GRIN Technologies Inc.
Data Processing Addendum

(Last updated April 15, 2024)

This Data Processing Addendum including all schedules and annexes (“DPA”) forms part of the GRIN Subscription Services Agreement (“Agreement”) between GRIN Technologies Inc. (“Vendor”) and Customer. Except as modified below, the terms of the Agreement shall remain in full force and effect.

Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and its Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing the Services to Customer pursuant to the Agreement, Vendor may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

    1. Definitions. Capitalized terms not defined shall have the meaning given in the Agreement. In this DPA, the following terms (and derivations of such terms) have the following meanings:
      1. “Applicable Privacy Laws” means all international, federal, national, and state privacy and data protection laws and regulations applicable to the Processing of Personal Data that is the subject matter of the Agreement.
      2. “CCPA” means the California Consumer Privacy Act of 2018 and related regulations and amendments, as further amended from time to time.
      3. “Controller,” “Data Subject,” “Processor,” and “Processing” have the meanings set forth in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions in the European Data Protection Laws shall apply.
      4. “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce, as may be amended, superseded, or replaced.
      5. “Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as may be amended, superseded or replaced.
      6. “Business” and “Third Party” have the definitions set forth in the CCPA.
      7. “Data Subject Rights” means those rights identified in the Applicable Privacy Laws.
      8. “EEA” means the European Economic Area.
      9. “European Data Protection Laws” means the laws of the European Union or any member state of the European Union to which the Customer or Vendor is subject, the EEA, the United Kingdom, or Switzerland which relate to the protection of Personal Data.
      10. “EU GDPR” means the General Data Protection Regulation ((EU) 2016/679).
      11. “EU Standard Contractual Clauses” means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority.
      12. “Creator” means an individual who has accepted Vendor’s Terms of Use and has an active Creator account and login credentials for access to the Platform.
      13. “Personal Data” means any data related to an identified or identifiable natural person.
      14. “Public Authority” means a government agency or law enforcement authority, including judicial authorities.
      15. “Customer Data” means any Personal Data for which Customer is a Controller or Processor on behalf of another Controller, which is provided by Customer (directly or indirectly) to Vendor in connection with the Agreement and/or which may be processed by Vendor as a Processor on behalf of Customer or Customer’s Controller client, and which includes Personal Data relating to:
        1. Customer’s employees, contractors, representatives, agents and consultants (and those of Customer’s Affiliates); and
        2. Customer’s clients.
      16. “Supervisory Authority” means the relevant supervisory authority in the territories where the parties to this Agreement are established or have legal representatives for the purposes of compliance with Applicable Privacy Laws.
      17. “Customer Data Incident” means the accidental, unauthorized or unlawful Processing, destruction, loss, alteration, damage, corruption, disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Vendor.
      18. “Sub-Processor” means an entity engaged by a Processor or any further sub-contractor to Process Personal Data on behalf of and under the instructions of a Controller, including any applicable “Service Provider” as the term is defined in the CCPA.
      19. “Swiss DPA” means the Swiss Federal Data Protection Act and its Ordinance.
      20. “UK Data Protection Laws” means the EU GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) Regulations 2019 (“UK GDPR”), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom.
      21. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.
      22. “Vendor Data” means any Personal Data for which Vendor is a Controller which is provided (directly or indirectly) by Vendor to Customer in connection with Vendor’s provision of the Services to Customer and which includes Personal Data relating to:
        • Vendor’s Influencer Data Subjects. For clarity, an Influencer Data Subject of Vendor and an Influencer who provides the Services to Customer may be the same individual and, in such case, each party is deemed a “Controller” of the Personal Data of such Influencer.
        • Creators who use the Grin Platform and were not invited by Customer.
    2. Relationship and Obligations of the Parties. 
      1. Each party will comply with all Applicable Privacy Laws regarding the Processing of Personal Data disclosed or transferred by the other party during the Term of the Agreement.
      2. Where Customer provides Vendor with Customer Data, Vendor shall process such data as a Processor and Service Provider. Vendor shall at all times: 
        • Process the Customer Data only for the purpose of providing the Services to Customer under the Agreement(s) and in accordance with this DPA and Customer’s documented instructions.

