Data Processing Addendum
Last updated: June 22, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between GrailNest (“GrailNest,” “Processor”) and the business customer—such as a store or partner that uses GrailNest to process personal data of its own end users (“Customer,” “Controller”). It reflects the parties’ agreement on the processing of personal data in connection with the Service and applies where data protection laws (including the EU/UK GDPR and the CCPA/CPRA) require it.
1. Roles of the Parties
For personal data that Customer submits to or collects through the Service in its own right, Customer is the Controller and GrailNest is the Processor acting on Customer’s documented instructions. For personal data of GrailNest’s own account holders (for example, the store staff who log in to GrailNest), GrailNest is the Controller and the Privacy Policy, not this DPA, applies.
2. Subject Matter & Details of Processing
| Element | Description |
|---|---|
| Subject matter | Processing necessary to provide the GrailNest Service to Customer. |
| Duration | For the term of the underlying agreement, plus deletion/return per Section 9. |
| Nature & purpose | Hosting, storage, display, alerting, analytics, and related processing to operate the Service. |
| Types of personal data | Identifiers (name, email), profile data, follower/interest signals, drop and waitlist sign-ups, and usage data. |
| Categories of data subjects | Customer’s end users, followers, waitlist subscribers, and store staff. |
3. Processor Obligations
GrailNest will:
- Process personal data only on Customer’s documented instructions, including this DPA, unless required by law (in which case it will notify Customer where permitted);
- Ensure persons authorized to process the data are bound by confidentiality;
- Implement the technical and organizational security measures described in Section 6;
- Assist Customer, taking into account the nature of processing, in responding to data subject requests and in meeting its obligations regarding security, breach notification, and data protection impact assessments;
- Make available information reasonably necessary to demonstrate compliance and allow for audits as set out in Section 8; and
- Not “sell” or “share” personal data (as those terms are defined under the CCPA/CPRA), and not retain, use, or disclose it for any purpose other than performing the Service for Customer.
4. Customer Obligations
Customer warrants that it has a lawful basis to collect and provide the personal data, that its instructions comply with applicable law, and that it has provided all required notices and obtained any required consents from data subjects.
5. Sub-processors
Customer provides general authorization for GrailNest to engage sub-processors to deliver the Service. GrailNest imposes data protection obligations on each sub-processor that are no less protective than this DPA and remains liable for their performance. GrailNest will give notice of intended changes to its sub-processor list and allow Customer a reasonable opportunity to object on legitimate data-protection grounds. Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud hosting provider | Application and database hosting | United States |
| S3-compatible object storage | Storage of uploaded images and media | United States |
| Transactional email provider (e.g., Mailgun / Postmark / SES) | Account, alert, and transactional email delivery | United States / EU |
| Payment processor (e.g., Stripe) | Subscription billing and payments | United States |
| Product analytics (e.g., Plausible / PostHog) | Usage analytics | EU / United States |
| Error monitoring (e.g., Sentry) | Application error and performance monitoring | United States |
The table above reflects GrailNest’s current configuration; where a row names alternatives (“e.g.”), the provider actually in use at a given time is one of those named. Changes to this list are subject to the notice and objection process described above.
6. Security Measures
- Encryption of data in transit (TLS); passwords stored at rest only as one-way hashes, never in recoverable form;
- Role-based access controls and least-privilege access to production systems;
- Network and application controls, including restricted administrative endpoints;
- Logging and monitoring of access and errors;
- Regular dependency and security updates; and
- Backups with restoration procedures.
7. Personal Data Breach
GrailNest will notify Customer without undue delay—and in any event within 72 hours where feasible—after becoming aware of a personal data breach affecting Customer’s personal data, and will provide information reasonably necessary for Customer to meet its own notification obligations.
8. Audits
GrailNest will make available information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, no more than once per year (or following a breach), on reasonable prior notice and subject to confidentiality, and conducted so as to minimize disruption.
9. Return & Deletion of Data
Upon termination of the Service, and at Customer’s choice, GrailNest will delete or return Customer’s personal data and delete existing copies, unless retention is required by law. Backups are deleted in the ordinary course of GrailNest’s backup rotation.
10. International Transfers
Where the processing involves transfers of EEA/UK personal data to a country without an adequacy decision, the parties agree that the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) are incorporated into this DPA by reference and apply to such transfers.
11. Liability & Precedence
Each party’s liability under this DPA is subject to the limitations of liability in the underlying agreement. In the event of a conflict between this DPA and the agreement regarding the processing of personal data, this DPA prevails.
12. Contact
To raise a data-processing matter or request a signed copy of this DPA, contact privacy@grailnest.com.
GrailNest, [LEGAL ENTITY NAME], [REGISTERED ADDRESS].