Legal
Data Processing Agreement
Last updated: July 1, 2026
This Data Processing Agreement (DPA) describes how Grndly handles personal data on behalf of its customers. It is provided as an informational template to help you understand our practices. Enterprise customers can request a countersigned DPA for their records.
1. Purpose and scope
This DPA applies where Grndly processes personal data on behalf of a customer in the course of providing the service. It supplements our Terms of Service and Privacy Policy.
2. Definitions
- Controller — the party that decides why and how personal data is processed.
- Processor — the party that processes personal data on behalf of the controller.
- Data subject — the individual the personal data relates to.
3. Roles of the parties
For personal data processed through the service, the customer is the controller and Grndly is the processor. Grndlyprocesses personal data only on the customer’s documented instructions, including as set out in the service and this DPA.
4. Details of processing
- Nature — hosting, storing, and processing project content to deliver Grndly, including AI-generated reports.
- Purpose — to provide, secure, and support the service.
- Categories of data — account details, contact information, project content, and usage data.
- Categories of data subjects — owners, workers, clients, and other authorized users.
5. Sub-processors
Grndly uses vetted sub-processors, such as hosting, storage, and AI providers, to deliver the service. We require each sub-processor to protect personal data to a standard consistent with this DPA, and we remain responsible for their performance.
6. Security measures
We maintain appropriate technical and organizational measures to protect personal data, including encryption in transit and at rest, access controls, logging, and regular security reviews. These measures are designed to protect against unauthorized access, loss, or disclosure.
7. Assisting with data subject requests
Where a data subject exercises their rights, such as access, correction, or deletion, Grndly provides reasonable tools and assistance to help the customer respond, taking into account the nature of the processing.
8. Breach notification
If Grndlybecomes aware of a personal data breach affecting the customer’s data, we will notify the customer without undue delay and provide the information reasonably needed to meet their obligations.
9. International transfers
Where personal data is transferred across borders, Grndly uses appropriate safeguards, such as Standard Contractual Clauses (SCCs), to ensure the data remains protected in line with applicable law.
10. Audits
On reasonable request, Grndly makes available information necessary to demonstrate compliance with this DPA and, subject to confidentiality and appropriate notice, supports audits carried out by the customer or an authorized auditor.
11. Deletion or return of data
On termination of the service, Grndlywill delete or return the customer’s personal data in line with our retention practices and applicable law, unless we are required to retain it for legal reasons.
12. Contact
For questions about this DPA or to request a signed copy, email privacy@grndly.com.
This document is provided for general information and does not constitute legal advice. Questions? Email legal@grndly.com.