        Vendor shall not: 

        1. sell (as defined in the CCPA), assign, lease, commercially exploit (or allow to be exploited), or otherwise dispose of or make available the Customer Data to any third parties (except Sub-Processors); or
        2. retain, use, or disclose the Customer Data for a commercial purpose other than providing the Services, except where authorized by Applicable Privacy Laws (e.g., 11 CCR § 7050(a)(3)-(5)).
      3. Where Customer processes Vendor Data pursuant to the Agreement, Vendor is a Controller and Business and Customer is an independent Controller and Third Party and such Processing may constitute a sale under Applicable Privacy Laws (e.g., the CCPA).
      4. Customer, as a Controller or Processor shall, in its use of the Services, Process Personal Data in accordance with the requirements of Applicable Privacy Laws, including any applicable requirement to provide notice to Data Subjects of the use of Vendor as a Processor (including, where the Customer is a Processor, by ensuring that the ultimate Controller does so). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Applicable Privacy Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted out from sales or other disclosures of Personal Data to the extent applicable under Applicable Privacy Laws.
    3. Confidentiality of Processing
      1. When engaging in Processing, each party shall ensure that any person it authorizes to Process Personal Data (including staff, agents and subcontractors) shall be subject to a duty of confidentiality (whether contractual duty or statutory) and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality.
    4. Security
      1. Vendor shall implement training and appropriate technical and organizational measures intended to protect the Customer Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Customer Data. At a minimum, such measures to be taken by Vendor shall include the security measures identified in Annex II. 
      2. Vendor uses an external auditor to verify the adequacy of its security measures and controls for the Services. The audit is conducted annually by an independent third-party in accordance with AICPA SOC2 standards and results in the generation of a SOC2 report (“Audit Report”) which is Vendor’s confidential information. Upon written request, Vendor shall provide Customer with a copy of the Audit Report subject to the confidentiality obligations of the Agreement or a non-disclosure agreement covering the Audit Report. 
    5. Sub-Processors 
      1. Customer authorizes Vendor to continue to use and disclose Customer Data to Sub-Processors currently engaged by Vendor in the context of providing Vendor Services as set forth in Annex III to this DPA.
      2. When acting as a Processor on behalf of Customer, Vendor shall not subcontract any Vendor’s Processing of the Customer Data to a third party Sub-Processor unless:
        • Such Sub-Processor is subject to an agreement with Vendor which contains similar data protection terms as those provided for by this DPA;
        • Vendor maintains control over all of the Customer Data it entrusts to Sub-Processor; and
        • Vendor provides to Customer at least thirty (30) days’ prior notice of the addition or replacement of such Sub-Processor (including the details of the Processing it performs or will perform, and the location of such Processing).
      3. Customer shall notify Vendor within ten (10) business days after receipt of Vendor’s notice, if it objects to the addition or replacement of a Sub-Processor. Customer’s objection should be sent to [email protected] and should explain the reasonable grounds for the objection. If Customer objects to Vendor’s appointment of a third party Sub-Processor on reasonable grounds relating to the protection of the Customer Data, and Vendor is unable to adequately address the reasonable grounds, then Vendor will either not appoint the Sub-Processor, or Customer may elect to suspend or terminate the Agreement (including this DPA) without penalty and Vendor shall promptly refund to Customer a pro-rata portion of any pre-paid fees for the remainder of the Term.
      4. Vendor shall be liable for the acts and omissions of its Sub-Processors to the same extent Vendor would be liable if performing the Services of each Sub-Processor directly under the terms of this DPA, unless otherwise set forth in the Agreement.
    6. Cooperation and Data Subject Rights
      1. Each party is responsible for responding to Data Subject requests relating to Personal Data for which they are the Controller.
      2. Where Vendor acts as a Processor on behalf of Customer: 
        • Vendor shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute, or request it has received from a Data Subject. Vendor shall not respond to a Data Subject request itself, except that Customer authorizes Vendor to redirect the Data Subject request as necessary to allow Customer to respond directly.
        • Taking into account the nature of the Processing, Vendor shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject request under Applicable Privacy Laws.
