Data Processing Agreement

Last updated: December 23, 2025

1. Data Processing Agreement

1.1. This Data Processing Agreement (the "Data Processing Agreement"), published by API Hero Ltd (trading as Trigger.dev) forms part of the Terms of Service between Trigger.dev and the Customer for the provision of the Trigger.dev Service and sets out the terms upon which Trigger.dev will process Relevant Personal Data on the Customer's behalf when providing the Trigger.dev Service and acting as a data processor.

During the course of providing the Trigger.dev Service, Trigger.dev may process Relevant Personal Data that is subject to Data Protection Laws. By using the Trigger.dev Service or entering into an Agreement with Trigger.dev, the Customer appoints Trigger.dev to process such Relevant Personal Data in accordance with this Data Processing Agreement.

2. Interpretation

2.1. In this Data Processing Agreement the definitions and rules of interpretation set out in the Terms of Service apply and, save where the context requires otherwise, the following words and expressions have the following meaning:

  • "Business Day" means a day other than a Saturday, Sunday or bank or public holiday in England;
  • "Data Subject Request" means a request made by a data subject to exercise any rights of data subjects under Data Protection Laws relating to the Relevant Personal Data;
  • "EEA" means the European Economic Area;
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Relevant Personal Data transmitted, stored or otherwise processed by the Processor or any Sub-processor;
  • "Standard Contractual Clauses" means the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the EU GDPR as set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any set of clauses approved by the European Commission which amends, replaces or supersedes these and, where UK GDPR applies, the UK ICO's International Data Transfer Addendum to the Standard Data Protection Clauses;
  • "Sub-processor" means any data processor (including any affiliate of Trigger.dev) appointed by Trigger.dev to process Relevant Personal Data on behalf of the Customer;
  • "Supervisory Authority" means any regulatory authority responsible for the enforcement of Data Protection Laws; and
  • "UK" means the United Kingdom.

3. Processing of Relevant Personal Data

3.1. Each party acknowledges and agrees that for the purposes of the Agreement and Data Protection Laws, the Customer shall be the controller and Trigger.dev the processor in respect of the Relevant Personal Data.

3.2. Each party confirms that in the performance of the Agreement it will comply with Data Protection Laws.

3.3. Trigger.dev shall only process the types of Relevant Personal Data relating to the categories of data subjects for the specific purposes in each case as set out in Annex 1 (Data Processing Information) to this Data Processing Agreement and shall not process the Relevant Personal Data other than in accordance with the Customer's documented instructions (whether in the Agreement or otherwise) unless processing is required by applicable law to which Trigger.dev is subject, in which case Trigger.dev shall, to the extent permitted by such law, inform the Customer of that legal requirement before processing that Relevant Personal Data.

3.4. Trigger.dev shall inform the Customer if, in its opinion, an instruction it receives from the Customer pursuant to the Agreement infringes the GDPR.

4. Customer warranty

4.1. The Customer warrants that it has all necessary rights to provide the Relevant Personal Data to Trigger.dev for the processing to be performed in relation to the Trigger.dev Service.

5. Supplier personnel

5.1. Trigger.dev shall treat all Relevant Personal Data as confidential and shall use reasonable efforts to inform all its relevant employees, contractors and/or any Sub-processors engaged in processing the Relevant Personal Data of the confidential nature of such Relevant Personal Data.

5.2. Trigger.dev shall take reasonable steps to ensure the reliability of any employee, contractor and/or any Sub-processor who may have access to the Relevant Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the Relevant Personal Data, as necessary for the purposes set out in paragraph 3.3 in the context of that person's or party's duties to Trigger.dev.

5.3. Trigger.dev shall ensure that all such persons or parties involved in the processing of Relevant Personal Data are subject to:

  • 5.3.1. confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
  • 5.3.2. user authentication processes when accessing the Relevant Personal Data.

6. Security

6.1. Trigger.dev shall implement the technical and organisational measures set out in Annex 2 (Security Measures) to this Data Processing Agreement and the Customer acknowledges that such measures ensure a level of security of the Relevant Personal Data appropriate to the risks that are presented by the processing.

7. Sub-processing

7.1. The Customer hereby grants its general authorisation to the appointment of Sub-processors by Trigger.dev under the Agreement.

