GritFlow
Back to LegalLegal

Data Processing Addendum

Last updated: June 4, 2026

This Data Processing Addendum (the “DPA”) is incorporated into the Terms of Service (the “Terms”) between GritFlow AI, LLC, a Wyoming limited liability company (“GritFlow,” “we,” “us,” or “our”), and the customer that accesses or uses the Services (“Customer,” “you,” or “your”). It applies whenever GritFlow processes personal data on the Customer's behalf in connection with the Services.

1. Introduction and Definitions

In plain terms: when there is personal data inside what you submit to the Services, you (or your own customer) decide what happens to it, and GritFlow only handles it to run the Services for you. This DPA writes that down — what we may do with that data, how we protect it, who else may touch it, and what we do if something goes wrong. Capitalized terms used but not defined here have the meanings given in the Terms.

This DPA reflects the requirements of Article 28 of the GDPR (and the equivalent UK GDPR provisions) for engaging a processor, and the service-provider/contractor requirements of the CCPA/CPRA. For clarity:

  • “Controller” (and “Business” under the CCPA/CPRA) means the party that, alone or with others, determines the purposes and means of the Processing of personal data. For Customer Personal Data, the Controller is the Customer (or, where the Customer itself acts on behalf of its own customer, that underlying organization).
  • “Processor” (and “Service Provider” or “Contractor” under the CCPA/CPRA) means the party that Processes personal data on behalf of the Controller. For Customer Personal Data, the Processor is GritFlow.
  • “Customer Personal Data” means the personal data contained in Customer Data, and any other personal data, that GritFlow Processes on the Customer's behalf to provide the Services under the Terms. It includes the Layer-2 personal data of the Customer's own end users that GritFlow Processes inside a Customer Application or Deployed Application on the Customer's behalf (see Section 2). It does not include data for which GritFlow is itself the Controller — including Service Data (see Section 13) — which is governed by the Privacy Policy.
  • “Service Data” means the telemetry, logs, configuration and usage records, and the aggregated or de-identified data that GritFlow generates, derives, or maintains in the course of operating, securing, supporting, analyzing, billing for, and improving the Services and the GritFlow framework. Service Data is not Customer Personal Data, and GritFlow Processes it as an independent Controller as described in Section 13.
  • “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
  • “Processing” (and “Process”) means any operation performed on personal data — such as collection, recording, organization, storage, use, disclosure, transmission, or deletion — whether or not by automated means.
  • “Subprocessor” has the meaning given in the Terms: a third party engaged by GritFlow to Process Customer Personal Data or to host or operate the Services on GritFlow's behalf, including Third-Party AI Providers and Infrastructure Providers.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by GritFlow or a Subprocessor.
  • “Applicable Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Customer Personal Data under this DPA, including, as applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”); the UK GDPR and the UK Data Protection Act 2018 (together, “UK GDPR”); the California Consumer Privacy Act as amended by the California Privacy Rights Act and their implementing regulations (“CCPA/CPRA”); and other U.S. state privacy laws (for example, those of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana) to the extent they apply.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in its Implementing Decision (EU) 2021/914, as amended or replaced.
  • “UK IDTA” means the UK International Data Transfer Addendum to the EU SCCs (or the UK International Data Transfer Agreement) issued by the UK Information Commissioner under the UK GDPR, as amended or replaced.

“Customer Data,” “Services,” “Application,” “Customer Application,” “Deployed Application,” “Usage Data,” “AI Output,” “Subprocessor,” “Third-Party AI Provider,” “Infrastructure Provider,” and “Order” have the meanings given in the Terms.

2. Roles, Scope, and the Two Layers

GritFlow's world has two layers of personal data, the same split described in our Privacy Policy. This DPA governs only the data GritFlow Processes on the Customer's behalf:

  • The Customer is the Controller (and, under the EU AI Act, the “deployer” of the AI system) of Customer Personal Data. GritFlow is the Processor (and Service Provider/Contractor under the CCPA/CPRA).
  • This DPA covers two categories of Customer Personal Data:
  • (a) Data the Customer submits. The personal data contained in the Customer Data that the Customer and its Authorized Users submit to the Services — including prompts, content, and files.
  • (b) Layer-2 end-user data. The personal data of the Customer's own end users that GritFlow Processes inside a Customer Application or Deployed Application on the Customer's behalf. The Customer (not GritFlow) is the Controller of that data and is responsible for its own privacy notices, lawful basis, and responses to its end users; GritFlow Processes it only as the Customer's Processor under this DPA.

