Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement (the "Service Agreement") between Trike Training, LLC ("Trike," "we," or "us") and the customer identified in the Service Agreement ("Customer," "you," or "your") for Customer's use of the Trike platform and related services (collectively, the "Service").
This DPA applies to Trike's processing of Personal Information on Customer's behalf in connection with the Service. By using the Service, Customer agrees to the terms of this DPA. In the event of any conflict between this DPA and the Service Agreement, this DPA controls solely with respect to the subject matter of this DPA.
1. Definitions
Personal Information means information that identifies, relates to, or is reasonably capable of being associated with a particular individual, that Trike processes on Customer's behalf in connection with the Service.
Data Subject means the individual to whom Personal Information relates.
Process or Processing means any operation performed on Personal Information, including collection, storage, use, disclosure, or deletion.
Sub-processor means a third party engaged by Trike to Process Personal Information on Customer's behalf.
Applicable Privacy Law means all US federal and state laws and regulations relating to privacy, data protection, or the Processing of Personal Information that apply to the Service, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), and equivalent comprehensive privacy laws in other US states.
Security Incident means a confirmed unauthorized acquisition of, access to, loss of, or disclosure of Personal Information in Trike's possession or control.
Terms not defined in this DPA have the meanings given in the Service Agreement.
2. Roles and Scope
2.1. Roles. Customer is the controller, business, or equivalent that determines the purposes and means of Processing Personal Information through the Service. Trike acts as Customer's processor, service provider, or equivalent for Personal Information Processed on Customer's behalf.
2.2. Customer Responsibilities. Customer is responsible for: (a) the accuracy, quality, and legality of Personal Information provided to Trike; (b) the means by which Customer acquired Personal Information; (c) ensuring Customer has the legal right and any required consents to transfer Personal Information to Trike for Processing; and (d) ensuring Customer's instructions to Trike comply with Applicable Privacy Law.
2.3. Scope of Processing. A description of the Personal Information, categories of Data Subjects, purposes, and duration of Processing is set out in Schedule A.
3. Processing Instructions
3.1. Trike will Process Personal Information only on documented instructions from Customer. Documented instructions consist of: (a) the Service Agreement and this DPA, (b) Customer's use and configuration of the Service, and (c) any further written instructions Customer provides that Trike agrees to in writing.
3.2. Trike will notify Customer if it becomes aware that an instruction violates Applicable Privacy Law, after which Trike may suspend performance of that instruction without liability until Customer modifies or withdraws it.
3.3. Trike will not: (a) sell or share Personal Information as those terms are defined under Applicable Privacy Law; (b) retain, use, or disclose Personal Information outside the direct business relationship with Customer; or (c) combine Personal Information with personal information from other sources except as needed to provide the Service or as permitted by Applicable Privacy Law.
4. Confidentiality
Trike will ensure that personnel authorized to Process Personal Information are bound by appropriate confidentiality obligations.
5. Security Measures
5.1. Trike will implement and maintain reasonable and appropriate technical and organizational security measures designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. A summary of these measures is set out in Schedule B.
5.2. Trike may update its security measures from time to time, provided that any update will not materially diminish the overall protection of Personal Information.
6. Sub-processors
6.1. General Authorization. Customer provides general authorization for Trike to engage Sub-processors to Process Personal Information in connection with the Service.
6.2. Current Sub-processors. A list of current Sub-processors is set out in Schedule C and is also available on request at privacy@trike.co.
6.3. Notice of New Sub-processors. Trike will provide Customer with at least fifteen (15) days' prior notice of any new Sub-processor by updating Schedule C or by other written notice. Customer may object to a new Sub-processor on reasonable data protection grounds by providing written notice within ten (10) days of Trike's notice. If the parties cannot resolve the objection in good faith, Customer's sole remedy is to terminate the Service Agreement with respect to the components of the Service that cannot reasonably be provided without the objected-to Sub-processor.
6.4. Sub-processor Obligations. Trike will enter into a written agreement with each Sub-processor that imposes data protection obligations substantially similar in substance to those in this DPA. Trike remains responsible to Customer for each Sub-processor's performance of those obligations.
7. Assistance with Data Subject Requests
7.1. Trike will provide reasonable assistance to enable Customer to respond to requests from Data Subjects exercising their rights under Applicable Privacy Law (including rights of access, correction, deletion, and portability), taking into account the nature of the Processing and the information available to Trike.
