Data processing addendum

Draft data processing terms for business customers.

A lawyer-review-ready DPA covering roles, documented instructions, processing details, subprocessors, security measures, breach notice, transfers, deletion, audits, AI/source providers, and customer assistance.

Purpose and status

This Data Processing Addendum is a lawyer-review-ready draft for business customers that need data-processing terms for personal data processed in TrendRise workspaces. It is designed to work with the Terms of Use, Privacy Policy, Security page, Subprocessors page, Cookie Policy, and any signed order form or customer agreement.

  • This DPA is not final legal advice and must be reviewed by counsel before TrendRise offers it as a signed or click-accepted agreement.
  • This DPA is written for business customers, teams, agencies, and organizations that act as controllers or businesses for personal data they submit into TrendRise.
  • This DPA is not intended for consumer-only use, healthcare-regulated workflows, payment-card processing by TrendRise, regulated financial advice, employment screening, children's data processing, or other high-risk regulated processing unless a separate written agreement expressly allows it.
  • Questions about this DPA should be sent to legal@trendrise.io or privacy@trendrise.io.

How this DPA becomes part of the agreement

This DPA should become binding only when it is incorporated into a signed agreement, order form, enterprise agreement, online DPA acceptance flow, or other written agreement between TrendRise and the customer.

  • If a signed agreement says this DPA applies, this DPA forms part of that agreement.
  • If there is a conflict between this DPA and the Terms of Use on personal-data processing for customer-controlled workspace content, this DPA should control for that processing.
  • If there is a conflict between this DPA and the EU Standard Contractual Clauses or another mandatory transfer mechanism, the mandatory transfer terms should control to the extent required by law.
  • Commercial terms such as fees, payment, credits, service levels, warranties, liability caps, indemnity, and termination remain in the main agreement unless this DPA says otherwise or law requires otherwise.

Key definitions

Terms such as controller, processor, personal data, personal information, processing, data subject, subprocessor, personal-data breach, and supervisory authority should have the meanings given by applicable data-protection laws unless this DPA defines them differently.

  • Customer Personal Data means personal data that the customer submits to TrendRise or causes TrendRise to process through a TrendRise workspace, product workflow, support request, import, generated output, source note, or artifact workflow where TrendRise processes it on the customer's behalf.
  • Customer means the organization, business, agency, team, or other legal entity that enters into the agreement with TrendRise.
  • TrendRise means the TrendRise legal entity identified in the agreement, once counsel finalizes the entity details.
  • Applicable Data Protection Laws may include GDPR, UK GDPR, Swiss data protection law, US state privacy laws, and other privacy/data-protection laws that apply to the customer, TrendRise, or the processing.
  • Restricted Transfer means a transfer of Customer Personal Data that requires an approved transfer tool, such as Standard Contractual Clauses, under applicable law.

Roles

For Customer Personal Data in customer-controlled workspace content, the customer is generally the controller or business and TrendRise is generally the processor, service provider, or contractor, unless a signed agreement or applicable law states a different role.

  • The customer determines the purposes and means of processing Customer Personal Data, including what data is submitted, why it is submitted, which users are invited, which workflows are used, and whether the data should be deleted or exported.
  • TrendRise processes Customer Personal Data to provide, secure, support, troubleshoot, maintain, improve, and protect the service according to documented instructions and the agreement.
  • TrendRise is generally the controller for its own website visitors, direct account administration, billing, payment records, Stripe metadata, credit ledgers, fraud prevention, security logs, Partner attribution records, legal compliance records, tax records, aggregated analytics, and support operations not performed solely on the customer's behalf.
  • Where TrendRise is a controller, the Privacy Policy controls that processing unless a signed agreement says otherwise.
  • If a processing activity involves joint-control, independent-control, or marketplace-style roles, counsel should define that separately before launch.

Customer responsibilities

The customer is responsible for Customer Personal Data and for deciding whether TrendRise is appropriate for a particular processing activity.

  • The customer must have all required notices, consents, contracts, lawful bases, rights, permissions, and authority to submit Customer Personal Data to TrendRise.
  • The customer must not submit data that the agreement, Terms, Privacy Policy, product UI, support guidance, or this DPA prohibits.
  • The customer is responsible for account configuration, workspace membership, user permissions, access reviews, exports, deletion choices, and instructions given by its users.
  • The customer must use available product controls and support channels before requesting custom compliance assistance where practical.
  • The customer remains responsible for its own products, launches, creator relationships, customers, datasets, source choices, marketing, and legal compliance outside TrendRise.