GritFlow Processes Customer Personal Data only to provide, secure, and support the Services in accordance with the Customer's documented instructions and the Terms. Where GritFlow acts as the Controller of its own data — for example, information about website visitors, account administrators, and billing, and the Service Data it generates to operate, secure, support, analyze, bill for, and improve the Services — that Processing is governed by the Privacy Policy and not by this DPA. The independent-Controller basis on which GritFlow Processes Service Data, and the limited categories of service, log, aggregated, and de-identified data involved, are described in Section 13.

3. Processing on Documented Instructions

GritFlow will Process Customer Personal Data only on the Customer's documented instructions, including with respect to international transfers, unless required to do otherwise by a law to which GritFlow is subject (in which case, where that law permits, GritFlow will inform the Customer of the legal requirement before Processing). The Customer's instructions are set out in this DPA, the Terms, any Order, and the configuration the Customer establishes within the Services. The Customer may issue additional reasonable written instructions consistent with the Terms.

The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data, for the means by which it acquired that data, and for having a valid legal basis and any required notices and consents for the Processing it instructs.

GritFlow will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws. GritFlow is not obligated to perform a legal review of the Customer's instructions and gives no assurance that an instruction does not infringe any law; this Section does not relieve the Customer of its responsibility as Controller.

4. Confidentiality

GritFlow will treat Customer Personal Data as the Customer's confidential information under the confidentiality terms of the Terms. GritFlow will ensure that the personnel it authorizes to Process Customer Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory) and are made aware of the confidential nature of the data, and will limit access to those personnel who need it to provide the Services.

5. Security Measures

GritFlow will implement and maintain appropriate administrative, technical, and physical measures designed to protect Customer Personal Data against a Personal Data Breach, appropriate to the risk and taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing. These measures are described in Annex II and summarized in our Security Overview.

Dedicated, isolated, customizable environment (the GritFlow commitment). Each Customer is provisioned a dedicated, isolated environment, and the Customer's Customer Personal Data is kept logically separated from that of other customers. GritFlow can configure and customize the security controls of that environment to meet the Customer's enterprise security requirements. This is a genuine commitment, not boilerplate: it is a core part of how GritFlow delivers the Services, and the specific controls available for a given Customer's environment can be agreed in an Order or a separate security exhibit.

Without limiting Annex II, GritFlow's measures include encryption of Customer Personal Data in transit and at rest, access controls and authentication for personnel and systems, and logging and monitoring of access to and activity within the Services.

6. Subprocessors

The Customer provides a general written authorization for GritFlow to engage Subprocessors to Process Customer Personal Data in connection with the Services. GritFlow makes the current itemized list of its Subprocessors available to the Customer on request (and provides it to customers under contract), as described at /legal/subprocessors and in Annex III. GritFlow does not publish the itemized list on a public page, for the security reasons described there.

  • Notice of changes. GritFlow will provide at least thirty (30) days' advance notice before a new or replacement Subprocessor begins Processing Customer Personal Data, by email to the Customer's account contact and/or in-product, except where urgent replacement is required for security, legal, availability, or continuity reasons.
  • Right to object. The Customer may object to a new Subprocessor on reasonable data-protection grounds by notifying GritFlow within fifteen (15) days after notice. The parties will work in good faith to address the objection; if they cannot, the Customer may, as its exclusive remedy, terminate the affected portion of the Services that cannot be provided without the Subprocessor.
  • Flow-down terms. GritFlow will engage each Subprocessor under a written contract that imposes data-protection obligations no less protective than those in this DPA, to the extent applicable to the services the Subprocessor provides.
  • GritFlow remains liable. GritFlow remains responsible for its Subprocessors' performance of their data-protection obligations and is liable to the Customer for their acts and omissions in Processing Customer Personal Data to the same extent GritFlow would be liable if performing those services itself.

