Data Processing Agreement
The UK GDPR Article 28 contract governing how Trinity processes personal data on behalf of dealership customers. Incorporated by reference into the Terms of Service.
- Last updated
- 22 April 2026
- Version
- 1.0
Overview and structure
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer and Trinity — operated by Future Laboratories LTD (company number 17047436), a company registered in England and Wales with its registered office at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ ("Trinity", "we", "us") — that incorporates or otherwise references this DPA, including the Trinity Terms of Service (the "Agreement").
This DPA governs the Processing of Personal Data by Trinity in the course of providing the Services. It is designed to satisfy Article 28 of the UK GDPR and applies whenever Trinity acts as a Processor on the Customer's behalf. Capitalised terms used but not defined in this DPA have the meanings given in the Agreement or in the Definitions section below.
In the event of any conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA prevails.
Trinity as Processor; Customer as Controller
For the Services provided under the Agreement, Trinity acts as a Data Processor on the Customer's behalf, and the Customer acts as the Data Controller. The details of the Processing are set out below.
| Subject matter | Provision of Trinity's AI voice platform for car dealerships, including call ingestion, transcription, analysis, and voice automation. |
|---|---|
| Duration | For the term of the Agreement and any post-termination period required to fulfil Trinity's obligations (including deletion or return of Personal Data). |
| Nature and purpose | Ingestion of completed telephone calls and related metadata from Customer's telephony platform; speech-to-text transcription; AI-driven analysis (categorisation, summaries, quality signals); storage and retrieval through the Trinity dashboard; operational logging and security monitoring. |
| Types of Personal Data | Voice recordings (audio); call metadata (direction, caller and callee numbers, timestamps, duration, agent extension); transcripts and speaker-diarised turn labels; derived analytics generated from the above; Customer and Authorised User account information (name, email, role). |
| Categories of Data Subjects | Callers whose voices are recorded (the dealership's customers or prospects); dealership agents; Customer's Authorised Users; incidental third parties mentioned during a call. |
| Special-category data | Voice recordings may incidentally contain special-category Personal Data under Article 9 of the UK GDPR (for example, health information mentioned in passing). Trinity does not use voice recordings for biometric identification and does not intentionally process Article 9 data. |
Trinity's obligations as Processor
When acting as a Processor on the Customer's behalf, Trinity will, to the extent required by Data Protection Law:
3.1 Processing only on documented instructions
Process Personal Data only on the Customer's documented instructions (which include the instructions set out in the Agreement and this DPA, and configuration choices made by the Customer through Trinity's interfaces), unless required to Process Personal Data by applicable Law, in which case Trinity will inform the Customer of that legal requirement before Processing, unless the Law prohibits such notification on important grounds of public interest. Trinity will inform the Customer if, in its opinion, an instruction violates Data Protection Law.
3.2 Confidentiality
Ensure that all persons Trinity authorises to Process Personal Data are granted access on a need-to-know basis and are committed to respecting the confidentiality of that Personal Data, whether by written agreement or by statutory duty.
3.3 Security measures
Implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. The measures in place as at the effective date of this DPA are described in Annex B.
3.4 Assistance with data subject requests
Taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to enable the Customer to meet its obligation to respond to requests from Data Subjects exercising rights under Data Protection Law (access, rectification, erasure, restriction, portability, objection). If Trinity receives a request directly from a Data Subject that relates to Customer-controlled data, Trinity will inform the Customer without undue delay and (unless legally prohibited or instructed otherwise) direct the Data Subject to the Customer.
3.5 Law-enforcement requests
Inform the Customer of any legally compelled request Trinity receives from a Governmental Authority requiring disclosure of the Customer's Personal Data, unless prohibited by Law.
3.6 Breach notification
If Trinity experiences a Data Incident affecting Personal Data Processed on the Customer's behalf, or becomes aware of a Data Incident at a Sub-processor, Trinity will notify the Customer without undue delay, and in any event within 72 hours of Trinity's first becoming aware of the incident (whether by direct detection or by notification from a Sub-processor). Notification will describe, to the extent known at the time, the nature of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the incident.
Trinity may provide an initial notification with the information then known and will provide further information as it becomes available, in order to assist the Customer in meeting its own notification obligations under Article 33 of the UK GDPR.
3.7 DPIA assistance
Provide reasonable assistance to the Customer, taking into account the nature of the Processing and the information available to Trinity, with data protection impact assessments and prior consultations with supervisory authorities.
3.8 Return or deletion
At the Customer's choice, return or delete all Personal Data Processed under the Agreement, and delete existing copies, following termination of the Agreement, unless applicable Law requires continued retention. Trinity will complete deletion within 30 days of a written request following termination, subject to any longer period required by backup cycles or Law.
3.9 Audit rights
Make available to the Customer information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR, and allow for and contribute to audits conducted by the Customer or a mutually agreed independent auditor, no more than once per calendar year and on at least 30 days' prior written notice. Trinity may satisfy audit requests by providing relevant documented certifications, penetration-test summaries, or written responses to a security questionnaire of reasonable scope. All information provided is Trinity's confidential information.
