Trikaraa Policies

Data Processing Agreement (DPA)

Effective Date: [Insert Date]

This Data Processing Agreement ("DPA") forms part of the applicable enterprise agreement, subscription agreement, master services agreement, pilot agreement, or other contractual arrangement ("Agreement") between:

  • The client organisation ("Controller" or "Client") and
  • TRIKARAA powered by Hexateal ("Processor", "TRIKARAA", "Hexateal", "we", "our", or "us")

This DPA governs the processing of personal data and organisational data in connection with the provision of the TRIKARAA platform and associated services.

1. Purpose and Scope

This DPA establishes the responsibilities, obligations, and safeguards related to:

  • processing of personal and organisational data
  • confidentiality and security
  • enterprise governance
  • AI and analytics-related processing
  • data access and handling
  • breach notification procedures
  • deletion and retention obligations

This DPA applies where TRIKARAA processes personal data or organisational data on behalf of the Client.

2. Definitions

2.1 Controller

The Client organisation that determines the purposes and means of processing personal data.

2.2 Processor

TRIKARAA powered by Hexateal acting on behalf of the Client in processing personal data or organisational data.

2.3 Personal Data

Any information relating to an identified or identifiable individual.

2.4 Organisational Data

Any enterprise, workforce, operational, behavioural, analytical, or business-related information processed within the platform.

2.5 Processing

Any operation performed on data including collection, storage, organisation, access, analysis, transmission, deletion, or use.

2.6 Applicable Laws

Applicable privacy, data protection, labour, employment, cybersecurity, and regulatory laws governing the processing of personal or organisational data.

3. Nature of the Platform

TRIKARAA operates as:

  • an organisational intelligence environment
  • a leadership decision-support system
  • a contextual reflection and decision clarity framework

The platform may utilise:

  • analytics systems
  • AI and machine learning models
  • organisational intelligence frameworks
  • behavioural and operational pattern analysis
  • decision-support processing

TRIKARAA is not intended to:

  • replace organisational governance
  • independently determine employment outcomes
  • provide legal, medical, psychiatric, or financial advice
  • function as an autonomous decision-making system

4. Scope of Data Processing

The Processor may process data necessary to:

  • provide platform functionality
  • support organisational intelligence capabilities
  • support leadership decision environments
  • maintain platform security and reliability
  • support analytics and reporting
  • perform troubleshooting and diagnostics
  • improve system functionality
  • fulfil contractual obligations

Categories of processed data may include:

  • user profile information
  • workforce analytics
  • organisational structures
  • leadership and capability data
  • behavioural interaction information
  • operational metrics
  • decision-support inputs
  • enterprise system integration data

5. Controller Responsibilities

The Client organisation represents and warrants that it:

  • has lawful authority to process and share the data
  • has obtained required notices, permissions, or consents where applicable
  • will comply with applicable data protection and employment laws
  • will ensure appropriate governance and oversight
  • remains responsible for the legality and accuracy of uploaded data

The Client remains solely responsible for:

  • employment decisions
  • organisational governance
  • workforce actions
  • interpretation of platform outputs
  • compliance with applicable laws and regulations

6. Processor Responsibilities

TRIKARAA and Hexateal agree to:

  • process data only for authorised purposes
  • implement commercially reasonable security safeguards
  • maintain confidentiality obligations
  • restrict unauthorised access
  • support organisational governance requirements where reasonably applicable
  • notify the Client of confirmed security incidents as required under applicable law

TRIKARAA will not knowingly:

  • sell Client personal data to unrelated third parties
  • use Client data for unrelated commercial purposes
  • disclose confidential data except as authorised or legally required

7. Confidentiality Obligations

TRIKARAA and Hexateal shall ensure that personnel with access to Client data:

  • are subject to confidentiality obligations
  • receive appropriate access restrictions
  • are authorised to process data only where necessary

The Client is responsible for:

  • internal access management
  • role-based permissions
  • governance of authorised users

8. Security Measures

TRIKARAA and Hexateal shall implement commercially reasonable administrative, technical, and organisational safeguards.