Documented processing instructions

TrendRise should process Customer Personal Data only on documented customer instructions, unless applicable law requires otherwise. Documented instructions include the agreement, this DPA, order forms, workspace actions, product settings, user-initiated workflows, support requests, API requests where enabled, deletion/export requests, and other written instructions accepted by TrendRise.

  • TrendRise may decline instructions that are outside the scope of the service, technically impractical, unlawful, unsafe, commercially unreasonable, inconsistent with the agreement, or likely to harm security, privacy, other customers, or service integrity.
  • TrendRise should notify the customer if TrendRise believes an instruction violates applicable data-protection law, where required and legally permitted.
  • If applicable law requires TrendRise to process Customer Personal Data outside the customer's instructions, TrendRise should inform the customer before processing unless legally prohibited.
  • Customer users' actions in the workspace may be treated as instructions from the customer unless TrendRise has reason to believe the action is unauthorized.

Subject matter and duration

The subject matter of processing is the provision of TrendRise as a product opportunity intelligence, research, product-shaping, launch-preparation, Partner/creator workflow, analytics, and support platform. Processing lasts for the term of the agreement and any additional period needed for deletion, return, backup expiry, legal retention, billing, tax, security, fraud prevention, dispute, or compliance purposes.

  • Processing may begin when a customer or user creates an account, joins a workspace, submits data, connects a source, requests support, runs a workflow, generates an output, exports an artifact, or otherwise uses the service.
  • Processing may continue after termination where needed to complete deletion/return, preserve security and billing records, comply with law, resolve disputes, prevent fraud, maintain backups until expiry, or enforce the agreement.
  • The final public DPA should align this duration with the production retention schedule and account deletion workflow.

Nature and purpose of processing

TrendRise may process Customer Personal Data to provide and operate the service, authenticate users, route workspace activity, store customer content, run source checks, generate reports and drafts, save outputs, manage artifacts, provide support, secure accounts, detect abuse, maintain logs, debug errors, administer subscriptions and credits, and comply with the agreement.

  • Processing operations may include collection, receipt, hosting, storage, organization, retrieval, consultation, analysis, transformation, generation, enrichment, transmission, display, logging, restriction, export, deletion, backup, and support handling.
  • TrendRise may process workspace context, prompts, source notes, generated outputs, saved artifacts, and user actions when needed for customer-requested product intelligence workflows.
  • TrendRise may process metadata such as workspace id, user id, timestamps, credit usage, job status, model/provider status, source-search metadata, artifact records, and route/action logs to operate and secure the service.
  • TrendRise may use aggregated or de-identified operational information to improve reliability, product quality, abuse prevention, cost control, and security where permitted by law and the agreement.

Data subjects

Customer Personal Data may relate to people whose information the customer or its users submit, import, reference, or cause TrendRise to process.

  • Customer users, admins, members, contractors, employees, founders, agencies, clients, and collaborators.
  • Customer prospects, customers, leads, subscribers, buyers, waitlist members, support contacts, and community members.
  • Creators, influencers, Partners, affiliates, applicants, deal contacts, launch collaborators, and audience segments referenced by the customer.
  • People appearing in public-source snippets, customer notes, research materials, product ideas, imported product records, campaign plans, support messages, or generated outputs.
  • Other individuals whose personal data the customer chooses to include in workspace content.

Categories of Customer Personal Data

Customer Personal Data may include the categories submitted by the customer or generated through customer-requested workflows.

  • Identifiers and contact information, such as names, emails, social handles, profile URLs, company names, role titles, and contact notes.
  • Business and product context, such as market, niche, product idea, product profile, launch plan, creator/deal notes, imported product records, and customer-defined tags.
  • Public profile or source context, such as public creator information, public listing details, public ad/source snippets, source URLs, public engagement metrics, and public business signals.
  • Workspace content, prompts, research notes, saved outputs, generated drafts, scripts, briefs, artifact records, launch checklists, creator outreach drafts, and analytics notes.
  • Usage, support, security, and operational metadata connected to customer-controlled workspace activity.
  • Any other information the customer or its users choose to submit into TrendRise.

Sensitive and prohibited data

TrendRise is not designed for highly sensitive personal data, regulated health data, raw payment card data, government identifiers, children's data, biometric identifiers, precise location data, private keys, passwords, secrets, or data requiring special compliance regimes unless a signed written agreement expressly allows it.

