Data Processing Addendum

When you use the Cloud product, you are the controller of the personal data you upload or generate (account members, organization records, audit logs scoped to your organization), and GrantLock is the processor acting on your documented instructions. For marketing-site signups and Free Binary downloads, GrantLock is the controller of the data you submit directly to us; the privacy policy at /privacy applies.

We use a small set of subprocessors to operate the service. The current list, with regions and DPA links, is at /subprocessors. Customers under a counter-signed DPA are notified before a new subprocessor begins processing their data.

Personnel authorized to access customer personal data are bound by confidentiality obligations.

We implement the technical and organizational measures described on /security. Material changes that reduce the security posture are disclosed in advance.

If you receive a data-subject access, correction, deletion, portability, or objection request that requires action on data we process for you, we will assist you in fulfilling it. If a data subject contacts us directly, we will refer them back to you unless we are legally required to respond.

We will notify you without undue delay of a confirmed personal-data breach affecting your data, including a description of the nature of the breach, categories and approximate number of data subjects affected, measures taken or proposed, and contact details for follow-up.

Our subprocessors are primarily based in the United States. For transfers of EU/EEA, UK, or Swiss personal data to the U.S., we rely on the EU Standard Contractual Clauses (and the UK Addendum where applicable), or on the EU-U.S. Data Privacy Framework where the relevant subprocessor is certified. The DPA we counter-sign incorporates the SCCs by reference.

On reasonable advance written request and no more than once per year (more frequently if required by a regulator), we will provide the information necessary to demonstrate compliance with this addendum, including responses to a security questionnaire and (when available) third-party audit reports.

On termination of the service, we delete or return customer personal data within 30 days unless retention is required by law. Backups are purged on the next backup-rotation cycle (no longer than 90 days).

We do not currently sign HIPAA Business Associate Agreements or PCI-DSS service-provider attestations. If your use case requires one, mention it in the request and we'll discuss timing.

Send a note to hello@grantlock.ai (subject: “DPA request”) with your legal entity name, the GrantLock tier you intend to use (Free Binary or Cloud), and any specific addenda required (SCCs, UK Addendum, EU-U.S. DPF). Turnaround is typically 1–2 business days.