Data Processing Agreement v1.0
GDPR Article 28 processor agreement between gr0.ai and Customer.
Last updated: May 15, 2026
01 Parties + scope
This Data Processing Agreement ("DPA") supplements the gr0.ai Terms of Service and applies whenever gr0.ai processes personal data on behalf of you, the Customer, in connection with the Services.
Customer is the "controller" and gr0.ai is the "processor" for the personal data Customer provides or authorizes gr0.ai to access (e.g. CRM records pulled via OAuth integration, agent inputs containing end-user data).
DPA version: v1.0. Newer versions are notified to Customer at least 30 days before they take effect; continued use of the Services constitutes acceptance of the updated DPA.
02 Nature + purpose of processing
- Operate the agent platform, including LLM calls + tool execution
- Provide observability, billing, audit trail
- Detect and prevent abuse (per Customer's configured policies)
- Comply with legal obligations
03 Categories of data + data subjects
Depending on Customer's use of the Services, processed data may include:
- Customer end-user records (contacts, leads, accounts) pulled via integrations
- Customer employee identifiers (members of the workspace)
- Agent input/output (prompts, responses, artifacts)
- Usage telemetry (LLM tokens, tool calls, error events)
gr0.ai does not use Customer's personal data to train public AI models.
04 Subprocessors
gr0.ai engages the subprocessors listed at /subprocessors. Customer is deemed to authorize all subprocessors on the list as of the date of this DPA. New subprocessors are notified in writing 30 days in advance; Customer may object within that window per the Right of Objection section below.
05 Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256-GCM)
- OAuth tokens envelope-encrypted with per-organization KEK derived from a master KEK held in environment configuration
- Postgres row-level security policies enforce per-tenant isolation
- Audit log records every staff action against Customer data (read, modify, impersonation start/end)
- Annual third-party penetration test (starting 2026 Q3)
- Quarterly retention purge per documented per-table TTL
06 Customer rights
- Right of access — Customer may request a JSON + CSV export of all data we hold (GDPR Article 20). Self-serve at /dashboard/account.
- Right of erasure — Customer may request hard deletion within 30 days (GDPR Article 17). Self-serve at /dashboard/account.
- Right of objection to subprocessors — within 30 days of notification.
- Audit rights — annual SOC 2 report shared on request to existing customers under NDA; on-site audit available for enterprise tier.
07 Data breach notification
gr0.ai will notify Customer of any Personal Data Breach (as defined by GDPR Article 33) without undue delay and in any event within 72 hours of becoming aware of it. Notification will include the nature of the breach, categories and approximate number of data subjects, likely consequences, and the measures taken or proposed to address it.
08 International transfers
For transfers of personal data from the EEA, UK, or Switzerland to a third country without an adequacy decision, gr0.ai relies on the EU Standard Contractual Clauses (Decision 2021/914) incorporated by reference. UK transfers additionally rely on the UK International Data Transfer Addendum.
09 Term + termination
This DPA continues for as long as gr0.ai processes Customer personal data. Upon termination of the underlying agreement, gr0.ai will, at Customer's choice, return or delete all personal data within 90 days unless retention is required by applicable law.
10 Acceptance
By clicking "Accept DPA v1.0" inside the dashboard at /dashboard/account, Customer's authorized representative binds the Customer to this DPA. The acceptance is recorded with timestamp, IP address, user agent, and Clerk user ID in the audit log.
Questions about this policy?
Contact us at [email protected] or write to gr0.ai, 100 Pine Street, Suite 1250, San Francisco, CA 94111.