Trivium

Trivium—Data Processing Addendum (DPA)

Effective date: July 4, 2026 Last updated: July 4, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Trivium ("we", "us"; the "Processor") and the school or organization that subscribes to the Service (the "School", "Controller") (together, the "Agreement"). It governs Trivium's processing of personal information on the School's behalf. If there is a conflict, this DPA controls over the rest of the Agreement on the subject of data protection. Capitalized terms not defined here have the meaning given in the Terms of Use and Privacy Policy.


1. Roles of the parties

For Customer Data—the student, guardian, and staff records and other personal information a School provides to or generates in the Service—the School is the controller and Trivium is the processor / service provider, processing only on the School's documented instructions. Specifically, Trivium acts as:

  • a "school official" with a legitimate educational interest under FERPA (US), under the School's direct control;
  • a processor under UK GDPR / EU GDPR, as applicable; and
  • a service provider under PIPEDA and applicable provincial law (Canada).

Trivium processes a limited set of information (e.g. School administrator contact and billing details, account‑security data) as a controller; that processing is governed by the Privacy Policy, not this DPA.

2. Scope and instructions

Trivium will process Customer Data only to provide and support the Service, as described in the Agreement, and on the School's documented instructions (including via configuration of the Service). Trivium will not sell Customer Data, will not use it for advertising, and will not use it for any purpose other than providing the Service—including not using it to train third‑party AI models. If Trivium believes an instruction violates applicable data‑protection law, it will inform the School.

3. Confidentiality

Trivium ensures that personnel authorized to process Customer Data are bound by confidentiality obligations and access it only on a need‑to‑know basis.

4. Security measures

Trivium maintains technical and organizational measures appropriate to the risk, including at least:

AreaMeasure
Tenant isolationPer‑row, per‑school access control enforced in the database (row‑level security), so one School's data is not accessible to another
EncryptionEncryption in transit (TLS) for all connections; encryption at rest for the database and file storage
Access controlRole‑based access within the Service; least‑privilege administrative access; authentication on every request
AuditabilityLogging of sensitive changes (e.g. grade changes, assistant actions) and infrastructure access
SecretsService credentials and API keys held server‑side only; never exposed to the browser
ResilienceManaged, backed‑up database with point‑in‑time recovery via our infrastructure provider

Security is a shared responsibility: the School is responsible for managing its own users' accounts, roles, and the accuracy of consents it grants.

5. Subprocessors

The School authorizes Trivium to engage the subprocessors listed at [/subprocessors](/subprocessors) to process Customer Data. Each subprocessor is bound by written terms no less protective than this DPA. Before adding or replacing a subprocessor that processes Customer Data, Trivium will update that page and notify the School at least 30 days in advance, during which the School may object on reasonable data‑protection grounds; the parties will then work in good faith to resolve the objection. Trivium remains responsible for its subprocessors' performance.

6. Assistance to the School

Taking into account the nature of the processing, Trivium will provide reasonable assistance to the School to:

  • respond to requests from individuals to access, correct, delete, or export their records (the School directs such requests; see the Privacy Policy);
  • meet the School's own security, breach‑notification, and data‑protection‑impact‑assessment obligations.

Because the School controls Customer Data, individuals (parents, guardians, students, staff) should direct rights requests about their records to the School first; Trivium will support the School in responding.

7. Personal data breach

Trivium will notify the School without undue delay, and in any case within 72 hours of becoming aware of a personal data breach affecting Customer Data, with the information reasonably available to help the School meet its own notification duties, and will take reasonable steps to mitigate and remediate.

8. Children's data (FERPA / COPPA)

Much of the Customer Data concerns minors. Trivium handles student "education records" as a FERPA "school official" and uses them only to provide the Service. For students under 13, the School provides and manages consent on behalf of parents for the educational use of the Service, consistent with COPPA's school‑consent guidance. Trivium does not condition a student's participation on collecting more information than is reasonably necessary, and does not use children's data for behavioral advertising or to build profiles unrelated to the Service.

9. International transfers

Where Customer Data is transferred across borders, the parties will rely on a lawful transfer mechanism (e.g. UK/EU Standard Contractual Clauses / UK Addendum, or other approved safeguards) as applicable. Hosting regions for each subprocessor are stated at /subprocessors.

10. Audits

Trivium will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including by responding to a reasonable annual security questionnaire, subject to confidentiality and reasonable scheduling.

11. Return and deletion

On termination or expiry of the Agreement, the School may export its Customer Data for 30 days. Trivium will then delete or de‑identify Customer Data within 90 days of termination, except records legally required to be retained (including financial records retained as required by tax law), which Trivium will isolate and protect.

12. Liability and conflicts

The liability provisions of the Agreement apply to this DPA. To the extent of any conflict on data protection, this DPA prevails.


This DPA is executed electronically. It takes effect for a School when an authorized School administrator accepts it in the Service during onboarding (or on a later sign-in after the DPA is updated). The administrator's acceptance — including who accepted, on which school's behalf, the DPA version, and the date — is recorded and retained by Trivium, and confirms the administrator is authorized to bind the School.

A School that requires a countersigned paper copy may request one at privacy@usetrivium.com; the click-through acceptance remains effective in the meantime.

Contact for data‑protection matters: privacy@usetrivium.com