GritFlow provides Subprocessor-change notices to customers under contract by email to the account contact and/or in-product.

7. Data Subject Requests

Taking into account the nature of the Processing, GritFlow will assist the Customer, by appropriate technical and organizational measures and insofar as reasonably possible, to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws (such as access, correction, deletion, restriction, objection, and portability).

If GritFlow receives a request directly from a Data Subject relating to Customer Personal Data, it will not respond to the request itself (except to confirm that the request relates to the Customer) and will, without undue delay, route the request to the Customer so that the Customer, as Controller, can respond.

8. Assistance

Taking into account the nature of the Processing and the information available to GritFlow, GritFlow will provide reasonable assistance to the Customer in meeting the Customer's obligations under Applicable Data Protection Laws with respect to:

  • the security of Processing (Section 5);
  • notification of, and communication about, Personal Data Breaches (Section 9);
  • data protection impact assessments (DPIAs); and
  • prior consultation with a supervisory authority where a DPIA indicates it is required.

GritFlow may charge a reasonable fee for assistance that exceeds the standard functionality of the Services or that requires significant effort, on notice to the Customer.

9. Personal Data Breach

GritFlow will notify the Customer without undue delay and, in any event, within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent reasonably available at the time, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures GritFlow has taken or proposes to take to address it. GritFlow will provide further information as it becomes available and will reasonably cooperate with the Customer in the Customer's investigation and response, including any notifications the Customer is required to make.

GritFlow's notification is not an acknowledgment or admission of fault or liability. This notification obligation does not apply to a Personal Data Breach caused by the Customer, its Authorized Users, or the Customer's own applications, configurations, integrations, or credentials. Unsuccessful security events — such as pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial-of-service attacks, packet sniffing, and similar events that do not result in unauthorized access to or acquisition of Customer Personal Data — are not Personal Data Breaches and do not require notification.

GritFlow sends Personal Data Breach notifications to the Customer's designated security or account contact (or, absent one, the account's primary contact) by email; the Customer may reach GritFlow about a breach at privacy@gritflowai.io.

10. Deletion or Return of Customer Personal Data

Upon expiration or termination of the Terms, GritFlow will, at the Customer's election, delete or return Customer Personal Data, consistent with the post-termination handling in the Terms. As provided in the Terms, for 30 days after termination the Customer may request export of its Customer Data in a commonly used format; after that window, GritFlow may delete Customer Personal Data in the ordinary course.

GritFlow may retain Customer Personal Data to the extent, and for as long as, required by law, and copies that reside in routine backups will be deleted or de-identified in the ordinary course of GritFlow's backup cycle. Customer Personal Data retained in backups or under a legal-retention requirement remains subject to the protections of this DPA until deleted. This Section does not apply to Service Data, which GritFlow Processes as an independent Controller under Section 13 and retains under its own retention practices.

11. Audits and Compliance

GritFlow will make available to the Customer information reasonably necessary to demonstrate compliance with its obligations under this DPA and Article 28 of the GDPR (and the equivalent UK GDPR provisions), and will allow for and contribute to audits and inspections conducted by the Customer or an auditor it mandates, subject to the following:

  • Reports satisfy the audit right. GritFlow's primary means of demonstrating compliance is documentary. Where available, GritFlow may satisfy an audit or inspection request by providing relevant third-party audit reports, penetration-test summaries, certifications, or its responses to a standard security questionnaire, in each case under an appropriate non-disclosure agreement, where these reasonably address the Customer's audit objectives. The Customer agrees that, where such materials reasonably meet its objectives, they satisfy GritFlow's obligation to allow for and contribute to an audit, and that an on-site audit is not required.
  • On-site audits only for cause. An on-site audit or inspection may be conducted only where (i) the documentary materials above do not reasonably address the Customer's audit objectives and cause exists — for example, following a Personal Data Breach affecting the Customer's Customer Personal Data, or where a supervisory authority requires it — and (ii) it is conducted on reasonable prior written notice, no more than once per twelve (12) months (except where required by a supervisory authority or following a Personal Data Breach), during normal business hours, scoped to GritFlow's systems and not those of other customers, and in a manner that does not unreasonably disrupt GritFlow's operations or compromise the security or confidentiality of other customers' data or its Subprocessors.
  • Confidentiality and cost. The auditor and the Customer must be bound by appropriate confidentiality obligations. The Customer bears its own costs and GritFlow's reasonable costs of any on-site audit it requests, except where the audit reveals GritFlow's material non-compliance with this DPA.