7.2. When Trigger.dev replaces any existing Sub-processor and/or appoints any new Sub-processor, Trigger.dev will use reasonable endeavours to notify the Customer of such changes to Sub-processor(s), and the Customer shall have the right to terminate the Agreement within 30 days after its receipt of such notification if it objects to the new Sub-processor(s).

7.3. The Customer's sole remedy if it does not agree to the replacement or appointment of a Sub-processor shall be to terminate the Agreement.

7.4. With respect to each Sub-processor, Trigger.dev shall:

  • 7.4.1. enter into a written contract with the Sub-processor which shall contain terms materially the same as those set out in this Data Processing Agreement;

  • 7.4.2. remain liable to the Customer for any failure by the Sub-processor to fulfil its obligations in relation to the processing of any Relevant Personal Data.

7.5. An up-to-date list of Trigger.dev's Sub-processors is maintained at https://trigger.dev/legal/subprocessors and may be updated from time to time in accordance with this Data Processing Agreement.

8. Data subject rights

8.1. Trigger.dev shall refer all Data Subject Requests it receives to the Customer without undue delay and, in any event, within 2 Business Days. The Trigger.dev Service will enable the Customer to access, rectify and restrict processing of the Relevant Personal Data, and to erase and export the Relevant Personal Data.

8.2. In the event that the Customer cannot fulfil any Data Subject Request itself using the means described in paragraph 8.1, Trigger.dev shall co-operate as reasonably requested by the Customer to enable the Customer to comply with any such request.

9. Incident management

9.1. In the case of a Personal Data Breach, Trigger.dev shall not later than 72 hours after having become aware of it notify the Personal Data Breach to the Customer providing the Customer with sufficient information which allows the Customer to meet any obligations to report a Personal Data Breach under Data Protection Laws.

10. Data protection impact assessments and prior consultation

10.1. Trigger.dev shall, at the Customer's request, provide reasonable assistance to the Customer with any data protection impact assessments which are required under applicable Data Protection Laws and with any prior consultations to any Supervisory Authority of the Customer or any of its affiliates which are required under Data Protection Laws, in each case in relation to processing of Relevant Personal Data by Trigger.dev on behalf of the Customer and taking into account the nature of the processing and information available to Trigger.dev.

11. Deletion or return of Relevant Personal Data

11.1. On cessation of processing of Relevant Personal Data by Trigger.dev, or termination of the Agreement, Trigger.dev shall permit Customer (at its option) to:

  • 11.1.1. extract a complete copy of all Relevant Personal Data by secure file transfer and securely wipe all other copies of the Relevant Personal Data processed by Trigger.dev or any Sub-processor unless required to retain such data in order to comply with applicable laws; or

  • 11.1.2. request Trigger.dev to delete the Relevant Personal Data (and procure that any Sub-processor does the same) unless required to retain such data in order to comply with applicable laws.

11.2. If the Customer fails to exercise its rights under paragraphs 11.1.1 and 11.1.2 above, Trigger.dev shall delete the Relevant Personal Data (and procure that any Sub-processor does the same) within 90 days following the termination of the Agreement, unless required to retain such data in order to comply with applicable laws.

12. Audit rights

12.1. Trigger.dev shall make available to the Customer on request all information reasonably necessary to demonstrate compliance with this Data Processing Agreement and Data Protection Laws and allow for and contribute to audits in accordance with Trigger.dev's or its Sub-processors' policies in place from time to time.

12.2. Prior to conducting any audit pursuant to paragraph 12.1, the Customer must submit an audit request to Trigger.dev and the Customer and Trigger.dev must agree the start date, scope and duration of and security and confidentiality controls applicable to any such audit.

12.3. Trigger.dev may (acting reasonably) object to the appointment by the Customer of an independent auditor to carry out an audit pursuant to paragraph 12.1 and, where this is the case, the Customer shall be required to appoint another auditor or conduct the audit itself.

13. International transfers of Relevant Personal Data

13.1. In the event that a transfer of Relevant Personal Data to Trigger.dev or any Sub-processor is reasonably considered to involve a transfer of Relevant Personal Data outside of the UK and/or the EEA to a country which is not recognised by the UK ICO or the European Commission (as the case may be) as having an adequate level of protection for personal data, Trigger.dev shall use reasonable endeavours to enter into Standard Contractual Clauses with the relevant Sub-processor for such transfer of Relevant Personal Data.