  • Customers should not submit special categories of data under GDPR, sensitive personal information under US state privacy laws, protected health information, financial account credentials, criminal-conviction data, or children's data into normal TrendRise workflows.
  • Customers should not put secrets, API keys, raw card numbers, bank details, passwords, private keys, or regulated credentials into prompts, support tickets, product fields, URLs, browser storage, or uploads.
  • If sensitive data is accidentally submitted, the customer should promptly delete it where possible and contact privacy@trendrise.io or security@trendrise.io if assistance is needed.
  • TrendRise may remove, restrict, quarantine, or delete prohibited data where allowed by the agreement and applicable law.

Security measures

TrendRise should maintain reasonable technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature, scope, context, purposes, and risk of processing.

  • Access controls: role-based internal access where practical, least-privilege access, account authentication, admin restrictions, and removal of access when no longer needed.
  • Authentication and session security: provider-managed authentication, protected routes, session controls, and workspace membership checks.
  • Encryption and transport: HTTPS/TLS in transit and provider-managed encryption at rest where available through hosting, database, storage, authentication, and payment providers.
  • Secrets handling: environment variables and provider-managed secret storage for production secrets; no secrets committed to the repo.
  • Logging and monitoring: application, provider, billing, source-request, security, and error logs used for operations, troubleshooting, fraud prevention, and incident response.
  • Backups and resilience: provider-managed database/storage resilience where configured, deployment controls, and reasonable recovery processes.
  • Tenant and workspace controls: workspace-scoped data access patterns, membership checks, and separation between raw source payloads and scored opportunity records where practical.
  • Change management: source control, build checks, deployment review, and documentation updates for meaningful product/security changes.
  • Vendor management: use of subprocessors with contractual, technical, or operational safeguards appropriate to their function.
  • Incident response: investigation, containment, remediation, documentation, and legally required notice processes.

Security measures may evolve as TrendRise matures. The Security page and any signed security exhibit should reflect the production controls in place at launch.

Customer security responsibilities

The customer remains responsible for security choices under its control.

  • Protect user credentials, email accounts, devices, and authentication factors.
  • Invite only authorized users and promptly remove users who no longer need access.
  • Use appropriate workspace roles, account settings, source choices, exports, and deletion workflows.
  • Review generated outputs and exported artifacts before sharing them externally.
  • Do not submit prohibited data, secrets, regulated data, or third-party confidential data without authority.
  • Notify TrendRise promptly of suspected unauthorized access, compromised accounts, exposed workspace data, or security issues involving Customer Personal Data.

Confidentiality and personnel

TrendRise should ensure that people authorized to process Customer Personal Data are bound by confidentiality obligations or appropriate statutory duties and receive access only where needed for operations, support, security, legal, compliance, or service-delivery reasons.

  • TrendRise should limit internal access to Customer Personal Data to personnel or contractors with a legitimate need.
  • Personnel should process Customer Personal Data according to the agreement, this DPA, internal policies, and applicable law.
  • TrendRise should take reasonable steps to ensure departing personnel lose access to systems where Customer Personal Data may be processed.
  • Support access should be limited to what is reasonably needed to respond to the customer's request, troubleshoot the service, investigate misuse, or comply with legal obligations.

Subprocessors

The customer gives TrendRise general authorization to use subprocessors to provide, secure, support, host, improve, bill, and operate the service, subject to this DPA and any signed agreement.

  • TrendRise should maintain a Subprocessors page identifying key providers and the functions they support.
  • TrendRise should impose data-protection obligations on subprocessors that are appropriate to their role and materially similar to the relevant obligations in this DPA.
  • TrendRise remains responsible for subprocessors' processing of Customer Personal Data to the extent required by applicable law and the agreement.
  • TrendRise may add, replace, or remove subprocessors as the service evolves.
  • Enterprise customers may request additional notice and objection procedures through a signed agreement or order form.
  • A customer's objection to a new subprocessor should be based on reasonable data-protection grounds and handled through the process in the signed agreement where one exists.

Current subprocessor categories

TrendRise's current operating model may use subprocessors in categories such as hosting, database, storage, authentication, billing, payments, email, AI/model processing, source data, analytics, support, security, internal operations, and deployment infrastructure.