12. International Transfers

GritFlow is based in the United States and may Process Customer Personal Data there and in other countries. Where GritFlow Processes Customer Personal Data that is subject to the GDPR or UK GDPR and transfers it to a country that has not received an adequacy decision, the parties agree that the appropriate transfer mechanism applies and is incorporated into this DPA by reference:

  • the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) apply to transfers subject to the GDPR, with the module(s) appropriate to the parties' roles; and
  • the UK IDTA (or UK Addendum to the EU SCCs) applies to transfers subject to the UK GDPR.

The SCCs and the UK IDTA are incorporated by reference and, where they apply, the details in Annex I and Annex II populate their corresponding annexes. The parties do not reproduce the text of the SCCs or the UK IDTA in this DPA; the official, current text issued by the European Commission and the UK Information Commissioner governs.

GritFlow currently Processes Customer Personal Data in the United States and does not rely on cross-border transfer mechanisms. If and when GritFlow Processes Customer Personal Data subject to the GDPR or UK GDPR, Module Two of the SCCs applies where Customer is a Controller and GritFlow is a Processor; for onward transfers to Subprocessors, GritFlow uses Module Three or another lawful mechanism as applicable; and for UK transfers, the UK Addendum to the EU SCCs applies. The specific options (docking clause, governing law/forum, and transfer countries) will be completed in the applicable Annex when such transfers begin. Customers may request a copy of the applicable transfer terms at privacy@gritflowai.io.

13. AI Processing, No Training, and Service Data

Consistent with the Terms and the Privacy Policy:

  • No training on Customer Personal Data. GritFlow does not use Customer Personal Data — including prompts, inputs, AI Output generated for the Customer, Customer-specific embeddings, and processing logs tied to the Customer's environment — to train, fine-tune, or develop foundation models or any general-purpose AI model, whether its own or a third party's. GritFlow requires each Third-Party AI Provider, by contract or enabled enterprise/API configuration, to Process Customer Personal Data only to provide the Services to GritFlow and not to use it to train or improve the provider's models — except where the Customer expressly enables a provider, model, or feature governed by different terms in an Order or written configuration.
  • Service improvement is limited to aggregated or de-identified data. Any use of data to improve and develop the Services is limited to aggregated or de-identified data that does not identify the Customer, any Data Subject, or any individual, and that GritFlow does not attempt to re-identify.
  • No automated decision-making by GritFlow. GritFlow does not carry out automated decision-making, including profiling, that produces legal effects concerning a Data Subject or similarly significantly affects a Data Subject, for GritFlow's own purposes. Where the Customer configures the Services in a way that involves such decision-making, the Customer is the Controller of that Processing and remains responsible for it, including for meaningful human oversight, and GritFlow assists the Customer as described in this DPA.

13.1 Service Data; Independent-Controller Processing

Separate from its role as Processor of Customer Personal Data, GritFlow generates and processes Service Data — telemetry, logs, configuration and usage records, and the data GritFlow aggregates or de-identifies from operating the Services. Service Data excludes Customer Data, Customer Personal Data, prompts, files, AI Output content, and the content of Customer Applications, except for limited operational metadata, security and diagnostic logs, and usage records GritFlow generates in operating, securing, supporting, billing for, and improving the Services. If the same data qualifies as Customer Personal Data under Applicable Data Protection Laws, GritFlow Processes it in accordance with this DPA unless and until it has been aggregated or de-identified in accordance with this DPA and applicable law. To the extent Service Data contains personal data, GritFlow Processes it as an independent Controller only for the limited purposes described in this Section and the Privacy Policy. This Section does not permit GritFlow to use Customer Personal Data to train foundation models or general-purpose AI models. GritFlow Processes Service Data solely to operate, secure, support, analyze, bill for, and improve the Services and the GritFlow framework — specifically: maintaining and securing the Services and preventing fraud and abuse; metering, billing, and account administration; capacity, performance, reliability, and support; and analytics and product improvement.

