Trust Center

Effective Date: 1 August 2026


TriFact365 provides the Service to business customers via a secure, cloud-based platform that is accessible worldwide: our customers can use the Service anywhere with an internet connection. This Trust Center describes our data protection, security, and compliance practices.

Our Approach

For us, security is not a separate layer on top of the product, but an inherent feature of the product itself. We design, develop, and manage our Software based on the principle that your data is processed to the minimum extent necessary, stored securely, and accessible only to those who need it to provide the service.

Three guiding principles drive our work:

  • Primary processing within the European Economic Area (EEA). Your Customer Data is primarily processed and stored within the EEA. Specific processing locations for TriFact365 and our subprocessors are listed in the "Our Infrastructure" section below and on our Subprocessors page. Transfers outside the EEA only take place with appropriate safeguards in accordance with the GDPR.

  • No sale, no reuse by third parties. We do not sell Customer Data or share it for commercial purposes or for third-party model training.

  • Tool, not a replacement. Our AI assists with recognition and classification, but you remain ultimately responsible for the results.

Compliance Status Overview

TriFact365's data protection and compliance practices are designed to be applicable globally to customers in all jurisdictions where TriFact365 offers the Service. The frameworks listed below form the core of the compliance framework. For specific local compliance requirements of Customers outside the European Economic Area, the United Kingdom, and Switzerland, additional Addenda are available upon request via our contact page.

Framework

Status

Target / Achieved

Scope

Verifiable via

ISO 27001:2022

ISMS under development in accordance with the standard — external certification in preparation

External certification in preparation — phase [implementation].

TriFact365 SaaS platform

N/A until the start of the audit period

SOC 2 Type II

On roadmap

To follow ISO 27001 certification

TriFact365 SaaS platform

N/A until the start of the audit period

GDPR

Compliant

Ongoing

Full processing

Data Processing Agreement + Privacy Statement

EU AI Act

Non-high-risk classification

Compliant on an ongoing basis for applicable provisions

AI functionalities in the Software

AI Terms and Conditions (classification and implementation)

EU Data Act

Compliant with the transitional regime under Article 29 of the EU Data Regulation

Fully compliant after the transition period expires

SaaS offering

Switching and Data Portability Terms and Conditions (Annex A)

Our Current Status Regarding Certifications

A certification is not an endpoint but a snapshot of work that must continue on an ongoing basis. This is our current status:

ISO 27001

TriFact365's Information Security Management System (ISMS) is under development in accordance with ISO/IEC 27001:2022. External certification is in preparation. Progress and milestones achieved will be updated in this section.

Current phase: [implementation]

Scope: The TriFact365 SaaS platform and the underlying organisation that provides, manages, and supports the SaaS service.

Questions: For specific questions about policies and controls, please contact us via the email address at the bottom of this page.

SOC 2

SOC 2 Type II is on our roadmap. We will begin the process after completing ISO 27001 certification.

Rationale for phasing: ISO 27001 and SOC 2 overlap substantially—our ISMS work covers approximately 70% of the SOC 2 Trust Service Criteria. A sequential approach prevents duplication of effort and accelerates both processes.

Intended scope: TriFact365 SaaS platform + organisation. The final scope will be determined at the start of the audit period.

GDPR

We comply with the General Data Protection Regulation (GDPR). See our Privacy Statement and Data Processing Agreement for full details regarding our roles as a processor and controller.

EU AI Act

Our AI functionalities are designed in such a way that they do not qualify as high-risk AI systems within the meaning of Annex III of the EU AI Act. See our AI Terms and Conditions.

Our Infrastructure

We host the TriFact365 Software with two cloud providers, both located in the Netherlands:

  • Google Cloud Platform (europe-west4 region, Netherlands) — ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1/2/3 certified

  • Microsoft Azure (West Europe region, Netherlands) — ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1/2/3 certified

All Customer Data is primarily processed within the EEA. For details on transfers outside the EEA, see the Data Processing Agreement.