  • Core providers currently expected include Vercel, Neon or another Postgres provider, Vercel Blob or equivalent storage, GitHub, Clerk, Stripe, Resend, OpenAI or compatible model providers where enabled, Apify and selected source providers where configured, Notion, Slack, and business email providers.
  • The Subprocessors page should remain the operational provider list and should be updated before broad customer launch.
  • Providers can process different categories of data depending on the feature used, the customer's configuration, and the provider's function.
  • Customer-facing subprocessor descriptions should avoid exposing secrets, internal security architecture, or non-public vendor details.

Data subject requests

Taking into account the nature of processing, TrendRise should provide reasonable assistance for customer obligations to respond to data subject requests where Customer Personal Data is processed by TrendRise as processor and the customer cannot reasonably fulfill the request through available product features.

  • Requests may involve access, deletion, correction, restriction, portability, objection, opt-out, or similar rights under applicable law.
  • The customer is responsible for verifying the request, deciding how to respond, and communicating with the data subject unless TrendRise is independently required to respond.
  • TrendRise may redirect requests from data subjects to the customer where TrendRise acts as processor.
  • TrendRise may charge reasonable fees or require a separate statement of work for requests that are unusually complex, broad, manual, repetitive, or outside standard product controls, where allowed by law and the agreement.

DPIAs and regulatory consultations

TrendRise should provide reasonable information and assistance for customer data protection impact assessments, prior consultations, security obligations, and regulatory inquiries where required by applicable law and where the information is available to TrendRise.

  • Assistance may include security summaries, subprocessor information, transfer information, product-processing descriptions, and incident information where applicable.
  • TrendRise is not responsible for the customer's DPIA conclusions, lawful basis, notices, data minimization, source choices, marketing choices, creator/customer processing, or use of generated outputs.
  • Customers should notify TrendRise before using TrendRise for high-risk processing that may require a DPIA or prior consultation.
  • Custom questionnaires, audits, legal reviews, or security reviews may require reasonable scope limits, confidentiality, scheduling, and fees.

Personal-data breaches

TrendRise should notify affected customers without undue delay after confirming a personal-data breach affecting Customer Personal Data, where required by applicable law. TrendRise should investigate, contain, remediate, document, and communicate known information as it becomes reasonably available.

  • Notice may include the known nature of the incident, affected systems or data categories where known, approximate affected records where known, mitigation steps, recommended customer actions, and a contact point.
  • TrendRise may provide notices in phases as investigation develops.
  • A notice is not an admission of fault, liability, legal violation, or breach of contract.
  • The customer is responsible for determining whether it must notify regulators, data subjects, customers, clients, partners, or other parties unless applicable law requires TrendRise to notify directly.
  • TrendRise may delay or limit details where disclosure would harm security, violate law, compromise an investigation, reveal another customer's information, or expose sensitive security controls.

Incident cooperation

The parties should cooperate reasonably on confirmed personal-data breaches affecting Customer Personal Data.

  • The customer should promptly provide information TrendRise reasonably requests to investigate incidents involving the customer's workspace, users, exports, integrations, or instructions.
  • TrendRise may require the customer to rotate credentials, remove users, disable integrations, review exports, pause workflows, or take other protective steps.
  • The customer should not publicly attribute an incident to TrendRise until the facts are reasonably established.
  • TrendRise may preserve relevant records for security, legal, insurance, compliance, fraud-prevention, and dispute purposes.

International transfers

Customer Personal Data may be processed in countries where TrendRise, its personnel, or its subprocessors operate. Where a Restricted Transfer occurs, the parties should rely on a lawful transfer mechanism such as an adequacy decision, Standard Contractual Clauses, the UK International Data Transfer Addendum or International Data Transfer Agreement, the Swiss addendum or adaptations where applicable, an approved certification or code, or another lawful transfer mechanism.

  • For EEA transfers to a non-EEA processor or subprocessor, the 2021 European Commission Standard Contractual Clauses may apply where required.
  • The appropriate SCC module should be selected based on the parties' roles, such as controller-to-processor, processor-to-processor, controller-to-controller, or processor-to-controller.
  • For UK transfers, the parties may need the UK Addendum or UK IDTA, subject to counsel review.
  • For Swiss transfers, Swiss law-specific adaptations may be required, subject to counsel review.
  • Where transfer-impact assessment or supplementary measures are required, the parties should cooperate reasonably using information available to them.
  • Subprocessors may rely on their own lawful transfer mechanisms, but TrendRise should maintain appropriate contractual safeguards where required.

SCC order of precedence

Where Standard Contractual Clauses apply to a Restricted Transfer, the SCCs should prevail over conflicting terms in this DPA or the main agreement to the extent required by the SCCs. The parties should not modify the SCCs except to select modules, complete appendices, add allowed business terms, or make permitted local-law adaptations.