3.10 No training on Customer Personal Data
Trinity shall not use Customer Personal Data — including Customer Data, Outputs, or Derived Data — to train, retrain, or fine-tune any machine-learning model for any purpose other than providing the Services to the Customer. Trinity contractually requires the same restriction of its AI Sub-processors and operates on zero-retention, no-training enterprise tiers with its large language model providers where those tiers are available.
3.11 No biometric identification
Trinity does not use voice recordings for biometric identification of Data Subjects and does not generate persistent voiceprints or voice templates. Speech-to-text transcription and intra-call speaker diarisation (labelling turns within a single call) do not, in Trinity's assessment, constitute processing for the purpose of uniquely identifying a natural person under Article 9 of the UK GDPR.
Sub-processors
The Customer provides a general authorisation for Trinity to engage the Sub-processors listed in Annex A. Trinity will:
- Enter into a written agreement with each Sub-processor that imposes on that Sub-processor data-protection obligations comparable to those imposed on Trinity under this DPA.
- Remain liable to the Customer for the acts and omissions of any Sub-processor to the same extent Trinity would be liable if performing the Services directly.
- Notify the Customer of any intended addition or replacement of a Sub-processor at least 30 days in advance (by email or through the Trinity dashboard), during which period the Customer may object on reasonable, documented data-protection grounds. If the Customer does not object in writing within the 30-day notice period, the Customer is deemed to have authorised the change.
If the Customer reasonably objects to a proposed Sub-processor change, Trinity will work in good faith to find a mutually acceptable solution (for example, by excluding the Customer's data from that Sub-processor or by using an alternative Sub-processor). During the objection period, Trinity will not engage the proposed Sub-processor to Process the Customer's Personal Data.
If no mutually acceptable solution is reached within 30 days of the objection, the Customer may terminate the parts of the Services that materially depend on the proposed Sub-processor by written notice, and Trinity will refund any prepaid but unused fees attributable to the terminated portion.
International data transfers
Trinity's core infrastructure is hosted in the European Union and United Kingdom. Where Trinity's Sub-processors offer UK or EU processing regions, Trinity selects those regions. Transfers of UK Personal Data to Sub-processors in the European Economic Area rely on the UK's recognition of the EEA as providing an adequate level of protection, in force from time to time under the UK GDPR international transfer regime.
Some Sub-processor categories listed in Annex A include providers that process Personal Data in the United States (notably certain AI language model providers). Transfers of UK Personal Data to those Sub-processors are protected by the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner's Office, together with supplementary measures (encryption in transit and at rest, and enterprise zero-retention or zero-data-retention terms with AI Sub-processors where enabled).
The Customer acknowledges and consents to these transfers where they are necessary for the performance of the Services.
Customer's obligations as Controller
The Customer will:
- Provide Trinity only with Instructions that are lawful under Data Protection Law.
- Ensure the Customer has an appropriate legal basis for the Processing of Personal Data contemplated by the Agreement, including for the recording and analysis of telephone calls.
- Provide all necessary notices to Data Subjects (for example, via IVR greetings and privacy notices) and obtain all necessary consents where required by Data Protection Law or PECR.
- Promptly remove Authorised Users who should no longer have access to the Services.
- Not configure the Services in a way that would cause Trinity to Process Personal Data outside the scope described in this DPA.
Liability
The liability of each party arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, including the twelve-month fees cap and its associated carve-outs.
Notwithstanding the foregoing, neither party limits liability where it cannot lawfully be limited under applicable Law. For the avoidance of doubt, nothing in this DPA or the Agreement limits any liability either party may have directly to a Data Subject under Article 82 of the UK GDPR.
Term and termination
This DPA is effective from the date the Customer accepts the Agreement and remains in force for the duration of the Agreement and any period required to fulfil post-termination obligations, including return or deletion of Personal Data.
Termination of this DPA has no effect on any obligations of confidentiality, security, or data protection that by their nature survive termination.
Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales for any dispute arising out of or in connection with this DPA, save that either party may seek interim or injunctive relief in any competent jurisdiction to protect its rights.
Definitions
Capitalised terms used but not defined in this DPA have the meanings given in the Agreement. In this DPA:
- "Customer Data" means information the Customer or its Authorised Users provide to Trinity, or that Trinity ingests from the Customer's telephony platform on its behalf, including call recordings, transcripts, and call metadata.
- "Data Incident" means a confirmed unauthorised or unlawful Processing, use, access, loss, disclosure, destruction, or alteration of Personal Data in Trinity's or its Sub-processors' possession or control.
- "Data Protection Law" means the UK GDPR (as defined below), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and any other applicable privacy or data-protection law or regulation.
- "Derived Data" means aggregated analytics generated from Customer Data.
- "Outputs" means results produced by Trinity's AI from Customer Data, including transcripts, summaries, analyses, and categorisations.
- "Personal Data" has the meaning given in the UK GDPR.
- "Processor", "Controller", "Data Subject", and "Processing" have the meanings given in the UK GDPR.
- "Sub-processor" means an entity engaged by Trinity to Process Personal Data on Trinity's behalf in connection with the Services.
