Data Processing Addendum
Version 1.0 · Last updated: 23 April 2026
This Data Processing Addendum (the "DPA") forms part of, and is governed by, the Traject AI Terms of Service. It applies where Traject AI processes Personal Data on your behalf under Article 28 of the GDPR, equivalent UK GDPR obligations, and India's DPDP Act.
1. Parties and scope
This DPA is entered into between Traject AI Technologies ("Processor"), a business based in India, and you, the business entity that subscribes to the Platform ("Controller"). It applies to all Personal Data that Processor handles on behalf of Controller while delivering the Platform, and forms a contract under Article 28 GDPR.
2. Definitions
Terms not defined here take their meaning from the GDPR / UK GDPR / DPDP Act.
- Platform — the Traject AI AI-agent service described at traject-ai.in.
- Personal Data — any information relating to an identified or identifiable natural person processed under the Terms of Service.
- Data Subject — the end customer or other natural person whose Personal Data is processed.
- Sub-processor — a third party engaged by Processor to process Personal Data on Controller's behalf.
- SCCs — the Standard Contractual Clauses approved by the European Commission in Decision 2021/914.
3. Scope and instructions
Processor will process Personal Data only (a) on documented instructions from Controller, (b) to deliver the Platform as described in the Terms of Service, and (c) as required by applicable law. The subject matter, duration, nature, purpose, categories of Data Subjects and Personal Data are set out in Annex I.
4. Processor obligations
- Process Personal Data only on Controller's documented instructions.
- Ensure that personnel authorised to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures ("TOMs") as set out in Annex II.
- Assist Controller with Data Subject rights requests (access, rectification, erasure, portability, restriction, objection) within reasonable timeframes.
- Assist Controller with data protection impact assessments and prior consultations with supervisory authorities.
- Notify Controller without undue delay — and in any event within 72 hours of becoming aware — of any Personal Data breach affecting Controller's data.
- On termination, delete or return all Personal Data within 30 days, except where law requires retention.
- Make available all information necessary to demonstrate compliance, and allow for audits as described in Section 9.
5. Sub-processors
Controller gives general written authorisation for Processor to engage the sub-processors listed in Annex III to deliver the Platform. Processor will:
- Impose on each sub-processor, by written contract, data-protection obligations no less protective than this DPA.
- Give Controller at least 30 days' notice of any intended addition or replacement of a sub-processor.
- Allow Controller to object to such changes on reasonable data-protection grounds; if the objection cannot be resolved, Controller may terminate the affected service with pro-rata refund.
6. International transfers
Where Processor transfers Personal Data of Data Subjects in the EEA, UK, or Switzerland to a country not recognised as providing adequate protection, the transfer is governed by the SCCs (Module 2: Controller to Processor), which are hereby incorporated by reference. For transfers out of the UK, the UK International Data Transfer Addendum applies; for transfers out of Switzerland, the revised Swiss DPA applies with the term "member state" read as "Switzerland".
For Data Subjects in India, transfers are made in line with the DPDP Act 2023 and applicable Central Government notifications on permissible cross-border transfers.
7. Security measures
Processor maintains the technical and organisational security measures described in Annex II and at /trust. These measures are subject to continuous improvement and may be updated provided that the overall level of protection is not reduced.
8. Assistance with Data Subject rights
Processor provides self-service tools in the Tenant dashboard that enable Controller to retrieve, correct, export, or delete Data Subject records without Processor's intervention. Where a Data Subject contacts Processor directly, Processor will promptly forward the request to Controller and assist as reasonably required.
9. Audits
- Processor will make available to Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR.
- Controller may audit Processor's compliance once per calendar year, on 30 days' notice, during normal business hours, at Controller's expense.
- Where an external certification (e.g. SOC 2, ISO 27001) is available, Controller will accept such certification in lieu of an on-site audit unless it has specific cause for concern.
10. Breach notification
Processor will notify Controller at the contact email on Controller's account within 72 hours of becoming aware of a Personal Data breach, and will include: the nature of the breach, categories and approximate numbers of Data Subjects and records affected, likely consequences, and measures taken or proposed to mitigate.
11. Return and deletion
On expiry or termination of the Terms of Service, Processor will, at Controller's choice, delete or return all Personal Data within 30 days. Backup copies are purged on the normal backup rotation (within 30 days of the deletion date). Retention beyond this period occurs only where required by law; such retained data is isolated and access-restricted.
12. Liability
The limitation of liability in Section 13 of the Terms of Service applies to this DPA, except where mandatory law (including GDPR Article 82) provides otherwise.
13. Governing law and precedence
This DPA is governed by the same law as the Terms of Service, except that the SCCs are governed by the law of the EU member state specified in Clause 17 thereof (defaulting to Ireland). In the event of conflict, (a) the SCCs prevail over the DPA, and (b) this DPA prevails over the Terms of Service in respect of data-protection matters.
Annex I — Processing details
| Subject matter | Provision of the Traject AI AI-agent platform to Controller. |
|---|---|
| Duration | For the duration of the Terms of Service, plus any post-termination retention described above. |
| Nature and purpose | Hosting and operating AI agents that reply to end customers, book appointments, capture leads, synchronise calendars, and send transactional email on Controller's behalf. |
| Data Subject categories | Controller's employees (Tenant users) and Controller's end customers (persons who contact the AI agent). |
| Personal Data categories | Name, phone number, email, WhatsApp profile, conversation content, booking / lead fields, usage logs, and integration tokens. No special-category data is intended to be processed. |
Annex II — Technical and organisational measures
- Encryption at rest (AES-256-GCM on sensitive fields; platform-level AES-256 on all Firestore and Cloud Storage data).
- Encryption in transit (TLS 1.3; HSTS enforced).
- HMAC-SHA256 verification on all WhatsApp webhooks.
- Input and output safety screening via Google Model Armor.
- Phone-number hashing (HMAC-SHA256) with no plaintext phone stored.
- Least-privilege IAM on Google Cloud; secrets in Google Secret Manager.
- Per-IP, per-session, and per-tenant rate limits.
- Per-tenant spend caps to contain the blast radius of compromised credentials.
- Immutable audit log of every agent turn (13-month retention).
- Automated dependency scanning (Dependabot) on all repositories.
- Confidentiality obligations on all personnel with access.
- Documented incident response and breach-notification procedure (72-hour commitment).
- Regular review of access rights; immediate revocation on role change or departure.
- Segregation of Tenant data via a mandatory tenantId filter on every database query.
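Two of the Annex II measures in working form, as an added example rather than Traject AI's own code: HMAC-SHA256 verification of a WhatsApp webhook body and keyed hashing of the sender's phone number so no plaintext number is persisted. It assumes Meta's `X-Hub-Signature-256: sha256=<hex>` header format; the secrets and the payload are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed sample values (not real secrets or traffic). Meta's Cloud API signs
# the raw request body with the app secret and sends "X-Hub-Signature-256: sha256=<hex>".
APP_SECRET = b"constructed-app-secret"
PHONE_HASH_KEY = b"constructed-phone-hash-key"   # would live in Secret Manager in production
SAMPLE_BODY = json.dumps(
    {"object": "whatsapp_business_account",
     "entry": [{"changes": [{"value": {"messages": [
         {"from": "919876543210", "text": {"body": "hi"}}]}}]}]},
    separators=(",", ":")).encode()


def sign_webhook(raw_body: bytes, app_secret: bytes) -> str:
    """Header value the sender computes; used here to build inputs for the check."""
    return "sha256=" + hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook_signature(raw_body: bytes, header: str, app_secret: bytes) -> bool:
    """Verify the raw bytes as received (before JSON parsing) and compare in
    constant time; anything malformed or non-matching is rejected."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()
    try:
        return hmac.compare_digest(expected, header[len("sha256="):])
    except TypeError:          # non-ASCII junk in the header
        return False


def hash_phone(phone: str, key: bytes) -> str:
    """Keyed pseudonym for a phone number. A plain SHA-256 would be reversible by
    enumerating the number space; the secret key is what prevents that."""
    digits = "".join(ch for ch in phone if ch.isdigit())   # "+91 98765 43210" -> digits only
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def handle_webhook(raw_body: bytes, header: str) -> list:
    """Verify first, then parse, and hand back only hashed sender identifiers."""
    if not verify_webhook_signature(raw_body, header, APP_SECRET):
        raise PermissionError("invalid webhook signature")
    payload = json.loads(raw_body)
    senders = []
    for entry in payload.get("entry", []):
        for change in entry.get("changes", []):
            for msg in change.get("value", {}).get("messages", []):
                senders.append(hash_phone(msg["from"], PHONE_HASH_KEY))
    return senders
```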
Annex III — Authorised sub-processors
See Section 6.1 of our Privacy Policy for the up-to-date list with location and purpose.
Summary: Google Cloud (hosting, database, storage, secrets, logging — us-central1); Google Gemini Enterprise Agent Platform (formerly Vertex AI — LLM inference, embeddings, Model Armor); Firebase Authentication; Meta WhatsApp Business Cloud API; Gupshup (partner onboarding in progress); Razorpay (billing); LemonSqueezy (planned); Cal.com and Calendly (Tenant-enabled, optional); SMTP provider (transactional email); Vercel / Firebase Hosting / Netlify (static web hosting and CDN).
Signing
Enterprise customers can request a signing-ready PDF by emailing admin-naren@traject-ai.in with the subject line "DPA request — signing-ready copy". We return a counter-signed copy within 2 business days.
© 2026 Traject AI Technologies. This DPA supplements our Terms of Service and Privacy Policy.