Security Measures

We implement technical and organisational measures appropriate to the nature of the data we process:

  • encryption of data at rest and in transit

  • access restrictions based on roles and need-to-know

  • multi-factor authentication for all employees with access to production systems

  • logging, monitoring, and audit logging of system access

  • confidentiality obligations and security awareness training for all employees

  • regular backups; processing of backups within the EEA

Penetration Tests

We periodically subject our Software to external penetration tests. External penetration tests are conducted at least annually as part of our ISO 27001 implementation. Findings are systematically followed up on and incorporated into our security roadmap.

Data Breaches and Incident Response

In the event of a data breach, we notify affected customers without undue delay and no later than 72 hours after discovery. See our Data Processing Agreement for the full procedure.

Status & Incident History

On our public Status Page, we keep customers and interested parties informed about current outages and past incidents. There, we publish:

  • The current availability status of the Service

  • The incident history for the past 90 days

The Status Page is accessible via status.trifact365.com.

The Status Page is a transparency tool in addition to the legal Service Level Agreement. The agreements regarding availability, maintenance, and response times are set forth in the Service Level Agreement; no rights may be derived from the Status Page.

Subprocessors

Our subprocessors for Customer Data are listed on the Subprocessors page. Changes will be announced at least 14 days in advance via email or a notification within the Software; the Customer may object within 10 days through the support channel in the Software. In urgent circumstances—such as a legal obligation or an acute security incident—we may engage or replace a subprocessor with immediate effect, while the right to object remains in effect. See our Data Processing Agreement for the full procedure.

Data Export and Formats

During the term of the Subscription, the Customer may export its own data using the Software's standard export features—either per screen or as an archive export.

Category

Format

Submitted documents and attachments

PDF, or the original file format

Processing results and reports

Excel (.xlsx)

Reports on your own configuration (users, integrations, schemas)

Excel (.xlsx)

Archive export (complete set, per administration)

One or more ZIP files

These formats are structured, commonly used, and machine-readable within the meaning of Article 30(5) of the EU Data Regulation. A complete description of the export options for each screen is available on the Data Export page. The terms and conditions for export and switching are set forth in the Switching and Data Portability Terms and Conditions.

Termination and Reactivation

Upon termination of the Subscription, the right to use the Software, including the standard export options, expires. The Account remains accessible for 90 days. During that period, the Customer may reactivate the Subscription via the Software; access to the Software will then be restored under the terms and conditions in effect at that time. After 90 days, TriFact365 will delete the Account and the Customer Data, subject to any legal retention obligations.

The Customer is solely responsible for backing up Customer Data in a timely manner. Prior to termination, the Customer may export data using the export features in the Software. If the Customer needs to keep Customer Data available for a longer period—for example, to comply with a legal retention obligation—this requires an active Subscription for the entire duration of that period.

The full legal provisions are set forth in Article 7 of our General Terms and Conditions and in the Switching and Data Portability Terms and Conditions.

Requests from Government Authorities and Law Enforcement Agencies

TriFact365 discloses Customer Data solely on the basis of a legally valid and binding obligation under Dutch or European law. To the extent permitted by law:

  • we will contest requests that are excessive, vague, or unlawful;

  • we inform the Customer prior to disclosure, in accordance with Article 9.1 of our Data Processing Agreement;

  • we will disclose only the strictly necessary data.

TriFact365 does not voluntarily comply with requests from authorities in the absence of a legal obligation.

When transferring personal data outside the European Economic Area, the safeguards set forth in our Data Processing Agreement apply, including the EU Standard Contractual Clauses.

Questions about Compliance

For specific questions about our compliance status or to request supporting documents that are not publicly available, the Customer may submit a request via our contact page. Requests are logged and handled by the appropriate team.

Related Documents


End of TriFact365 Trust Center

TriFact365 B.V.
Arnhemseweg 10, 3817 CH Amersfoort, The Netherlands | Chamber of Commerce No. 30262227 | VAT No. NL820778540B01