- "UK GDPR" means the United Kingdom General Data Protection Regulation, as transposed by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended from time to time, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and the Data (Use and Access) Act 2025.
- "UK IDTA" means the United Kingdom International Data Transfer Agreement issued by the UK Information Commissioner's Office.
Annex A — Sub-processor categories
Trinity engages Sub-processors within the categories listed below to provide the Services. The Customer provides general authorisation for these engagements. Each Sub-processor is bound by a written agreement imposing data-protection obligations comparable to those Trinity accepts under this DPA.
Trinity maintains a current list of the specific named entities engaged in each category, together with the contractual transfer safeguards in place for each. This list is available to the Customer on written request to privacy@trinityapp.ai.
Trinity selects Sub-processors that offer UK or EU processing regions where operationally supported, and applies the transfer mechanisms described below where UK Personal Data is processed outside the UK/EEA.
| Category | Purpose | Processing location | Transfer safeguard |
|---|---|---|---|
| Application platform | Application database, backend functions, and dashboard hosting | European Union (UK/EU regions where supported) | UK adequacy recognition of the EEA (under the UK GDPR, in force from time to time) |
| Voice and telephony infrastructure | Call media, SIP connectivity, and call-recording object storage | European Union (UK/EU regions where supported) | UK adequacy recognition of the EEA (under the UK GDPR, in force from time to time) |
| Authentication and identity | Administrator login, session management, and identity federation | European Union (UK/EU regions where supported) | UK adequacy recognition of the EEA (under the UK GDPR, in force from time to time) |
| AI speech services | Speech-to-text transcription and text-to-speech synthesis | Predominantly European Union; certain providers in the United States | UK adequacy recognition of the EEA where EU region used; UK IDTA (or UK Addendum to EU SCCs) where US processing occurs, together with enterprise zero-retention terms where enabled |
| AI language models | Large language model inference for call analysis and agent behaviour | Predominantly United States, with UK/EU routing or data residency where available | UK IDTA (or UK Addendum to EU SCCs), together with enterprise zero-data-retention terms where enabled |
| Email delivery | Transactional email notifications to Authorised Users | European Union (UK/EU regions where supported) | UK adequacy recognition of the EEA (under the UK GDPR, in force from time to time) |
| Observability and logging | Application log aggregation, error tracking, and security monitoring | European Union (UK/EU regions where supported) | UK adequacy recognition of the EEA (under the UK GDPR, in force from time to time) |
| Product analytics | Aggregated dashboard usage analytics; no call recordings, transcripts, or call content | European Union (UK/EU regions where supported) | UK adequacy recognition of the EEA (under the UK GDPR, in force from time to time) |
| Integration orchestration | OAuth connection broker for third-party integrations (for example, calendar or CRM) | European Union (UK/EU regions where supported) | UK adequacy recognition of the EEA (under the UK GDPR, in force from time to time) |
| Calendar and scheduling | Appointment booking, availability, and scheduling where enabled per business | Configurable per integration; UK/EU region used where the provider supports it | UK adequacy recognition of the EEA where applicable; UK IDTA otherwise |
| Payment processing | Customer billing and subscription fees (Customer account data only; no call content) | United Kingdom | UK domestic processing; Trinity's payment Sub-processor is contracted through its UK entity, with any onward transfers handled under that Sub-processor's own UK Addendum to EU SCCs |
Annex B — Technical and Organisational Measures
Trinity maintains the following technical and organisational measures to protect Personal Data Processed under this DPA. These measures are subject to continuous improvement; Trinity may change them provided the overall level of security is not diminished.
Access control
- Least-privilege access for internal staff; production access restricted to authorised engineering personnel.
- Multi-factor authentication required for admin access.
- Access to Customer Data is revoked promptly on role change or departure.
Encryption
- Data in transit: TLS 1.2 or higher for all external connections.
- Data at rest: AES-256 encryption as standardly applied by Trinity's hosting Sub-processors (including application platform, voice infrastructure, object storage, and observability providers).
- Customer-supplied secrets (for example, telephony-integration client secrets) encrypted at the application layer with AES-256-GCM using a rotation-capable master key held by Trinity.
Network and infrastructure security
- Production environment segmented from non-production.
- Outbound-only connections to Sub-processors by default.
- Web application firewall and denial-of-service protection for public endpoints.
Logging and monitoring
- Audit logs for all access to Customer Data.
- Operational log retention of at least one year for security investigations.
- Alerting on anomalous access patterns and configuration changes.
Vulnerability management
- Dependency scanning on all production code paths.
- Timely patching: critical vulnerabilities within 7 days; high within 30 days.
Incident response
- Documented incident-response plan covering detection, triage, containment, and Customer notification.
- Customer notification process aligned to the timeline committed in Section 3.6.
- Post-incident review to identify and close root causes.
Business continuity and backup
- Geographically redundant data storage where supported.
- Regular backup of Customer Data with tested restore procedures.
- Documented recovery objectives aligned with the Services' availability commitments.
Personnel security
- Confidentiality obligations in employment and contractor agreements.
- Secure development practices and code review for all changes.