        • To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject request, Vendor shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject request, to the extent Vendor is legally permitted to do so and the response to such Data Subject request is required under Applicable Privacy Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Vendor’s provision of such assistance.
    7. Liability
      1. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Affiliates and Vendor, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
      2. For the avoidance of doubt, Vendor and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Affiliate that is a contractual party to any such DPA. 
    8. Data Protection Impact Assessments and Transfer Impact Assessments
      1. Upon Customer’s request, Vendor shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under Applicable Privacy Laws to carry out a data protection impact assessment and/or transfer impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Vendor.
    9. Transfers
      1. To the extent that Vendor receives Personal Data in the United States subject to the European Data Protection Laws (“European Data”):
        • If European Data Protection Laws require that appropriate safeguards are put in place (for example, if the Data Privacy Framework does not cover the transfer to Vendor and/or the Data Privacy Framework is invalidated, or an adequacy decision does not cover the territory where Personal Data will be transferred), the EU Standard Contractual Clauses will be incorporated by reference and form part of the DPA as further detailed in Schedule A.
    10. Data Security Incidents
      1. Vendor maintains security incident management policies and procedures and shall notify Customer within 48 hours after becoming aware of a Customer Data Incident related to Personal Data Processed by Vendor or its Sub-Processors.
      2. Vendor shall make reasonable efforts to identify the cause of such Customer Data Incident and take such steps as Vendor deems necessary and reasonable to remediate the cause of such a Customer Data Incident to the extent the remediation is within Vendor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
    11. Government Access Requests
      1. As a Processor, Vendor shall maintain appropriate measures to protect Customer Data in accordance with the requirements of Applicable Privacy Laws, including by implementing appropriate technical and organizational safeguards to protect Personal Data against any interference that goes beyond what is necessary in a democratic society to safeguard national security, defense, and public security. 
      2. If Vendor receives a legally binding request to access Personal Data from a Public Authority, Vendor shall, unless otherwise legally prohibited, promptly notify Customer including a summary of the nature of the request. To the extent Vendor is prohibited by law from providing such notification, Vendor shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Vendor to communicate as much information as possible, as soon as possible. Further, Vendor shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful. Vendor shall pursue possibilities of appeal. When challenging a request, Vendor shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. Vendor agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. 
      3. Vendor shall promptly notify Customer if Vendor becomes aware of any direct access by a Public Authority to Personal Data and provide information available to Vendor in this respect, to the extent permitted by law. 
      4. For the avoidance of doubt, this DPA shall not require Vendor to pursue action or inaction that could result in civil or criminal penalty for Vendor, such as contempt of court.
    12. Deletion or Return of Data
      1. Upon termination or expiry of the Agreement, Vendor shall (at Customer’s election) securely delete, destroy (and certify to Customer that it has done so) or return all Customer Data, in its possession or control which it Processes on behalf of Customer. This requirement shall not apply to the extent that Vendor is required by Applicable Privacy Laws or other applicable laws to retain some or all of the Customer Data, in which event Vendor shall notify Customer of that retention requirement and isolate and protect the Customer Data concerned from any further Processing except to the extent required by such law. Until the Customer Data is deleted or returned, Vendor shall continue to ensure compliance with this DPA in relation to such Customer Data.
    13. Miscellaneous
      1. The obligations placed upon either party under this DPA shall survive so long as either party Processes Personal Data subject to this DPA.
      2. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
      3. In the case of conflict or ambiguity between:
        • any provision contained in the body of this DPA and any provision contained in the Schedules or Annexes, the provision in the body of this DPA will prevail; and
        • any of the provisions of this DPA and any incorporated EU Standard Contractual Clauses, the provisions of the EU Standard Contractual Clauses will prevail.
      4. If any provision of this DPA is deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible; or (ii) if that is not possible, then construed in a manner as if the invalid or unenforceable part had never been included herein.