14. Costs

14.1. The Customer shall pay any reasonable costs and expenses incurred by Trigger.dev in meeting the Customer's requests made under paragraphs 8, 10 and 12 of this Data Processing Agreement.

15. Liability

For the avoidance of doubt, each party's liability, taken together in the aggregate, arising out of or related to this Data Processing Agreement, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability contained within the Terms of Service, and any reference to the liability of a party means the aggregate liability of that party under the Agreement (including under this Data Processing Agreement) collectively.

16. Miscellaneous

16.1. Any obligation imposed on Trigger.dev under the Agreement in relation to the processing of Relevant Personal Data shall survive any termination or expiration of the Agreement.

16.2. In the event of inconsistencies between any provision of this Data Processing Agreement and the remainder of the Agreement, the provision of this Data Processing Agreement shall prevail with regard to the parties' obligations relating to the processing of the Relevant Personal Data.


Annex 1: Data Processing Information

This Annex 1 includes certain details of the processing of Relevant Personal Data as required by Article 28(3) GDPR.

Item | Details
Subject matter, nature and purposes of the processing | Processing for the purposes of provision of the Trigger.dev Service and any technical support in connection with the Customer's use of the services.
Duration of the processing | The duration of the Agreement.
Type of personal data | Personal data Customer processes using the Trigger.dev Service intentionally or inadvertently.
Categories of data subjects | Customers (if applicable) and Customers' Users.

Annex 2: Security Measures

As from the Commencement Date, Trigger.dev will implement and maintain the security measures set out in this Annex 2 to this Data Processing Agreement. Trigger.dev may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Trigger.dev Service.

1. Data and Physical Security

Trigger.dev utilizes services to provide the infrastructure (data centres, servers and similar) to provide the Trigger.dev Service. A full list of such services is available on Trigger.dev's Sub-processors page on the Website: https://trigger.dev/legal/subprocessors.

2. Network and Application

2.1. Intrusion Detection

Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Trigger.dev's intrusion detection involves:

  • Tightly controlling the size and make-up of Trigger.dev's attack surface through preventative measures;
  • Employing intelligent detection controls at data entry points; and
  • Employing technologies that automatically remedy certain dangerous situations.

2.2. Incident Response

Trigger.dev monitors a variety of communication channels for security incidents, and Trigger.dev's security personnel will react promptly to known incidents.

2.3. Transit Encryption Technologies

Trigger.dev makes HTTPS encryption (also referred to as SSL or TLS connection) available. Trigger.dev servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.

2.4. Audit

Trigger.dev has infrastructure, network and application audit logging for compliance and security monitoring.

2.5. Secure Coding

All code is scanned through static analysis on a daily basis to identify bugs and vulnerabilities before they are released. Developers all undergo secure coding training.

2.6. Scans

Trigger.dev runs regular web application and vulnerability scans. Regular scans are made of the infrastructure to identify infrastructure vulnerabilities. Identified issues are reviewed and addressed at the earliest possible time.

3. Business Security

3.1. Business Continuity

Trigger.dev replicates data over multiple systems to help to protect against accidental destruction or loss. Trigger.dev has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

4. Data

4.1. Data Storage, Isolation & Authentication

Trigger.dev stores data in a multi-tenant environment in AWS East-1. Data, database and file system architecture are replicated between multiple geographically dispersed data centres.

Trigger.dev logically isolates data on a per Customer basis at the application layer. Trigger.dev logically separates each Customer's data from the data of other Customers, and data for an authenticated User will not be displayed to another User (unless both Users have access to the same Customer Account).

A central authentication system is used across all services to increase uniform security of data. Customer will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Trigger.dev Service, will enable Customer to determine the product sharing settings applicable to Users for specific purposes. Customer may choose to make use of certain logging capability that Trigger.dev may make available via the Trigger.dev Service, products and APIs.

4.2. Encryption

All data is encrypted at rest using AES-256 industry standard. All data backups are encrypted using the same standard.

4.3. Backups & Redundancy

Backups are created continuously and incrementally to allow recovery from a failure. The backups are stored in S3 for high availability.

5. Personnel Security

Trigger.dev personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Trigger.dev conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labour law and statutory regulations.

Personnel are subject to a duty of confidentiality and must acknowledge receipt of, and compliance with, Trigger.dev's confidentiality and privacy policies.

Personnel are provided with security training.

6. Sub-processor Security

Before onboarding Sub-processors, Trigger.dev conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.