7.2. Where the Service provides self-service tools that enable Customer to fulfill such requests directly, Customer will use those tools as the first means of response.
7.3. Assistance beyond what is reasonably available through the Service or self-service tools may be subject to additional fees at Trike's then-current rates.
8. Security Incident Notification
8.1. Trike will notify Customer without undue delay after confirming a Security Incident affecting Customer's Personal Information.
8.2. The notification will include, to the extent then known: (a) a description of the nature of the Security Incident, (b) the categories of Personal Information affected, (c) the actions Trike has taken or plans to take to address the Security Incident, and (d) a contact point for further information.
8.3. Customer is responsible for any notifications required to Data Subjects, regulators, or other third parties arising from a Security Incident.
8.4. Trike's notification of, or response to, a Security Incident is not an acknowledgment of fault or liability.
9. Audits
9.1. Documentation. On Customer's reasonable written request and no more than once per twelve (12) month period, Trike will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, which may include then-current certifications, summary audit reports, or completed standardized security questionnaires (such as SIG or CAIQ).
9.2. On-Site Audits. On-site audits of Trike's facilities or systems are not included as part of the Service and will be permitted only if: (a) Customer can demonstrate that the documentation provided under Section 9.1 is insufficient to satisfy a specific legal obligation of Customer; (b) Customer provides at least thirty (30) days' prior written notice; (c) the audit is conducted during business hours, in a manner that does not unreasonably disrupt Trike's operations; (d) Customer's auditor signs a confidentiality agreement reasonably acceptable to Trike; and (e) Customer bears all costs of the audit, including Trike's reasonable costs of cooperation.
9.3. Audits will not be permitted to access Trike's other customers' data, proprietary technology, source code, or commercially sensitive information.
10. International Transfers
Trike Processes Personal Information primarily in the United States. To the extent Trike or its Sub-processors Process Personal Information outside the United States, Trike will rely on appropriate safeguards as required by Applicable Privacy Law.
11. Return and Deletion
11.1. On termination or expiration of the Service Agreement, Trike will, within ninety (90) days, delete or, on Customer's written request, return all Personal Information in Trike's possession or control, except to the extent retention is required by applicable law or is contained in routine backup media that will be deleted in the ordinary course.
11.2. Customer may export Personal Information using the Service's standard export functions at any time during the term of the Service Agreement.
12. CCPA / CPRA Service Provider Terms
To the extent Trike Processes Personal Information of California residents, the following additional terms apply, and the terms "personal information," "sell," "share," "service provider," and "business" have the meanings given in the CCPA/CPRA:
12.1. Customer is a "business" and Trike is a "service provider."
12.2. Trike will not: (a) sell or share personal information; (b) retain, use, or disclose personal information for any purpose other than the business purposes specified in this DPA and the Service Agreement, including the purposes set out in Schedule A; (c) retain, use, or disclose personal information outside the direct business relationship between the parties; or (d) combine personal information received from Customer with personal information from other sources, except as permitted by the CCPA/CPRA.
12.3. Trike will notify Customer if Trike determines it can no longer meet its obligations under the CCPA/CPRA.
12.4. Customer may take reasonable and appropriate steps to ensure Trike uses personal information consistently with Customer's obligations under the CCPA/CPRA, and to stop and remediate unauthorized use of personal information.
12.5. Trike certifies that it understands the restrictions in this Section 12 and will comply with them.
13. Other US State Privacy Laws
To the extent Personal Information is subject to comprehensive privacy laws of other US states (including, without limitation, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, New Hampshire, New Jersey, and Delaware), Trike will Process Personal Information in accordance with the requirements applicable to processors under those laws, and the terms of this DPA will be interpreted to give effect to those requirements.
14. Liability
14.1. Each party's liability under or in connection with this DPA, whether in contract, tort (including negligence), or otherwise, is subject to and counts toward the limitations and exclusions of liability set out in the Service Agreement.
14.2. Without limiting Section 14.1, in no event will Trike's aggregate liability under or in connection with this DPA exceed the amounts paid by Customer to Trike under the Service Agreement during the twelve (12) months immediately preceding the event giving rise to the claim.
14.3. In no event will Trike be liable for indirect, incidental, consequential, special, exemplary, or punitive damages, lost profits, lost revenue, loss of business opportunity, or loss of data, even if advised of the possibility of such damages.
