Data Processing Addendum
GDPR-compliant data processing terms for enterprise customers
If you need a countersigned or PDF copy of the DPA, contact legal@grainql.com.
DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum ("DPA") forms part of the agreement between Cybentis Oy (Business ID 3593125-1), doing business as Grain ("Processor", "we", "us"), and the customer using the Services ("Controller", "Customer"). It applies to the extent Grain processes Personal Data on the Customer's behalf in connection with the Services.
This DPA supplements the Grain Terms of Service and Privacy Policy. If there is a conflict between this DPA and the Terms with respect to Customer Personal Data processing, this DPA controls.
1. Roles and Scope
The parties agree that, for Customer Personal Data processed through the Services on the Customer's behalf, the Customer acts as Controller (or Processor, as applicable) and Grain acts as Processor (or Subprocessor, as applicable).
Grain may separately act as an independent controller for account administration, billing, fraud prevention, security, product communications, and compliance obligations relating to the Customer's own Grain account.
2. Subject Matter and Nature of Processing
Grain provides privacy-focused analytics, reporting, heatmaps, session replay, APIs, data export tooling, support workflows, and AI-assisted analytics features. Processing may include collection, organization, storage, querying, retrieval, analysis, export, deletion, and anonymization of Customer Personal Data.
AI-assisted features involve sending aggregated analytics context, user prompts, and tool results to third-party AI inference providers via API. By default, AI conversation history (messages, tool results, and AI responses) is stored in Supabase to enable conversation continuity, digest generation, and report creation. AI inference providers receive data via API-only access and do not use Customer Personal Data for model training.
The duration of processing is the term of the parties' agreement plus any time required to complete exports, deletion workflows, backup rotation, or legally required retention.
3. Instructions and Confidentiality
Grain will process Customer Personal Data only on the Customer's documented instructions, including as set out in the agreement, the Customer's product configuration, and the Customer's use of the Services, unless otherwise required by applicable law.
Grain will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
4. Security Measures
Grain maintains technical and organizational measures designed to protect Customer Personal Data, including:
- Encryption in transit (TLS 1.3 for all communications, HTTPS enforced on all endpoints)
- Encryption at rest (AES-256 for all stored data, encrypted backups)
- Access controls and OAuth2 JWT authentication safeguards
- Multi-tenant isolation with database-level separation (UUID-based tenant partitioning, tenant_id filtering on all queries)
- Row-Level Security (RLS) on conversation and AI data stores
- Role-based access restrictions for internal personnel
- Operational logging, monitoring, and alerting
- Pseudonymization capabilities (rotating session IDs, IP anonymization options)
- Backup and disaster recovery procedures (hourly tenant database backups, daily analytics backups, cross-region replication)
- Personnel confidentiality obligations
5. Data Breach Notification
Grain will notify the Customer without undue delay, and in any event no later than 48 hours, after becoming aware of a Personal Data breach affecting Customer Personal Data. The notification will include, to the extent reasonably available:
- The nature of the breach, including the categories and approximate number of data subjects and records concerned
- The name and contact details of the point of contact for further information
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
Grain will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each such breach. Grain will provide ongoing updates as additional information becomes available.
6. Audit Rights
Grain will make available to the Customer, on request, information necessary to demonstrate compliance with this DPA and applicable data protection law.
The Customer (or a qualified third-party auditor appointed by the Customer and bound by appropriate confidentiality obligations) may conduct an audit of Grain's processing activities covered by this DPA, subject to the following conditions:
- The Customer provides at least 30 days' prior written notice of the audit
- Audits are limited to once per 12-month period, unless required by a supervisory authority or following a Personal Data breach
- The audit is conducted during normal business hours and does not unreasonably disrupt Grain's operations
- Audit findings and any Grain confidential information accessed during the audit are treated as confidential
Where Grain has obtained relevant third-party certifications or audit reports (e.g., SOC 2), Grain may provide these in lieu of a physical audit, provided they reasonably address the Customer's audit objectives.
7. Assistance with Controller Obligations
Taking into account the nature of processing and the information available to Grain, Grain will provide reasonable assistance to the Customer in:
- Ensuring compliance with security of processing obligations (GDPR Article 32)
- Data breach notification obligations (GDPR Articles 33 and 34)
- Data protection impact assessments where the Customer's use of the Services is likely to result in a high risk to data subjects (GDPR Article 35)
- Prior consultation with supervisory authorities where required (GDPR Article 36)
8. Subprocessors
The Customer grants Grain general authorization to use subprocessors and infrastructure providers to deliver the Services. Grain remains responsible for its subprocessors' processing to the extent required by applicable law. Grain will impose data protection obligations on each subprocessor that are no less protective than those in this DPA.
Grain will provide the Customer with at least 30 days' prior notice before adding or replacing a subprocessor that processes Customer Personal Data. The notice will identify the new subprocessor, its purpose, and its location.