  • Commercial liability caps, warranty disclaimers, confidentiality terms, audit limits, or support procedures should not undermine mandatory SCC rights or obligations.
  • The final DPA should include completed SCC appendices once counsel confirms the legal entity, exporter/importer roles, transfer countries, subprocessor list, technical and organizational measures, and supervisory authority.
  • If a new transfer tool replaces or supplements the SCCs, TrendRise may update the DPA or execute updated transfer terms as required.

Government and law-enforcement requests

If TrendRise receives a legally binding request from a government, court, regulator, or law-enforcement authority for Customer Personal Data, TrendRise should evaluate the request and respond as required by law.

  • TrendRise should notify the customer where legally permitted and appropriate.
  • TrendRise may challenge, narrow, or seek clarification of requests where reasonable and legally permitted.
  • TrendRise may be prohibited from giving notice or details in some circumstances.
  • TrendRise should avoid voluntarily disclosing Customer Personal Data to government authorities except where legally required, necessary to protect rights/safety/security, or permitted by the agreement and applicable law.

Deletion and return

Upon termination of the agreement or a valid deletion request, TrendRise should delete or return Customer Personal Data according to available product workflows and legal obligations, subject to retention needed for billing, tax, security, fraud prevention, backup, dispute, legal, compliance, audit, enforcement, and legitimate business-continuity purposes.

  • Customers may be able to export or copy certain workspace content before termination, depending on product functionality.
  • TrendRise may delete active workspace content after termination, account closure, nonpayment, policy violation, or customer request according to the retention schedule and product capabilities.
  • Backups may expire on a delayed cycle and may not be individually searchable or restorable for one customer except through disaster-recovery processes.
  • TrendRise may retain limited records such as billing, invoices, credit ledgers, fraud logs, security logs, support records, legal notices, dispute records, Partner attribution, commission records, policy-version stamps, and aggregated/de-identified records.
  • Deletion of Customer Personal Data from active systems may not delete copies already exported, downloaded, sent to third parties, or processed by the customer outside TrendRise.

Return format and export limits

Where TrendRise offers return or export of Customer Personal Data, export format and scope depend on available product functionality and the nature of the data.

  • Exports may include reports, workspace content, generated outputs, artifacts, CSV files, Markdown files, PDFs, ZIPs, or other formats supported by the product.
  • TrendRise may omit internal logs, security signals, fraud signals, confidential system information, other customers' data, proprietary scoring logic, provider secrets, and data that cannot reasonably be exported.
  • Custom exports may require a separate statement of work, reasonable fees, identity verification, or additional security review.

Audit and records

TrendRise should make reasonable information available to demonstrate compliance with this DPA where required by applicable law. Audit rights should be exercised in a way that protects security, confidentiality, other customers, and service availability.

  • Reasonable compliance information may include this DPA, the Security page, Subprocessors page, privacy documentation, security summaries, questionnaire responses, certifications if available, penetration-test summaries if available, or other appropriate materials.
  • Onsite audits, source-code reviews, raw log access, vulnerability details, provider contracts, and unrestricted system access are not standard and should require a signed enterprise agreement, strict confidentiality, scope limits, advance notice, and security controls.
  • Audits should occur no more than once per year unless required by law or after a confirmed material incident affecting Customer Personal Data.
  • The customer should first use available documentation before requesting a custom audit.
  • TrendRise may charge reasonable fees for custom audit support where allowed by law and the agreement.

Records of processing

TrendRise should maintain records reasonably needed to show its processing as a processor for Customer Personal Data and as a controller for its own operational records, where required by applicable law.

  • Records may include processing purposes, categories of data, subprocessor categories, transfer mechanisms, technical and organizational measures, and incident documentation.
  • TrendRise may also maintain operational records such as credit usage, generated-output metadata, source-search logs, artifact records, support records, and admin action logs.
  • The final production records should align with the Privacy Policy, Subprocessors page, Security page, and retention schedule.

AI and model-provider processing

TrendRise may use AI/model providers or compatible model infrastructure to generate reports, product briefs, scripts, summaries, research outputs, launch plans, creator outreach, and other customer-requested materials where enabled.

