Data Processing Agreement
Last updated: January 1, 2026
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person processed by TripGain on behalf of Client under this Agreement. "Processing" means any operation performed on Personal Data.
2. Data Processing Scope
TripGain shall process Personal Data solely for the purpose of providing travel management services as described in the MSA. The categories of data include: employee names, contact details, travel preferences, booking information, payment data, and travel history.
3. Data Controller and Processor
Client is the Data Controller and TripGain is the Data Processor. Client determines the purposes and means of processing. TripGain processes data only on documented instructions from Client.
4. Sub-processors
Client authorizes TripGain to engage sub-processors including: Amazon Web Services (cloud infrastructure), Stripe (payment processing), Twilio (communications), and Intercom (customer support). TripGain shall notify Client of any sub-processor changes.
5. Data Security
TripGain implements technical and organizational measures including: encryption at rest (AES-256) and in transit (TLS 1.3), access controls, multi-factor authentication, regular security audits, and employee training.
6. Data Breach Notification
TripGain shall notify Client within 24 hours of becoming aware of a personal data breach. Notification shall include the nature of the breach, the categories affected, the likely consequences, and the remedial measures.
7. Data Retention and Deletion
Upon termination of the MSA, TripGain shall delete or return all Personal Data within 90 days, except where retention is required by applicable law. Data is retained for the duration of the Agreement plus 90 days.
8. International Transfers
Personal Data may be stored and processed in the United States, European Union, and India. TripGain ensures appropriate safeguards including Standard Contractual Clauses for cross-border data transfers.
9. Data Subject Rights
TripGain shall assist Client in responding to data subject requests for access, rectification, erasure, restriction, portability, and objection within applicable legal timeframes.