SCHEDULE A 

TRANSFERS

For transfers of Personal Data from the European Union, EEA, United Kingdom, and Switzerland, the following provisions apply.

The EU Standard Contractual Clauses are incorporated by reference into and form a part of the DPA, with the following specifications:

  • Role of parties:
    • Module 1: Vendor is the data exporter and Customer is the data importer. 
    • Module 2: Customer is the data exporter and Vendor is the data importer.
    • Module 3: Customer is the data exporter and Vendor is the data importer.
  • For Modules 2 and 3, in Clause 9, Option 2 applies and changes to “Sub-Processors will be notified in accordance with the ‘Sub-Processors’ section of this DPA”;
  • Clause 7 is excluded;
  • in Clause 11, the optional language is deleted; 
  • in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the EU Standard Contractual Clauses will be the laws and forum of the member state where the data exporter is established or where its GDPR Article 27 representative resides (without reference to conflicts of law principles); 
  • the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; 
  • the supervisory authority that will act as competent supervisory authority will be determined in accordance with EU GDPR; 
  • if and to the extent the EU Standard Contractual Clauses conflict with any provision of this DPA the EU Standard Contractual Clauses will prevail to the extent of such conflict.

Where Personal Data subject to the UK GDPR is transferred, the EU Standard Contractual Clauses will apply in accordance with the appropriate module above and the following modifications. 

    1. The EU Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the DPA;
    2. Tables 1 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA, Table 2 is completed per this Schedule A, and Table 4 will be deemed completed by selecting “neither party”; and
    3. any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

Where Personal Data subject to the Swiss DPA is transferred, the EU Standard Contractual Clauses will apply in accordance with the appropriate modules above and the following modifications. 

    1. References to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA. 
    2. References to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law.
    3. References to the “competent supervisory authority” and “competent courts” will be replaced with the “Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.

ANNEX I TO THE STANDARD CONTRACTUAL CLAUSES

    1. LIST OF PARTIES
      1. Importer for Purposes of Module 1, Exporter for purposes of Modules 2 & 3
        Name: Customer Name
        Address: Address listed in the Agreement
        Contact person’s name, position and contact details: Listed in the Agreement
        Activities relevant to the data transferred under these Clauses: Use of Vendor’s Services
        Signature and date: Incorporated into Agreement
        Role (controller/processor): Controller or Processor depending on the appropriate Module of the EU Standard Contractual Clauses
    2. DESCRIPTION OF TRANSFER

MODULE ONE:
Categories of data subjects whose personal data is transferred
1.  Grin’s creator users and prospective creators

MODULE TWO: Transfer controller to processor:
Categories of data subjects whose personal data is transferred

1.  Customer’s clients under a written services agreement, who are designated by Customer to use the Services under the Agreement.
2.  Potential Influencers

Categories of personal data transferred (Module 1)

Identification and contact data (name, title, address, phone number, email address, social media handles)

No sensitive data will be processed.

Categories of personal data transferred (Modules 2 & 3)
Identification and contact data (name, title, address, phone number, email address, social media handles)

No sensitive data will be transferred.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Transfers will be continuous during the term of the Agreement

Nature of the processing

Module One: Vendor will provide access to its database of potential creators.

Modules Two & Three: Vendor will provide services to the Customer in accordance with Customer’s documented instructions, including processing.

Purpose(s) of the data transfer and further processing
To enable Vendor to provide the Services to Customer under the terms of the Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Module One: Data retained until no longer needed, in accordance with Customer’s data retention and minimization policies.

Modules Two & Three: until instructed by the Customer to remove or until the Agreement or the DPA has been terminated.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Same as above

ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Grin is committed to maintaining the security of its Customers’ information. Grin has completed a Service Organization Controls 2 (SOC 2) audit with a 3rd-party evaluator BARR Advisory certified by The American Institute of CPAs (AICPA). Grin represents and warrants that it will continue to maintain its certified SOC 2 status.

Annual Security Review
Grin completes an annual security review.

Hosting and Physical Security
Grin servers are hosted on AWS. As such, Grin inherits the control environment which Amazon maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.

You can read further about AWS here:
aws.amazon.com/security/

Isolation of Services
Grin servers run in Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server Processes are restricted to a particular directory and do not have access to the local filesystem.

Network Security
Grin services are accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Grin uses only strong encryption algorithms with a key length of at least 128 bits.

All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.

Grin servers are only accessible through HTTPS and deny access to other ports, except that SSH access (protected by TLS and private key authentication) is enabled for administration. Administrative access is granted only to select employees of Grin, based on role and business need.

Access to databases used in the Grin service is over an encrypted link (TLS).

Authentication
Clients log in to Grin using a password which is known only to them, and only over secure (HTTPS) connections. Clients are required to have reasonably strong passwords. Passwords are not stored in plaintext; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party.

Development Process
Grin developers have been trained in secure coding practices. Grin application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Grin application uses industry standard, high-strength algorithms including AES and bcrypt. Periodic security tests are conducted, including using scanning and fuzzing tools to check for vulnerabilities.

Employee Screening and Policies
As a condition of employment all Grin employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.

Security Issues
At Grin, we consider the security of our systems a top priority. We have implemented a responsible disclosure policy to ensure that problems are addressed quickly and safely.

ANNEX III TO THE STANDARD CONTRACTUAL CLAUSES

Vendor publishes a list of its then-current Sub-Processors at:  https://grin.co//legalsubprocessors (“Sub-Processor List”). 


© Grin Technologies Inc. 2024. All rights reserved.