Security measures may include:

  • access controls
  • authentication mechanisms
  • encrypted transmission where applicable
  • infrastructure monitoring
  • activity logging
  • vulnerability management
  • role-based permissions
  • secure hosting practices

No platform can guarantee absolute security.

Both parties acknowledge the inherent risks associated with internet-based systems and digital data processing.

9. AI and Analytics Processing

The platform may utilise:

  • AI systems
  • machine learning models
  • organisational intelligence frameworks
  • predictive analytics
  • behavioural pattern analysis

The Client acknowledges that:

  • AI-generated outputs are probabilistic in nature
  • outputs may not always be complete or contextually sufficient
  • human oversight and independent evaluation remain essential

TRIKARAA outputs must not be treated as autonomous organisational decisions.

10. Restricted and Sensitive Processing

The platform must not knowingly be used for:

  • unlawful discrimination
  • unlawful employee profiling
  • coercive surveillance
  • automated employment actions without human oversight
  • medical diagnosis
  • psychiatric evaluation
  • unlawful behavioural targeting
  • emergency response management

Sensitive organisational matters including:

  • harassment
  • discrimination
  • misconduct
  • self-harm concerns
  • violence
  • legal disputes

must be escalated through appropriate organisational channels.

11. Subprocessors

TRIKARAA and Hexateal may utilise approved subprocessors, vendors, hosting providers, or infrastructure providers necessary for platform operation.

Where applicable:

  • commercially reasonable safeguards shall be implemented
  • subprocessors shall be subject to appropriate confidentiality and security obligations

A list of significant subprocessors may be provided upon reasonable request where contractually required.

12. International Data Transfers

Depending on infrastructure configuration, data may be processed or stored in jurisdictions outside the Client's local region.

TRIKARAA and Hexateal shall implement commercially reasonable safeguards for international transfers where applicable under relevant law.

13. Security Incident and Breach Notification

In the event of a confirmed security incident involving Client data, TRIKARAA and Hexateal shall:

  • take commercially reasonable steps to contain and investigate the incident
  • notify the Client within a commercially reasonable timeframe where legally required
  • cooperate reasonably in providing relevant incident information

Notification of an incident does not constitute admission of liability.

14. Data Retention and Deletion

Client data may be retained:

  • for the duration of the Agreement
  • as required for operational continuity
  • for security, legal, audit, or compliance purposes
  • according to contractual obligations

Upon termination of the Agreement and subject to applicable law and operational requirements:

  • data may be deleted, anonymised, or returned where commercially feasible
  • backup retention periods may continue for reasonable operational purposes

15. Audit and Compliance Cooperation

Where contractually agreed and subject to reasonable notice, confidentiality obligations, and operational limitations:

  • TRIKARAA may provide reasonable information regarding security and governance practices
  • the Client may request limited compliance-related documentation

The Processor is not required to disclose:

  • proprietary security architecture
  • confidential operational information
  • information that could compromise platform security

16. Limitation of Liability

To the maximum extent permitted under applicable law:

  • TRIKARAA and Hexateal shall not be liable for indirect, incidental, consequential, punitive, or speculative damages arising from data processing activities
  • organisational decision accountability remains with the Client
  • the platform is provided as a decision-support and organisational intelligence environment

Nothing in this DPA transfers organisational governance or workforce accountability to TRIKARAA or Hexateal.

17. Termination

This DPA shall remain effective for the duration of the applicable Agreement or for so long as TRIKARAA processes Client data.

TRIKARAA and Hexateal reserve the right to suspend or terminate services where:

  • unlawful use is detected
  • security risks arise
  • contractual obligations are violated
  • governance breaches occur

18. Governing Law

This DPA shall be governed in accordance with:

  • the applicable enterprise agreement
  • governing contractual terms
  • applicable privacy and data protection laws

19. Contact Information

For questions regarding this DPA, privacy, security, or governance matters, please contact:

TRIKARAA powered by Hexateal — [Insert Email] — [Insert Website] — [Insert Registered Address]