Skip to content

Legal

Data Processing Agreement

Last updated: July 1, 2026

This Data Processing Agreement (DPA) describes how Grndly handles personal data on behalf of its customers. It is provided as an informational template to help you understand our practices. Enterprise customers can request a countersigned DPA for their records.

1. Purpose and scope

This DPA applies where Grndly processes personal data on behalf of a customer in the course of providing the service. It supplements our Terms of Service and Privacy Policy.

2. Definitions

  • Controller — the party that decides why and how personal data is processed.
  • Processor — the party that processes personal data on behalf of the controller.
  • Data subject — the individual the personal data relates to.

3. Roles of the parties

For personal data processed through the service, the customer is the controller and Grndly is the processor. Grndlyprocesses personal data only on the customer’s documented instructions, including as set out in the service and this DPA.

4. Details of processing

  • Nature — hosting, storing, and processing project content to deliver Grndly, including AI-generated reports.
  • Purpose — to provide, secure, and support the service.
  • Categories of data — account details, contact information, project content, and usage data.
  • Categories of data subjects — owners, workers, clients, and other authorized users.

5. Sub-processors

Grndly uses vetted sub-processors, such as hosting, storage, and AI providers, to deliver the service. We require each sub-processor to protect personal data to a standard consistent with this DPA, and we remain responsible for their performance.

6. Security measures

We maintain appropriate technical and organizational measures to protect personal data, including encryption in transit and at rest, access controls, logging, and regular security reviews. These measures are designed to protect against unauthorized access, loss, or disclosure.

7. Assisting with data subject requests

Where a data subject exercises their rights, such as access, correction, or deletion, Grndly provides reasonable tools and assistance to help the customer respond, taking into account the nature of the processing.

8. Breach notification

If Grndlybecomes aware of a personal data breach affecting the customer’s data, we will notify the customer without undue delay and provide the information reasonably needed to meet their obligations.

9. International transfers

Where personal data is transferred across borders, Grndly uses appropriate safeguards, such as Standard Contractual Clauses (SCCs), to ensure the data remains protected in line with applicable law.

10. Audits

On reasonable request, Grndly makes available information necessary to demonstrate compliance with this DPA and, subject to confidentiality and appropriate notice, supports audits carried out by the customer or an authorized auditor.

11. Deletion or return of data

On termination of the service, Grndlywill delete or return the customer’s personal data in line with our retention practices and applicable law, unless we are required to retain it for legal reasons.

12. Contact

For questions about this DPA or to request a signed copy, email privacy@grndly.com.

This document is provided for general information and does not constitute legal advice. Questions? Email legal@grndly.com.