Data Processing Agreement

Effective date: 2026-05-11 · Last updated: 2026-05-11

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between the customer (“Customer”, “Controller”) and Łukasz Zapolski, a sole proprietor (jednoosobowa działalność gospodarcza) registered in the Polish CEIDG, trading under the business name Łukasz Zapolski, with principal place of business at Karola Łoniewskiego 9, 05-830 Kajetany, Poland, NIP 5342588163 (“Grounded”, “Processor”).

This DPA reflects the parties’ agreement on the processing of Personal Data carried out by Grounded on behalf of the Customer in connection with the Service, in accordance with Article 28 of Regulation (EU) 2016/679 (the “GDPR”) and, where applicable, the United Kingdom Data Protection Act 2018 and the Swiss Federal Act on Data Protection (“FADP”).

By accepting the Agreement, the Customer accepts this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorised Affiliates.

1. Definitions

Capitalised terms not defined here have the meaning given in the Agreement or the GDPR. For clarity:

  • Authorised Affiliate — any entity that controls, is controlled by, or is under common control with the Customer.
  • Customer Personal Data — Personal Data that Grounded processes on behalf of the Customer in providing the Service.
  • Data Protection Laws — the GDPR, the UK GDPR, the Swiss FADP, the Polish Personal Data Protection Act of 10 May 2018, and any other applicable laws on the protection of personal data.
  • Data Subject Request — a request from a Data Subject to exercise rights under Articles 15-22 GDPR.
  • SCCs — the Standard Contractual Clauses adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021.
  • Sub-processor — any third party engaged by Grounded to process Customer Personal Data.

2. Roles and scope

  1. For Customer Personal Data, the Customer is the Controller and Grounded is the Processor. Where the Customer acts as a processor for a third party, Grounded is a sub-processor.
  2. For data relating to the Customer’s own personnel (e.g. login credentials, billing contact), Grounded is an independent controller under its Privacy Policy; this DPA does not apply to that data.
  3. Annex 1 sets out the subject matter, nature, purpose, duration, categories of Data Subjects and Personal Data.

3. Processing instructions

  1. Grounded will process Customer Personal Data only on the Customer’s documented instructions, including with regard to transfers to third countries, except where required by Union or Member State law to which Grounded is subject. In that case, Grounded will inform the Customer of that legal requirement before processing, unless that law prohibits such notice on important grounds of public interest.
  2. The Customer’s use of the Service, including configuration choices, constitutes its documented instructions.
  3. Grounded will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.

4. Confidentiality

Grounded ensures that any personnel authorised to process Customer Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.

5. Security of processing

  1. Grounded implements appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk, as set out in Annex 3.
  2. The Customer is responsible for assessing whether the TOMs meet the Customer’s requirements, including any obligations under Article 32 GDPR.

6. Sub-processors

  1. The Customer authorises Grounded to engage the Sub-processors listed in Annex 2, and any future Sub-processors notified in advance.
  2. Grounded will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, in accordance with Article 28(4) GDPR.
  3. Grounded will give the Customer at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor. The Customer may object in writing on reasonable data-protection grounds within 14 days of notice. The parties will work in good faith to resolve the objection; if no resolution is possible, the Customer may terminate the relevant portion of the Service for which Grounded cannot provide an alternative, with a pro-rata refund of pre-paid fees for the unused remainder of the subscription term.
  4. Grounded remains fully liable to the Customer for the performance of each Sub-processor’s obligations.

7. Data Subject Requests

Taking into account the nature of the processing, Grounded will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to Data Subject Requests. The Service includes self-service tools (e.g. conversation deletion, data export) that the Customer can use to respond to such requests. If a Data Subject contacts Grounded directly with a request, Grounded will forward it to the Customer without undue delay and will not respond except as required by law.

8. Personal data breach notification

Grounded will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer Personal Data. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Grounded will provide updates as further information becomes available.

9. Assistance with DPIAs and consultations

Taking into account the nature of the processing and the information available, Grounded will provide reasonable assistance to the Customer for data protection impact assessments (Article 35 GDPR) and prior consultations with supervisory authorities (Article 36 GDPR).

10. International transfers

  1. Where Grounded transfers Customer Personal Data from the EEA, UK or Switzerland to a country that has not received an adequacy decision, the transfer is governed by the SCCs, which are incorporated by reference into this DPA, with the following selections:
    • Module 2 (Controller to Processor) where the Customer is a controller.
    • Module 3 (Processor to Processor) where the Customer is a processor.
    • Clause 7 (Docking Clause) applies.
    • Clause 9: Option 2 (General authorisation) with the 30-day notice period in section 6.3 above.
    • Clause 11(a): the optional language is not included.
    • Clause 17 (Option 1): Polish law governs.
    • Clause 18(b): Polish courts have jurisdiction.
    • Annexes I, II and III correspond to Annexes 1, 3 and 2 of this DPA.
  2. For transfers from the UK, the parties incorporate the UK International Data Transfer Addendum to the SCCs (Version B1.0). For transfers from Switzerland, references to the GDPR are read as references to the Swiss FADP and references to EU supervisory authorities are read as references to the Swiss FDPIC.
  3. Where a Sub-processor is certified under the EU-US Data Privacy Framework or other valid transfer mechanism, the parties may rely on that mechanism as an alternative to the SCCs.

11. Audit rights

  1. Grounded will make available to the Customer all information necessary to demonstrate compliance with this DPA and Article 28 GDPR.
  2. On the Customer’s written request, no more than once per year and not during a Personal Data breach response, Grounded will respond to a reasonable written security questionnaire.
  3. If a written response is not sufficient to demonstrate compliance, the Customer may, at its own expense and subject to reasonable confidentiality and timing safeguards, conduct an on-site or remote audit through an independent third-party auditor mutually agreed by the parties. Audits must not unreasonably interfere with Grounded’s operations or compromise the confidentiality of other customers’ data.
  4. Grounded may charge a reasonable fee, based on the time reasonably spent, for audit requests that are manifestly unfounded or excessive or that go beyond the scope of sections 11.2 and 11.3.

12. Return and deletion of Customer Personal Data

On termination of the Agreement, the Customer may request export of Customer Personal Data within 30 days. After that period, Grounded will delete or return all Customer Personal Data in accordance with the retention schedule in the Privacy Policy, except to the extent Grounded is required to retain it under Union or Member State law (e.g. tax, accounting). Such retained data remains subject to the confidentiality and security obligations in this DPA.

13. Liability

Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability in the Agreement, except where such limitation is prohibited by mandatory law.

14. Term and termination

This DPA takes effect on the Effective Date and remains in force for as long as Grounded processes Customer Personal Data under the Agreement, plus any retention period required by applicable law.

15. Governing law

This DPA is governed by the laws of Poland. The Polish common courts have exclusive jurisdiction, except as provided in the SCCs for matters within their scope.

16. Order of precedence

In the event of any conflict between this DPA, the SCCs and the Agreement, the following order of precedence applies: (i) the SCCs (for cross-border transfers); (ii) this DPA; (iii) the Agreement.

17. Contact

  • Data protection contact: privacy@grounded.sh
  • Postal: Łukasz Zapolski, Karola Łoniewskiego 9, 05-830 Kajetany, Poland

Annex 1 — Description of processing

A. List of parties

  • Data exporter: the Customer identified in the Agreement. Role: Controller (or Processor where the Customer acts on behalf of a third-party Controller).
  • Data importer: Łukasz Zapolski, trading as Łukasz Zapolski, Poland. Role: Processor (or Sub-processor as applicable).

B. Subject matter and duration

Provision of the Grounded Service to the Customer, including hosting, processing and serving chatbot conversations on the Customer’s behalf. Duration: for the term of the Agreement plus any retention period required by applicable law.

C. Nature and purpose of processing

  • Storing customer-uploaded knowledge sources (documents, URLs).
  • Generating text embeddings and indexing for retrieval.
  • Processing end-user chat messages, retrieving relevant chunks, generating grounded responses using LLM and reranking providers.
  • Storing conversation history, citations, feedback and memory facts.
  • Routing escalations to human support (handoffs).
  • Providing analytics and observability to the Customer.

D. Categories of Data Subjects

  • End users of the Customer’s chatbot (visitors, customers).
  • The Customer’s personnel using the dashboard (administrators).

E. Categories of Personal Data

  • Identifiers: visitor_id (random), session_id, IP address (in logs), email (if provided by end users to the chatbot or in handoff forms).
  • Communications: text of chat messages and bot responses, attached metadata.
  • Memory: facts inferred from past conversations per visitor_id, where the feature is enabled by the Customer.
  • Free-form content: any Personal Data contained in documents the Customer uploads as knowledge sources, and in messages end users send to the bot.

F. Special categories of data

The Service is not designed to process special categories of Personal Data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR). The Customer should not upload such data unless it has implemented additional safeguards required by Article 9. Grounded does not warrant the suitability of the Service for such processing.

G. Frequency of transfer

Continuous, on-demand, for the duration of the Agreement.

H. Retention period

As set out in the Privacy Policy: conversations up to 1 year by default; memory facts indefinitely until deleted; backups 30 days; logs up to 90 days.

Annex 2 — Sub-processors

Grounded engages the following Sub-processors to process Customer Personal Data. References to entities below are to the current operating entities; the list will be updated as part of the notice mechanism in section 6.3.

Sub-processor | Purpose | Location | Transfer mechanism
Supabase Inc. | Managed PostgreSQL, authentication, file storage | EU (Frankfurt) primary | N/A (EU)
Vercel Inc. | Application hosting and edge functions | EU primary + global edge | SCCs where applicable
OpenAI, L.L.C. | LLM inference and embeddings | USA | SCCs + DPF
Cohere Inc. | Document reranking | USA / Canada | SCCs + adequacy (Canada)
Stripe Payments Europe, Ltd. | Payment processing | Ireland (EU) and USA | SCCs
Resend, Inc. | Transactional email | EU / USA | SCCs
Finto Technologies GmbH (Langfuse) | LLM observability and tracing | EU (Germany) | N/A (EU)
Firecrawl, Inc. | Crawling customer-supplied URLs | USA | SCCs
Upstash, Inc. | Redis (rate limiting, cache) | EU | N/A (EU)
Functional Software, Inc. (Sentry) | Error monitoring | EU (Germany) | N/A (EU)

Annex 3 — Technical and organisational measures (TOMs)

1. Pseudonymisation and encryption

  • TLS 1.2+ in transit for all customer-facing endpoints.
  • Encryption at rest for primary databases and backups (AES-256).
  • API keys are hashed at rest; raw key material is shown to the customer only on creation.
  • Passwords are stored hashed (managed by Supabase Auth, bcrypt).
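The two key-handling measures above (API keys hashed at rest, raw key shown once) are illustrated by the following added example. It is not Grounded's own code and the key layout it uses ("gr_" prefix, 8-character key id, secret part) is an assumption made for the example; the DPA does not document the real format.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed key layout for this example: "<prefix><key_id>_<secret>".
# Grounded's actual key format is not documented in the DPA.
KEY_PREFIX = "gr_"
KEY_ID_LEN = 8  # hex chars of non-secret key id, kept in clear for lookup


def _digest(raw_key: str) -> bytes:
    # A single SHA-256 is adequate here because the secret part carries
    # 256 bits of CSPRNG entropy; bcrypt/argon2 are for low-entropy
    # passwords, where deliberately slow hashing limits guessing. A fast
    # hash also keeps lookups cheap.
    return hashlib.sha256(raw_key.encode("utf-8")).digest()


def parse_key_id(raw_key: str) -> Optional[str]:
    """Extract the non-secret key id from a presented key, or None if malformed."""
    if not raw_key.startswith(KEY_PREFIX):
        return None
    key_id, sep, secret = raw_key[len(KEY_PREFIX):].partition("_")
    if sep != "_" or len(key_id) != KEY_ID_LEN or not secret:
        return None
    return key_id


@dataclass
class StoredKey:
    key_id: str      # safe to log and to show in the dashboard
    key_hash: bytes  # SHA-256 of the full presented key; the secret itself is never stored
    org_id: str
    revoked: bool = False


@dataclass
class KeyStore:
    """In-memory stand-in for the database table that holds hashed keys."""
    rows: Dict[str, StoredKey] = field(default_factory=dict)

    def issue(self, org_id: str) -> str:
        key_id = secrets.token_hex(KEY_ID_LEN // 2)
        secret = secrets.token_urlsafe(32)  # 256 bits of randomness
        raw_key = f"{KEY_PREFIX}{key_id}_{secret}"
        self.rows[key_id] = StoredKey(key_id, _digest(raw_key), org_id)
        # The only moment the raw key exists server-side: the caller shows it
        # to the customer once and then discards it.
        return raw_key

    def verify(self, raw_key: str) -> Optional[str]:
        """Return the org_id the key belongs to, or None if invalid or revoked."""
        key_id = parse_key_id(raw_key)
        row = self.rows.get(key_id) if key_id else None
        if row is None or row.revoked:
            return None
        # Constant-time comparison of the two digests so response timing does
        # not reveal how many leading bytes of the stored hash matched.
        if not hmac.compare_digest(row.key_hash, _digest(raw_key)):
            return None
        return row.org_id

    def revoke(self, key_id: str) -> bool:
        row = self.rows.get(key_id)
        if row is None:
            return False
        row.revoked = True
        return True
```

A database dump of `KeyStore.rows` yields key ids and digests only; an attacker who obtains it still cannot present a valid key. Keeping the key id in clear avoids hashing every stored row on each request, and the constant-time digest comparison means a mismatch takes the same time regardless of where the first differing byte lies.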

2. Ongoing confidentiality, integrity, availability, resilience

  • Role-based access control with least-privilege principles.
  • Row-level security policies in the database, scoped by organisation.
  • Rate limiting at the application and edge layer.
  • Centralised logging and error monitoring with retention limits.
  • Multi-region replication and managed failover via Supabase and Vercel.
  • Prompt-injection sanitisation and citation verification to reduce the risk of unintended data disclosure through model outputs.

3. Restoring availability after an incident

  • Automated database backups with point-in-time recovery (30 days).
  • Documented incident response procedure including triage, containment, root cause analysis and customer notification.

4. Regular testing, assessment and evaluation

  • Dependency scanning and security patching.
  • Periodic review of access controls and audit logs.
  • Review of this DPA and TOMs at least annually.

5. User access controls

  • Customer accounts are scoped to organisations; members have role-based permissions (owner, admin, member).
  • Invitations require an email-verified acceptance.
  • Sessions can be revoked centrally.

6. Data minimisation

  • The Service collects only data necessary to operate the chatbot and provide the related features.
  • The Customer controls retention windows for conversations and may delete data on demand.
  • Memory features are opt-in and can be disabled per chatbot.

7. Vendor management

  • All Sub-processors are bound by written DPAs that impose obligations no less protective than this DPA.
  • Sub-processors are reviewed on engagement and material change.