The Customer may object to a new subprocessor by notifying Grain in writing within the 30-day notice period, providing reasonable grounds related to data protection. Grain will make commercially reasonable efforts to address the objection, which may include offering an alternative configuration. If Grain cannot reasonably accommodate the objection, either party may terminate the affected Services upon written notice without penalty.
9. International Transfers
Grain's primary analytics processing occurs in the European Union. Analytics data is stored on Hetzner infrastructure in Helsinki, Finland (HEL1), with backups on Azure in Frankfurt, Germany and Cloudflare EU storage. AI conversation data is stored in Supabase (EU region).
Some AI inference, support, billing, communications, and security operations may involve processing outside the EEA, UK, or Switzerland (e.g., Groq and Browserbase in the US).
Where Grain transfers Customer Personal Data to a jurisdiction that does not provide an adequate level of protection, Grain will use the European Commission's Standard Contractual Clauses (2021 version):
- Module 2 (Controller-to-Processor) for transfers from the Customer to Grain
- Module 3 (Processor-to-Sub-processor) for onward transfers from Grain to its subprocessors
Supplementary measures include:
- Encryption in transit (TLS 1.3) and at rest (AES-256) for all Customer Personal Data
- API-only access for AI inference providers, with no model training on Customer Personal Data
- Access controls limiting data exposure to the minimum necessary for processing
- Pseudonymization of analytics data where technically feasible
- Data processing agreements with all subprocessors restricting processing to documented instructions
10. Assistance with Data Subject Requests
Taking into account the nature of the processing, Grain will provide reasonable assistance to help the Customer respond to requests relating to access, deletion, correction, restriction, portability, or objection, using the tools and workflows available in the Services.
11. Return and Deletion
Upon termination of the Services or on the Customer's documented instruction, Grain will delete, anonymize, or return Customer Personal Data in accordance with the parties' agreement, applicable law, and the configuration of the Services.
Retention durations configured in the Customer's privacy settings are honored by scheduled deletion processes, subject to limited operational grace periods, backup rotation, and any legal hold or statutory retention requirement. Following account termination:
- Primary analytics data will be deleted within 30 days
- AI conversation data (Supabase) will be deleted within 90 days
- Backups will be rotated and purged within 90 days
12. Annex I: Categories of Data and Data Subjects
| Category | Description |
|---|---|
| Data subjects | End users of the Customer's websites or applications, and Customer personnel using Grain |
| Personal data | Pseudonymous identifiers, event data, page URLs, referrers, browser / device / OS data, timezone, location derived from IP or request headers, consent records, support context, and account / billing contact data |
| AI conversation data | User prompts, AI responses, aggregated analytics context, tool call results, digests, memories, findings, and reports generated through Kai AI features |
| Special cases | Heatmap, session replay, and DOM snapshot data when those features are enabled (may inadvertently capture PII visible on screen — Grain provides masking and exclusion tools); any identifiers or custom properties the Customer chooses to send through the SDK or APIs |
13. Annex II: Current Subprocessors and Providers
Infrastructure Providers
| Provider | Purpose | Location |
|---|---|---|
| Hetzner | Primary analytics infrastructure, event storage (ClickHouse), and tenant database | Finland (Helsinki, HEL1) |
| Azure (Microsoft) | Secondary backup, replication, and workloads | Germany (Frankfurt) |
| Cloudflare | CDN, DDoS protection, SSL, backup storage, and request-level enrichment (geo headers) | Global (EU-preferred) |
| Supabase | AI conversation history, digests, memories, reports, findings, and operational data | EU |
| Vercel | Frontend hosting, serverless functions, and CDN | EU and other Vercel regions |
Service Providers
| Provider | Purpose | Location |
|---|---|---|
| Auth0 (Okta) | Authentication and identity management | EU / US |
| Stripe | Payment processing and billing | EU / US |
| Customer.io | Product and transactional messaging | EU |
| Intercom | Customer support messaging | EU / US |
| Slack | Operational notifications and request handling | US / EU |
AI Inference Providers
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Groq | Primary AI inference (hosts OpenAI-compatible models). API-only, no training on customer data | US | SCCs (Module 3) + supplementary measures |
| Google Cloud AI | AI inference for advanced features (Gemini models). API-only, no training on customer data | EU / US | SCCs (Module 3) + supplementary measures |
| Straico | Optional AI model routing. API-only, no training on customer data | Provider-dependent | SCCs (Module 3) where applicable |
| Browserbase | Automated website analysis during onboarding (via Stagehand browser automation) | US | SCCs (Module 3) + supplementary measures |
14. Governing Law and Venue
This DPA is governed by the laws of Finland. Any dispute arising out of or in connection with this DPA will be subject to the courts of Helsinki, Finland, unless mandatory law requires otherwise.
Cybentis Oy
PL 157, 00101, Helsinki, Finland
legal@grainql.com