Data Processing Agreement (DPA)

Effective Date: 11/28/2025

This Data Processing Agreement ("DPA") governs the processing of personal data by getgrip.ai ("we," "our," or "us") on behalf of our customers ("you" or "Customer") in connection with our services. This DPA forms part of our Terms of Service and Privacy Policy.

1. Definitions

"Controller" means the entity which determines the purposes and means of the processing of personal data.
"Processor" means the entity which processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data, including collection, storage, use, and deletion.
"Subprocessor" means any third party engaged by us to process personal data on your behalf.
"Data Subject" means the natural person to whom personal data relates.

2. Scope and Purpose

This DPA applies to all processing of personal data carried out by getgrip.ai in the course of providing our services, including but not limited to:

Hosting and infrastructure services
Database management and storage
Message queue and communication services
Vector database and search services
AI and machine learning services
Application deployment and content delivery

3. Roles and Responsibilities

Customer as Controller: You are the Controller of the personal data processed through our services. You are responsible for ensuring that you have the necessary legal basis for processing personal data and that you have obtained all required consents from Data Subjects.

getgrip.ai as Processor: We act as a Processor and will process personal data only in accordance with your documented instructions and this DPA. We will not process personal data for any purpose other than providing our services to you.

4. Data Processing Details

4.1 Categories of Data Subjects

Personal data may relate to the following categories of data subjects:

End users of your services
Your employees and contractors
Other individuals whose data you process through our services

4.2 Types of Personal Data

The types of personal data we process may include:

Contact information (names, email addresses)
Account information and credentials
Usage data and analytics
Communication data
Any other personal data you choose to process through our services

4.3 Processing Operations

We process personal data for the following operations:

Storage and hosting of data
Database operations and queries
Message routing and queuing
Vector search and retrieval
AI-powered text processing and generation
Application deployment and content delivery
Backup and disaster recovery

5. Subprocessors

We engage certain third-party service providers ("Subprocessors") to assist in providing our services. These Subprocessors process personal data on our behalf and are contractually bound to maintain appropriate security and confidentiality measures.

We maintain an up-to-date list of our Subprocessors below. We will notify you of any changes to this list by updating this page. By continuing to use our services after such updates, you consent to the engagement of new Subprocessors.

5.1 Current Subprocessors

Infrastructure & Hosting

Heroku

Service: Cloud application platform and hosting

Location: United States (with data centers globally)

Purpose: Application hosting, runtime environment, and infrastructure management

Data Processed: Application data, user data, system logs

Vercel Inc.

Service: Frontend hosting and content delivery network

Location: United States (with global CDN)

Purpose: Website hosting, static asset delivery, and edge computing

Data Processed: Website usage data, IP addresses, request logs

Database Services

MongoDB Atlas

Service: Managed MongoDB database service

Location: United States (with regional data centers)

Purpose: Primary database storage and management

Data Processed: All application data, user data, configuration data

Qdrant

Service: Vector database and similarity search

Location: Cloud-hosted (location varies by deployment)

Purpose: Vector embeddings storage and semantic search

Data Processed: Vector embeddings, metadata, search queries

Message Queue Services

CloudAMQP

Service: Managed message queue service (RabbitMQ/AMQP)

Location: Cloud-hosted (location varies by deployment)

Purpose: Asynchronous message processing and task queuing

Data Processed: Message payloads, queue metadata, processing logs

AI & Machine Learning Services

OpenAI

Service: Artificial intelligence and machine learning API services

Location: United States (with data centers globally)

Purpose: Natural language processing, text generation, and AI-powered features

Data Processed: User queries, text inputs, conversation data, generated responses

5.2 Subprocessor Obligations

All Subprocessors are contractually required to:

Process personal data only in accordance with our instructions
Implement appropriate technical and organizational security measures
Maintain confidentiality of personal data
Assist us in responding to data subject requests
Notify us of any data breaches
Comply with applicable data protection laws

6. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:

Encryption of data in transit using TLS/SSL protocols
Encryption of data at rest where supported by our Subprocessors
Access controls and authentication mechanisms
Regular security assessments and monitoring
Backup and disaster recovery procedures
Employee training on data protection

7. Data Subject Rights

We will assist you in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, including:

Right of access
Right to rectification
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object to processing

If we receive a request directly from a Data Subject, we will forward it to you and await your instructions before responding.

8. Data Breach Notification

In the event of a personal data breach, we will:

Notify you without undue delay after becoming aware of the breach
Provide you with all relevant information about the breach
Assist you in notifying relevant supervisory authorities and Data Subjects, if required
Take reasonable steps to mitigate the effects of the breach

9. Data Transfers

Personal data may be transferred to and processed in countries outside of your jurisdiction. We ensure that such transfers comply with applicable data protection laws through:

Standard Contractual Clauses approved by relevant authorities
Other appropriate safeguards as required by law
Compliance with applicable data protection frameworks

10. Data Retention and Deletion

We will retain personal data only for as long as necessary to provide our services or as required by law. Upon termination of our services or upon your request, we will:

Delete or return all personal data to you
Delete existing copies unless storage is required by law
Ensure that Subprocessors also delete the data

11. Audits and Compliance

We will make available to you all information necessary to demonstrate compliance with this DPA. Upon reasonable notice, we will allow for and contribute to audits conducted by you or your authorized representatives, subject to appropriate confidentiality obligations.

12. Term and Termination

This DPA will remain in effect for as long as we process personal data on your behalf. Upon termination of our services, the provisions of this DPA will continue to apply until all personal data has been deleted or returned.

13. Changes to This DPA

We may update this DPA from time to time to reflect changes in our services or applicable laws. Material changes will be notified to you, and continued use of our services after such notification constitutes acceptance of the updated DPA.

14. Governing Law

This DPA is governed by the laws applicable to our Terms of Service, without regard to conflict of law principles.

15. Contact Us

If you have questions or concerns about this DPA or our data processing practices, please contact us at:

Email: [email protected]

Address: getgrip.ai, Strada Trossi 41 Verrone (BI), Italy

Last Updated: November 28, 2025