Data Processing Addendum

GDPR-compliant data processing terms for enterprise customers

If you need a countersigned or PDF copy of the DPA, contact legal@grainql.com.

DATA PROCESSING ADDENDUM (DPA)

Last Updated: March 11, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Cybentis Oy (Business ID 3593125-1), doing business as Grain ("Processor", "we", "us"), and the customer using the Services ("Controller", "Customer"). It applies to the extent Grain processes Personal Data on the Customer's behalf in connection with the Services.

This DPA supplements the Grain Terms of Service and Privacy Policy. If there is a conflict between this DPA and the Terms with respect to Customer Personal Data processing, this DPA controls.

1. Roles and Scope

The parties agree that, for Customer Personal Data processed through the Services on the Customer's behalf, the Customer acts as Controller (or Processor, as applicable) and Grain acts as Processor (or Subprocessor, as applicable).

Grain may separately act as an independent controller for account administration, billing, fraud prevention, security, product communications, and compliance obligations relating to the Customer's own Grain account.

2. Subject Matter and Nature of Processing

Grain provides privacy-focused analytics, reporting, heatmaps, session replay, APIs, data export tooling, support workflows, and AI-assisted analytics features. Processing may include collection, organization, storage, querying, retrieval, analysis, export, deletion, and anonymization of Customer Personal Data.

The duration of processing is the term of the parties' agreement plus any time required to complete exports, deletion workflows, backup rotation, or legally required retention.

3. Instructions and Confidentiality

Grain will process Customer Personal Data only on the Customer's documented instructions, including as set out in the agreement, the Customer's product configuration, and the Customer's use of the Services, unless otherwise required by applicable law.

Grain will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.

4. Security Measures

Grain maintains technical and organizational measures designed to protect Customer Personal Data, including:

  • Encryption in transit
  • Access controls and authentication safeguards
  • Operational logging, monitoring, and alerting
  • Role-based access restrictions where applicable
  • Incident handling procedures and legally required notifications

5. Subprocessors

The Customer grants Grain general authorization to use subprocessors and infrastructure providers to deliver the Services. Grain remains responsible for its subprocessors' processing to the extent required by applicable law.

Grain may update its subprocessors from time to time. Material changes will be reflected in our public legal materials or otherwise communicated to customers.

6. International Transfers

Grain's primary analytics processing is designed to occur in the European Union. Some support, billing, communications, AI, security, and infrastructure operations may involve processing outside the EEA, UK, or Switzerland.

Where Grain transfers Customer Personal Data to a jurisdiction that does not provide an adequate level of protection, Grain will use an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses, together with supplementary measures where appropriate.

7. Assistance with Data Subject Requests

Taking into account the nature of the processing, Grain will provide reasonable assistance to help the Customer respond to requests relating to access, deletion, correction, restriction, portability, or objection, using the tools and workflows available in the Services.

Grain provides privacy settings, consent-audit tooling, export workflows, and deletion / anonymization endpoints. Some requests may require verification or manual processing by the Grain team.

8. Return and Deletion

Upon termination of the Services or on the Customer's documented instruction, Grain will delete, anonymize, or return Customer Personal Data in accordance with the parties' agreement, applicable law, and the configuration of the Services.

Retention durations configured in the Customer's privacy settings are honored by scheduled deletion processes, subject to limited operational grace periods, backup rotation, and any legal hold or statutory retention requirement.

9. Annex I: Categories of Data and Data Subjects

Category       | Description
Data subjects  | End users of the Customer's websites or applications, and Customer personnel using Grain
Personal data  | Pseudonymous identifiers, event data, page URLs, referrers, browser / device / OS data, timezone, location derived from IP or request headers, consent records, support context, and account / billing contact data
Special cases  | Heatmap, session replay, and DOM snapshot data when those features are enabled; any identifiers or custom properties the Customer chooses to send through the SDK or APIs

10. Annex II: Current Subprocessors and Providers

Provider                                   | Purpose                                             | Typical location
Vercel                                     | Frontend hosting and CDN                            | EU and other Vercel regions
Auth0 (Okta)                               | Authentication and identity management              | EU / US
Stripe                                     | Payment processing and billing                      | EU / US
Customer.io                                | Product and transactional messaging                 | EU
Intercom                                   | Customer support messaging                          | EU / US
Slack                                      | Operational notifications and request handling      | US / EU
Cloudflare                                 | CDN, security, and request-level enrichment         | Global
OpenAI, Groq, Google Cloud AI, Straico     | AI-assisted analytics features                      | Configuration-dependent
Amazon S3-compatible object storage        | Snapshot, archive, and object storage where used    | Configuration-dependent

11. Governing Law and Venue

This DPA is governed by the laws of Finland. Any dispute arising out of or in connection with this DPA will be subject to the courts of Helsinki, Finland, unless mandatory law requires otherwise.

Cybentis Oy
PL 157, 00101, Helsinki, Finland
legal@grainql.com