14.4. Nothing in this DPA limits any liability that cannot be limited under applicable law.
15. Term
This DPA will remain in effect for the term of the Service Agreement and will survive termination of the Service Agreement to the extent necessary to give effect to its terms, including Sections 8, 9, 11, 12, 14, and 16.
16. Miscellaneous
16.1. Governing Law and Venue. This DPA is governed by the laws of the State of Georgia, United States, without regard to its conflict of law principles. The exclusive venue for any action arising under this DPA is the state or federal courts located in Athens-Clarke County, Georgia, and the parties consent to the personal jurisdiction of those courts.
16.2. Order of Precedence. In the event of any conflict between this DPA and the Service Agreement, this DPA controls with respect to the subject matter of this DPA.
16.3. Amendments. Trike may amend this DPA from time to time by posting the updated DPA at https://trike.co/legal/dpa or by providing written notice to Customer. Amendments take effect on the date Trike specifies in the updated DPA or notice. Customer's continued use of the Service after the effective date constitutes acceptance of the amendment.
16.4. Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions will continue in full force and effect.
16.5. No Third-Party Beneficiaries. This DPA does not create any third-party beneficiary rights.
16.6. Entire Agreement. This DPA, together with the Service Agreement, constitutes the entire agreement between the parties with respect to its subject matter and supersedes any prior or contemporaneous agreements on that subject.
Schedule A — Description of Processing
Categories of Data Subjects
Customer's employees and other workforce members who use the Trike platform
Customer's administrators and other authorized users
Customer's business contacts who interact with the Trike platform on Customer's behalf
Categories of Personal Information
Identifiers: name, email address, phone number, mailing address, employee ID, username
Authentication data: passwords (hashed), 2FA tokens, recovery information
Employment-related information: job title, location or store assignment, role, manager, hire date, employment status
Learning and training records: courses assigned and completed, assessment scores, certifications, completion timestamps, training history, performance feedback
Operational data: forms, inspections, tasks, and other records created within the Trike platform
Usage and device data: IP address, device type, operating system, browser type, log data, timestamps
Communications: support messages, comments, and content posted within the Trike platform
Purposes of Processing
Providing, operating, securing, and improving the Trike platform
Provisioning user accounts and managing access
Delivering training assignments and tracking completion
Producing compliance and recordkeeping outputs on Customer's behalf
Sending service-related messages, including 2FA codes, account notifications, and security alerts
Customer support
Detecting and preventing fraud, abuse, and security incidents
Complying with legal obligations applicable to Trike
Duration of Processing
The term of the Service Agreement, plus the retention period set out in Section 11.
Schedule B — Technical and Organizational Security Measures
Trike implements measures including:
Encryption. Personal Information is encrypted in transit using TLS 1.2 or higher and at rest using industry-standard encryption.
Access Control. Role-based access controls and database row-level security restrict access to Personal Information to authorized personnel and authorized Customer users.
Authentication. Multi-factor authentication is available for Customer administrators and is enforced for Trike personnel with access to production systems.
Network Security. Production systems are protected by firewalls, network segmentation, and DDoS mitigation through Trike's hosting providers.
Logging and Monitoring. Production systems are monitored for security events, and audit logs are retained.
Vulnerability Management. Trike applies security patches and conducts dependency scanning on a regular basis.
Personnel Security. Trike personnel with access to Personal Information are subject to confidentiality obligations and receive security awareness training.
Incident Response. Trike maintains an incident response process to detect, respond to, and notify Customer of Security Incidents.
Business Continuity. Trike maintains backup and recovery procedures designed to restore the Service and Personal Information after an incident.
Trike may update these measures from time to time consistent with Section 5.2.
Schedule C — Approved Sub-processors
The current approved Sub-processors are:
| Sub-processor | Service | Location |
|---|---|---|
| Supabase, Inc. | Database and application hosting | United States |
| Vercel Inc. | Web application hosting | United States |
| Anthropic PBC | AI processing for Trike platform features | United States |
| Merge API, Inc. (Merge.dev) | HRIS / payroll system integrations | United States |
| Stripe, Inc. | Payment processing for paying customers | United States |
| Resend Inc. | Transactional email delivery | United States |
| Twilio Inc. and/or Telnyx LLC | SMS message delivery | United States |
This list may be updated from time to time consistent with Section 6. The current list is also available on request at help@trike.co.