Data Processing Agreement (DPA)
Last updated: 17 June 2026
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Triagely Terms and Conditions (the "Terms") between Nair Development Hub SRL ("Triagely", "we", "us") and the customer who accepts the Terms ("Customer", "you"). By using the Service to process personal data, you agree to this DPA. No separate signature is required; however, if your organisation requires a counter-signed copy, contact us at contact@triagely.net.
Capitalised terms not defined here have the meaning given in the Terms or in the GDPR.
1. Definitions
- GDPR — Regulation (EU) 2016/679 (the General Data Protection Regulation) and applicable Romanian data-protection law.
- Customer Personal Data — personal data contained in the feedback content and related data that Triagely processes on the Customer's behalf in providing the Service (described in Annex A).
- Controller, Processor, Data Subject, Personal Data Breach, and Processing have the meanings given in the GDPR.
- Sub-processor — a third party engaged by Triagely to process Customer Personal Data.
2. Roles of the parties
In respect of Customer Personal Data, the Customer is the Controller (or itself a processor acting for another controller) and Triagely is the Processor. Each party will comply with its obligations under the GDPR.
This DPA applies only to Triagely's processing of Customer Personal Data as a Processor. Personal data for which Triagely is itself the controller (such as account and billing data) is governed by our Privacy Policy, not this DPA.
3. Processing instructions
Triagely will process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law (in which case Triagely will inform the Customer of that legal requirement before processing, unless the law prohibits it).
The Customer's instructions are: (a) the Terms and this DPA; (b) the Customer's configuration and use of the Service; and (c) any further written instructions agreed by the parties. The purpose and subject matter of processing are set out in Annex A.
Triagely will inform the Customer if, in its opinion, an instruction infringes the GDPR.
4. Customer obligations
The Customer warrants and undertakes that:
- it has a valid legal basis to collect the personal data of its end users and to provide it to Triagely for processing;
- it has provided all required notices to, and obtained any required consents from, its end users;
- it will not submit, and will configure its use of the Service so as not to collect, special-category (sensitive) personal data within the meaning of Article 9 GDPR, or personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR; and
- its instructions for processing comply with applicable law.
The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired it.
5. Confidentiality
Triagely will ensure that persons authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality and process the data only as instructed.
6. Security
Triagely will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex B, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
7. Sub-processors
- The Customer provides a general authorisation for Triagely to engage Sub-processors to process Customer Personal Data. The current Sub-processors are listed in Annex C.
- Triagely will impose on each Sub-processor data-protection obligations that are no less protective than those in this DPA, and remains responsible to the Customer for the performance of each Sub-processor.
- Triagely maintains a current list of Sub-processors in Annex C (also published on our website). Triagely will publish any addition or replacement of a Sub-processor to that list before the new Sub-processor begins processing Customer Personal Data, and Customers may subscribe to be notified of changes. This published notice satisfies Triagely's obligation to inform the Customer; Triagely is not required to send individual notices for each change.
- The Customer may object to a new Sub-processor on reasonable data-protection grounds within a reasonable period after the change is published. If the Customer objects and the parties cannot resolve the matter, the Customer may terminate the affected part of the Service.
8. Assistance to the Customer
Taking into account the nature of the processing, Triagely will assist the Customer by appropriate technical and organisational measures, insofar as possible, to:
- respond to requests from Data Subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, and objection);
- comply with the Customer's obligations regarding security of processing, breach notification, data-protection impact assessments, and prior consultation with a supervisory authority.
Where Triagely receives a request directly from a Data Subject relating to Customer Personal Data, it will not respond directly (except to direct them to the Customer) and will, where lawful, forward the request to the Customer without undue delay.
9. Personal data breaches
Triagely will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide the Customer with information reasonably available to it to help the Customer meet its own breach-notification obligations.
10. Deletion and return
On termination of the Service, or earlier on the Customer's instruction, Triagely will delete Customer Personal Data, and the Customer may export its data using the Service's export functionality before deletion. Triagely may retain Customer Personal Data to the extent required by law, and may retain non-personal records (such as the deletion tombstone described in our Privacy Policy) that do not contain Customer Personal Data.
11. Audits
Triagely will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. To minimise disruption, the parties will agree on the scope, timing, and reasonable cost of any audit in advance, and Triagely may satisfy audit requests by providing relevant documentation, certifications, or summaries of its security measures where these reasonably address the Customer's request.
12. International transfers
Where Triagely or a Sub-processor processes Customer Personal Data outside the European Economic Area, such transfers are made subject to appropriate safeguards under Chapter V of the GDPR — primarily the European Commission's Standard Contractual Clauses (SCCs), certification under the EU–U.S. Data Privacy Framework where applicable, and/or the relevant provider's own data-protection commitments. Triagely's primary data store, application hosting, and product analytics are hosted within the EEA.
13. Liability and relationship to the Terms
This DPA is subject to the provisions of the Terms, including the limitations and exclusions of liability set out there. In the event of a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA prevails.
14. Term
This DPA takes effect when the Customer accepts the Terms and continues for as long as Triagely processes Customer Personal Data on the Customer's behalf.
15. Governing law
This DPA is governed by the laws of Romania, consistent with the governing-law provisions of the Terms.
Annex A — Description of the processing
- Subject matter: provision of the Triagely Service (collecting, organising, deduplicating, summarising, and ranking product feedback).
- Duration: for the term of the Customer's use of the Service, until deletion as described in Section 10.
- Nature and purpose: receiving, storing, analysing (including via AI sub-processors), organising, and displaying feedback to the Customer, solely to provide the Service.
- Types of Customer Personal Data: personal data contained in free-form feedback submitted by the Customer's end users, which may include names, email addresses, URLs, message content, and any other information an end user chooses to include; and, for forwarded emails, sender details and email subject/body. The Customer must not submit special-category data.
- Categories of Data Subjects: the Customer's own end users and any individuals referenced in the feedback they submit.
Annex B — Technical and organisational measures
Triagely maintains, at a minimum, the following measures (as described more fully in our Privacy Policy):
- Access control: Row-Level Security on all database tables; clients can read only their own data and cannot write directly — all writes pass through Triagely's server after an ownership check. AI-derived data, billing records, and internal counters are accessible only to privileged server processes.
- Credential protection: API keys are stored only as a one-way SHA-256 hash plus a short display prefix; raw keys are never stored.
- Service protections: origin allowlisting and a separate public key for the widget; per-key and per-IP rate limiting; request size limits; input sanitisation; authenticated and signature-verified webhooks.
- Confidentiality: access to stored content is restricted; Triagely does not access feedback content in the ordinary course and accesses specific content only at the Customer's request or where legally required or strictly necessary to secure the Service or prevent abuse.
- Resilience and deletion: data is hosted with reputable providers (see Annex C); deletion flows remove Customer data on request or on account/project deletion.
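The credential-protection measure above (store a one-way SHA-256 hash plus a short display prefix, never the raw key) is illustrated by the following added example. It is not Triagely's code; the `trg_` key format, the 12-character display prefix and the record layout are assumptions for the illustration. It assumes the keys are high-entropy random tokens generated server-side, which is what makes a plain, unsalted SHA-256 adequate here: with roughly 256 bits of randomness there is nothing a dictionary or brute-force attack can recover from the hash, unlike a user-chosen password. The prefix is treated as non-secret (it is what the dashboard displays), so it is safe to use as a lookup hint; the actual accept/reject decision is a constant-time comparison of digests.

```python
"""Illustrative API-key storage: SHA-256 hash plus display prefix.

Added example, not Triagely's code. Assumptions: keys are random tokens
issued by the server, the key format is "trg_" + token, and the first 12
characters are kept in clear as a display/lookup prefix.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

KEY_PREFIX = "trg_"   # assumed format marker, not Triagely's actual format
DISPLAY_CHARS = 12    # e.g. "trg_3fA9kL2p" is what a dashboard would show (assumed)


@dataclass(frozen=True)
class StoredKey:
    key_id: str
    project_id: str
    prefix: str   # first DISPLAY_CHARS of the raw key: safe to show and to index
    sha256: str   # hex digest of the full raw key; the raw key itself is never kept


def hash_key(raw_key: str) -> str:
    """One-way digest of the raw key. No salt: the input is ~256 bits of randomness."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_key(project_id: str, store: Dict[str, StoredKey]) -> str:
    """Mint a key, persist only prefix + hash, and return the raw key exactly once."""
    raw_key = KEY_PREFIX + secrets.token_urlsafe(32)   # 32 random bytes -> 43 url-safe chars
    key_id = secrets.token_hex(8)
    store[key_id] = StoredKey(
        key_id=key_id,
        project_id=project_id,
        prefix=raw_key[:DISPLAY_CHARS],
        sha256=hash_key(raw_key),
    )
    return raw_key


def authenticate(presented: str, store: Dict[str, StoredKey]) -> Optional[str]:
    """Return the project_id the presented key belongs to, or None if it is unknown."""
    if not presented.startswith(KEY_PREFIX):
        return None
    digest = hash_key(presented)
    hint = presented[:DISPLAY_CHARS]
    for rec in store.values():
        # The prefix only narrows candidates (a database would index on it); the
        # decision is a constant-time digest comparison, so response timing does
        # not reveal how many leading bytes of a guessed key matched.
        if rec.prefix == hint and hmac.compare_digest(rec.sha256, digest):
            return rec.project_id
    return None


def revoke_key(key_id: str, store: Dict[str, StoredKey]) -> bool:
    """Delete the record; the hash is all that ever existed server-side."""
    return store.pop(key_id, None) is not None


def raw_key_is_absent(raw_key: str, store: Dict[str, StoredKey]) -> bool:
    """Sanity check on what is persisted: the raw key must appear in no stored field."""
    return all(raw_key not in repr(rec) for rec in store.values())


if __name__ == "__main__":
    db: Dict[str, StoredKey] = {}          # stand-in for the key table (constructed)
    key = issue_key("proj_demo", db)
    print("show to customer once:", key)
    print("persisted:", next(iter(db.values())))
    print("authenticates:", authenticate(key, db))
    print("raw key absent from storage:", raw_key_is_absent(key, db))
```

A compromise of the key table therefore yields only prefixes and digests; an attacker would have to guess the remaining random portion of a key to use it, which is infeasible at this entropy. The same design does not transfer to passwords, where a salted, memory-hard hash is needed because the input is low-entropy.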
Annex C — Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU (Ireland) |
| Vercel Inc. | Hosting / CDN, analytics, performance | EU (Frankfurt) |
| PostHog | Product analytics | EU |
| Stripe | Payments and subscriptions | US / global |
| OpenRouter (AI gateway routing feedback to third-party model providers, currently OpenAI and Anthropic) | AI analysis of feedback | US |
| Postmark (AC PM, LLC) | Inbound email parsing / forwarding | US |
| Loops (Astrodon Corporation) | Waitlist email marketing | US |
| Reddit Ads | Conversion measurement (waitlist only; hashed email) | US |
| | Optional OAuth sign-in | US / global |
The current list of Sub-processors is maintained here and on our website. Changes (additions or replacements) are published to this list before the new Sub-processor begins processing Customer Personal Data, as described in Section 7. You can subscribe to be notified of changes at [subscribe URL — to be set up].