  • Service Data is not Customer Personal Data. The Processor obligations in this DPA (including the instructions, subprocessing, data-subject-assistance, deletion-and-return, audit, and transfer provisions) do not apply to GritFlow's Processing of Service Data. GritFlow's Processing of any personal data within Service Data is governed by the Privacy Policy and by Applicable Data Protection Laws as they apply to a Controller.
  • De-identified and aggregated data stays that way. Where GritFlow maintains Service Data in de-identified or aggregated form, it maintains it in that form, takes reasonable measures to ensure the data cannot be associated with a Customer, Data Subject, or other individual, and does not attempt to re-identify it, consistent with the CCPA/CPRA de-identification standard. Any contractor or service provider GritFlow engages to handle such data is bound to the same commitments.
  • Consistent with no training. GritFlow's Processing of Service Data does not override the no-training commitment above: GritFlow does not use Customer Personal Data to train, fine-tune, or develop foundation or general-purpose models, and the only data used to improve and develop the Services is aggregated or de-identified data that GritFlow does not attempt to re-identify.

14. CCPA/CPRA Service-Provider Terms

Where the CCPA/CPRA applies, GritFlow acts as a Service Provider (or Contractor) and the Customer acts as a Business, and Customer Personal Data is disclosed to GritFlow only for the business purpose of providing the Services. GritFlow:

  • will not sell and will not share (as “sell” and “share” are defined in the CCPA/CPRA) Customer Personal Data, and the parties acknowledge that no monetary or other valuable consideration is exchanged for any such purpose;
  • will not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in this DPA and the Terms, including not retaining, using, or disclosing it for a commercial purpose other than providing the Services, except as the CCPA/CPRA permits;
  • will not retain, use, or disclose Customer Personal Data outside the direct business relationship between GritFlow and the Customer, except as the CCPA/CPRA permits;
  • will not combine Customer Personal Data with personal information it receives from, or on behalf of, another person, or collects from its own interaction with a consumer, except as the CCPA/CPRA permits a Service Provider or Contractor to do; and
  • certifies that it understands the restrictions in this Section and the CCPA/CPRA and will comply with them.

GritFlow will notify the Customer if it determines it can no longer meet its obligations under the CCPA/CPRA, and the Customer may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data. GritFlow's engagement of Subprocessors under Section 6 satisfies the CCPA/CPRA requirements for engaging another service provider or contractor. Nothing in this Section limits GritFlow's Processing of Service Data as an independent Controller under Section 13, which GritFlow handles in a manner consistent with the CCPA/CPRA's standards for de-identified and aggregated data.

15. Liability

Each party's and each party's affiliates' liability arising out of or related to this DPA — whether in contract, tort, or under any other theory of liability — is subject to the limitations and exclusions of liability in the Terms (including Section 19 (Limitation of Liability) of the Terms), and any reference in the Terms or this DPA to a party's liability means the aggregate liability of that party and its affiliates under the Terms and this DPA together.

16. Term and Order of Precedence

This DPA is coterminous with the Terms and the applicable Order(s) and remains in effect for as long as GritFlow Processes Customer Personal Data on the Customer's behalf. Obligations that by their nature should survive termination — including those relating to deletion or return, confidentiality, and audits — survive.

This DPA forms part of, and is incorporated into, the Terms. In the event of any conflict between this DPA and the Terms with respect to the Processing of personal data, this DPA controls. Where the SCCs or UK IDTA apply, they control over this DPA to the extent of any conflict regarding the transfer they govern. For all other matters, the Terms continue to apply.

17. Contact

Questions about this DPA, or requests under it, can be directed to:

GritFlow AI, LLC — Attn: GritFlow AI, LLC (Privacy) · 41 Peabody St, Nashville, TN 37210, United States

Email: privacy@gritflowai.io · Web: gritflowai.io

Annex I — Description of the Processing

This Annex describes the Processing of Customer Personal Data and, where the SCCs or UK IDTA apply, populates their corresponding annex.