  • Customers should avoid submitting sensitive or prohibited data into prompts, source notes, product profiles, support tickets, or generated-output workflows.
  • TrendRise should configure model-provider use consistent with the agreement, DPA, provider terms, and product settings available at the time.
  • Model providers may process prompts, workspace context, source excerpts, generated outputs, metadata, and error information needed to deliver the requested workflow.
  • TrendRise may use deterministic or saved-output fallbacks where a provider is unavailable or where saved output can be reused without a new provider call.
  • Counsel and engineering should finalize whether any provider uses Customer Personal Data for model training, abuse monitoring, retention, or service improvement before public launch and document that in the DPA/Subprocessors page.

Source-provider and public-data processing

TrendRise may use public, licensed, or authorized source providers to search trends, markets, social platforms, ads, creator profiles, product listings, marketplaces, and related evidence. These workflows can combine customer instructions with source-provider results.

  • Customers are responsible for choosing source searches and for reviewing whether source results are appropriate for their use case.
  • TrendRise should keep raw provider payloads server-side where practical and return normalized source items to the product.
  • Source providers may have their own terms, privacy rules, usage limits, and data restrictions.
  • Customers should not use TrendRise to evade platform terms, scrape prohibited data, collect sensitive data unlawfully, or build unlawful profiles.
  • If a customer imports private source data or connects private systems in the future, separate processing terms may be required.

US state privacy service-provider terms

Where US state privacy laws apply and TrendRise processes Customer Personal Data as a service provider, processor, or contractor, TrendRise should process that data only for permitted business purposes and not sell or share it as those laws define those terms, except as instructed by the customer or permitted by law.

  • TrendRise should not retain, use, or disclose Customer Personal Data outside the business purposes described in the agreement except as permitted by applicable law.
  • TrendRise should not combine Customer Personal Data with personal data from other sources except as permitted by applicable law, such as for security, fraud prevention, service delivery, debugging, or internal operations.
  • TrendRise should help the customer respond to consumer privacy requests where required and where the customer cannot reasonably do so through the product.
  • Final CCPA/CPRA and other US state privacy wording should be reviewed by counsel before launch.

De-identified and aggregated data

TrendRise may use aggregated, de-identified, or anonymized information for service improvement, analytics, reliability, security, cost control, product development, benchmarking, and business reporting where permitted by law and the agreement.

  • TrendRise should not attempt to re-identify de-identified data except to test or validate de-identification, investigate security issues, or comply with law where permitted.
  • Aggregated or de-identified information should not reveal Customer Personal Data or identify the customer unless the customer has agreed or the information is otherwise public.
  • The final DPA should align de-identified data language with the Privacy Policy, Terms, and US state privacy requirements.

Limits of assistance

TrendRise's assistance obligations should be limited to what is reasonable, technically feasible, legally required, and available to TrendRise given the nature of the service and processing.

  • TrendRise is not required to build custom compliance features, change product architecture, provide legal advice, disclose other customers' information, compromise security, or violate provider obligations.
  • TrendRise may require identity verification, authorization checks, admin approval, written scope, confidentiality, and reasonable fees before performing custom assistance.
  • TrendRise may refuse requests that are abusive, repetitive, unlawful, unsafe, outside the agreement, or disproportionate to the processing.

Order of documents and liability

This DPA should be read with the main agreement. Commercial liability, indemnity, warranty, dispute-resolution, and remedy terms should remain in the main agreement unless this DPA, the SCCs, or applicable law requires otherwise.

  • Counsel should confirm whether DPA-specific liability caps, uncapped liabilities, indemnities, third-party beneficiary rights, or regulatory fines need separate treatment.
  • Nothing in this DPA should limit data subject rights or supervisory authority powers where law does not allow limitation.
  • If the SCCs apply, their liability and third-party-beneficiary provisions may override conflicting commercial limitations to the extent required.

DPA updates

TrendRise may update this DPA as the product, providers, laws, transfer tools, security measures, subprocessors, and support workflows change. Updates should be handled according to the agreement and applicable law.

  • Material DPA updates may require notice, customer acceptance, an updated order form, or a signed amendment depending on the customer relationship.
  • Subprocessor updates should follow the Subprocessors page and any signed notice/objection process.
  • If a required legal term changes, TrendRise may update the DPA or require execution of revised terms before continuing affected processing.

Contact

DPA, privacy, subprocessor, security, and data-processing questions should be routed to TrendRise's legal, privacy, or security inboxes.

  • DPA and contract questions: legal@trendrise.io.
  • Privacy and data-subject request coordination: privacy@trendrise.io.
  • Security questions and vulnerability reports: security@trendrise.io.
  • General support: support@trendrise.io.