Trust Center
Effective Date: 1 August 2026
TriFact365 provides the Service to business customers via a secure, cloud-based platform that is accessible worldwide: our customers can use the Service anywhere with an internet connection. This Trust Center describes our data protection, security, and compliance practices.
Our Approach
For us, security is not a separate layer on top of the product, but an inherent feature of the product itself. We design, develop, and manage our Software based on the principle that your data is processed to the minimum extent necessary, stored securely, and accessible only to those who need it to provide the service.
Three guiding principles drive our work:
Primary processing within the European Economic Area (EEA). Your Customer Data is primarily processed and stored within the EEA. Specific processing locations for TriFact365 and our subprocessors are listed in the "Our Infrastructure" section below and on our Subprocessors page. Transfers outside the EEA only take place with appropriate safeguards in accordance with the GDPR.
No sale, no reuse by third parties. We do not sell Customer Data or share it for commercial purposes or for third-party model training.
Tool, not a replacement. Our AI assists with recognition and classification, but you remain ultimately responsible for the results.
Compliance Status Overview
TriFact365's data protection and compliance practices are designed to be applicable globally to customers in all jurisdictions where TriFact365 offers the Service. The frameworks listed below form the core of the compliance framework. For specific local compliance requirements of Customers outside the European Economic Area, the United Kingdom, and Switzerland, additional Addenda are available upon request via our contact page.
Our Current Status Regarding Certifications
A certification is not an endpoint but a snapshot of work that must continue on an ongoing basis. This is our current status:
ISO 27001
TriFact365's Information Security Management System (ISMS) is under development in accordance with ISO/IEC 27001:2022. External certification is in preparation. Progress and milestones achieved will be updated in this section.
Current phase: [implementation]
Scope: The TriFact365 SaaS platform and the underlying organisation that provides, manages, and supports the SaaS service.
Questions: For specific questions about policies and controls, please contact us via the email address at the bottom of this page.
SOC 2
SOC 2 Type II is on our roadmap. We will begin the process after completing ISO 27001 certification.
Rationale for phasing: ISO 27001 and SOC 2 overlap substantially—our ISMS work covers approximately 70% of the SOC 2 Trust Service Criteria. A sequential approach prevents duplication of effort and accelerates both processes.
Intended scope: TriFact365 SaaS platform + organisation. The final scope will be determined at the start of the audit period.
GDPR
We comply with the General Data Protection Regulation (GDPR). See our Privacy Statement and Data Processing Agreement for full details regarding our roles as a processor and controller.
EU AI Act
Our AI functionalities are designed in such a way that they do not qualify as high-risk AI systems within the meaning of Annex III of the EU AI Act. See our AI Terms and Conditions.
Our Infrastructure
We host the TriFact365 Software with two cloud providers, both located in the Netherlands:
Google Cloud Platform (
europe-west4region, Netherlands) — ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1/2/3 certifiedMicrosoft Azure (
West Europeregion, Netherlands) — ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1/2/3 certified
All Customer Data is primarily processed within the EEA. For details on transfers outside the EEA, see the Data Processing Agreement.
Security Measures
We implement technical and organisational measures appropriate to the nature of the data we process:
encryption of data at rest and in transit
access restrictions based on roles and need-to-know
multi-factor authentication for all employees with access to production systems
logging, monitoring, and audit logging of system access
confidentiality obligations and security awareness training for all employees
regular backups; processing of backups within the EEA
Penetration Tests
We periodically subject our Software to external penetration tests. External penetration tests are conducted at least annually as part of our ISO 27001 implementation. Findings are systematically followed up on and incorporated into our security roadmap.
Data Breaches and Incident Response
In the event of a data breach, we notify affected customers without undue delay and no later than 72 hours after discovery. See our Data Processing Agreement for the full procedure.
Status & Incident History
On our public Status Page, we keep customers and interested parties informed about current outages and past incidents. There, we publish:
The current availability status of the Service
The incident history for the past 90 days
The Status Page is accessible via status.trifact365.com.
The Status Page is a transparency tool in addition to the legal Service Level Agreement. The agreements regarding availability, maintenance, and response times are set forth in the Service Level Agreement; no rights may be derived from the Status Page.
Subprocessors
Our subprocessors for Customer Data are listed on the Subprocessors page. Changes will be announced at least 14 days in advance via email or a notification within the Software; the Customer may object within 10 days through the support channel in the Software. In urgent circumstances—such as a legal obligation or an acute security incident—we may engage or replace a subprocessor with immediate effect, while the right to object remains in effect. See our Data Processing Agreement for the full procedure.
Data Export and Formats
During the term of the Subscription, the Customer may export its own data using the Software's standard export features—either per screen or as an archive export.
These formats are structured, commonly used, and machine-readable within the meaning of Article 30(5) of the EU Data Regulation. A complete description of the export options for each screen is available on the Data Export page. The terms and conditions for export and switching are set forth in the Switching and Data Portability Terms and Conditions.
Termination and Reactivation
Upon termination of the Subscription, the right to use the Software, including the standard export options, expires. The Account remains accessible for 90 days. During that period, the Customer may reactivate the Subscription via the Software; access to the Software will then be restored under the terms and conditions in effect at that time. After 90 days, TriFact365 will delete the Account and the Customer Data, subject to any legal retention obligations.
The Customer is solely responsible for backing up Customer Data in a timely manner. Prior to termination, the Customer may export data using the export features in the Software. If the Customer needs to keep Customer Data available for a longer period—for example, to comply with a legal retention obligation—this requires an active Subscription for the entire duration of that period.
The full legal provisions are set forth in Article 7 of our General Terms and Conditions and in the Switching and Data Portability Terms and Conditions.
Requests from Government Authorities and Law Enforcement Agencies
TriFact365 discloses Customer Data solely on the basis of a legally valid and binding obligation under Dutch or European law. To the extent permitted by law:
we will contest requests that are excessive, vague, or unlawful;
we inform the Customer prior to disclosure, in accordance with Article 9.1 of our Data Processing Agreement;
we will disclose only the strictly necessary data.
TriFact365 does not voluntarily comply with requests from authorities in the absence of a legal obligation.
When transferring personal data outside the European Economic Area, the safeguards set forth in our Data Processing Agreement apply, including the EU Standard Contractual Clauses.
Questions about Compliance
For specific questions about our compliance status or to request supporting documents that are not publicly available, the Customer may submit a request via our contact page. Requests are logged and handled by the appropriate team.
Related Documents
— End of TriFact365 Trust Center —
TriFact365 B.V.
Arnhemseweg 10, 3817 CH Amersfoort, The Netherlands | Chamber of Commerce No. 30262227 | VAT No. NL820778540B01