  • Parties. Data exporter: the Customer (Controller). Data importer: GritFlow AI, LLC (Processor). Contact details are in Section 17 and the Order.
  • Subject matter of the Processing. GritFlow's provision of the Services to the Customer under the Terms.
  • Duration of the Processing. The term of the applicable Order plus any post-termination export, deletion, backup, and legal-retention period.
  • Nature and purpose of the Processing. Hosting, storage, transmission, retrieval, analysis, AI Output generation, support, security, troubleshooting, backup, deletion, and related processing to provide, secure, and support the Services.
  • Types of personal data. Business contact details, account identifiers, authentication and usage information, Customer-submitted content/prompts/files/records, end-user data processed inside Customer Applications, and any other personal data the Customer submits or configures the Services to process.
  • Special categories of personal data (if any). None, unless expressly authorized in an Order and DPA/security exhibit.
  • Categories of Data Subjects. Customer personnel, Authorized Users, Customer clients, Customer end users, vendors, prospects, and others whose data the Customer submits or processes.
  • Frequency of the transfer. Continuous, for the duration of the Services.

Competent supervisory authority. Not applicable while Processing is US-only; to be identified if GritFlow begins Processing Customer Personal Data subject to the GDPR or UK GDPR.

Annex II — Technical and Organizational Measures

GritFlow implements technical and organizational measures, appropriate to the risk, to protect Customer Personal Data, as described below and summarized in the Security Overview. GritFlow implements these measures where applicable to the relevant environment and as configured for the Customer under the applicable Order or security exhibit; measures described as “available,” “configurable,” or “planned” are not commitments unless included in an Order, this Annex, or a security exhibit. GritFlow may update these measures from time to time so long as the protection of Customer Personal Data is not materially reduced. Where the SCCs or UK IDTA apply, this Annex populates their corresponding annex of technical and organizational measures.

  • Dedicated, isolated, customizable per-customer environment (lead measure). Each Customer is provisioned its own dedicated, isolated environment, with the Customer's Customer Personal Data logically separated from that of other customers. GritFlow can configure and customize that environment's security controls to meet the Customer's enterprise security requirements, and the specific controls for a given environment may be agreed in an Order or a separate security exhibit. This is the foundation of GritFlow's security model, not boilerplate.
  • Encryption of Customer Personal Data in transit and at rest, with managed key handling.
  • Access control and authentication on a least-privilege, need-to-know basis, with role-based authorization, credential and session management, and periodic access reviews.
  • Logging and monitoring of access to, and activity within, the Services, with retention sufficient to support investigation and response.
  • Vulnerability and patch management, with remediation according to risk.
  • Secure software-development lifecycle with code review, testing, and documented change-management governing changes to production.
  • Resilience — backups and disaster-recovery processes designed to support restoration and continuity of the Services.
  • Network and infrastructure security, including the controls of GritFlow's Infrastructure Providers.
  • Personnel with access to Customer Personal Data are subject to confidentiality obligations and security awareness, appropriate to GritFlow's size and operations.
  • Subprocessor governance — Subprocessors are engaged only under written contracts with data-protection and security obligations no less protective than this DPA (Section 6 and Annex III).

Detailed measures available under NDA. GritFlow does not publish its detailed control configurations, network design, or architecture. On request and under an appropriate non-disclosure agreement, GritFlow makes available its detailed technical and organizational measures, an architecture summary, and its responses to standard security questionnaires, to support the Customer's due-diligence and vendor-review process.

Annex III — Subprocessors

GritFlow engages Subprocessors to host, operate, and support the Services, including Third-Party AI Providers and Infrastructure Providers, under the general written authorization in Section 6. The current itemized list of Subprocessors — including the name, role, processing activity, and location of each — is available to the Customer on request (and provided to customers under contract), as described at /legal/subprocessors. That list is the authoritative list for purposes of this DPA. GritFlow keeps it current and notifies customers of changes as described in Section 6.

Data Processing Addendum | GritFlow