security controls, logging, and monitoring to detect and respond to unauthorized activity.
• Regular backups, resilience measures, and a documented incident-response process.
• Vulnerability management, secure development practices, and periodic security testing.
• Personnel confidentiality obligations and ongoing security and data-protection training.

Annex 3 — Subprocessors

We engage a limited set of infrastructure and operational subprocessors to deliver the Services, which may include cloud-hosting, data-storage, communications, and analytics providers. The current list of subprocessors, including each provider’s purpose and processing location, is maintained by Esprit Labs and made available on request to junaid@usetrident.dev.

Contact

Questions about this DPA, requests to exercise rights, or requests for the current subprocessor list may be sent to the address below. This DPA is provided as a standard template and does not constitute legal advice.