Data Processing Addendum

Last updated: 16 June 2026

This Data Processing Addendum ("DPA") forms part of the Terms and Conditions (the "Agreement") between you ("Customer", "you") and Grobot Technologies LLC ("Handshake", "we", "us"). It governs our processing of personal data on your behalf when we provide the Services. If there is any conflict between this DPA and the rest of the Agreement on the subject of data protection, this DPA prevails.

1. Definitions

  • "Data Protection Laws" means all laws and regulations applicable to the processing of personal data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("EU GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and other US state privacy laws, in each case as applicable.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach" have the meanings given in the EU GDPR (and the equivalent terms, such as "business", "service provider", and "consumer", under the CCPA).
  • "Customer Personal Data" means Personal Data contained in Customer Data that we process on your behalf to provide the Services.
  • "Sub-processor" means any third party engaged by us to process Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for transfers of Personal Data to third countries, and, for the UK, the UK International Data Transfer Addendum ("UK IDTA").

Capitalized terms not defined here have the meaning given in the Agreement.

2. Roles of the parties

For Customer Personal Data, you are the Controller and we are the Processor. Where you are yourself a Processor acting for a third party (for example, a Partner acting for its own client), you appoint us as your Sub-processor, and you warrant that you have the authority and instructions of the relevant Controller to do so. Under the CCPA, we act as your Service Provider.

We process your account, billing, and platform-usage data as a Controller for our own legitimate business purposes, as described in our Privacy Policy; that processing is not governed by this DPA.

3. Scope and instructions

We will process Customer Personal Data only:

  • (a) to provide, secure, and maintain the Services in accordance with the Agreement;
  • (b) in accordance with your documented lawful instructions, including those given through the Services and this DPA; and
  • (c) as required by applicable law, in which case we will inform you of that legal requirement before processing unless the law prohibits it.

You are responsible for the accuracy, quality, and legality of Customer Personal Data and for ensuring you have a lawful basis and all necessary consents and notices for its processing through the Services (see Section 10 of the Terms). You warrant that your instructions will not cause us to breach Data Protection Laws. If we believe an instruction breaches Data Protection Laws, we will notify you.

4. Confidentiality

We will ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and access it only as needed to provide the Services.

5. Security

We will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the nature of the processing, and the risks involved. A summary of these measures is set out in Annex B. We may update our measures from time to time provided they do not materially reduce the overall level of protection.

6. Sub-processors

You provide a general authorization for us to engage Sub-processors to process Customer Personal Data. A current list of Sub-processors is available on request and, where published, at the link referenced in Annex C.

We will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for each Sub-processor's performance as if it were our own. We will give you reasonable notice of any intended addition or replacement of a Sub-processor and a fair opportunity to object on reasonable data-protection grounds. If we cannot reasonably resolve your objection, you may terminate the affected Services as your sole remedy.

7. Data subject requests

Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as reasonably possible, to respond to requests from Data Subjects exercising their rights under Data Protection Laws. If we receive such a request directly, we will not respond except on your instructions or as legally required, and will direct the Data Subject to you where appropriate.

8. Assistance, breach notification, and DPIAs

We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to us to help you meet your notification obligations. Taking into account the nature of processing and the information available to us, we will provide reasonable assistance with your data protection impact assessments and prior consultations with supervisory authorities.

9. Deletion or return

On termination of the Services, we will, at your choice, delete or return Customer Personal Data within a reasonable period, and delete existing copies unless applicable law requires storage. Where practicable, the Services provide a window to export Customer Data before deletion. We may retain Customer Personal Data to the extent and for the period required by law, subject to the protections of this DPA.

10. Audits

We will make available to you information reasonably necessary to demonstrate compliance with this DPA. To satisfy audit rights under Data Protection Laws, we may provide up-to-date third-party certifications, audit reports, or a written response to a reasonable security questionnaire. Any on-site audit must be at your expense, on reasonable prior notice, no more than once per year (except where required by a supervisory authority or following a Personal Data Breach), during business hours, and subject to confidentiality.

11. International transfers

You authorize us to transfer Customer Personal Data outside its country of origin, including to the United States, as necessary to provide the Services. Where Customer Personal Data originating in the EEA, the UK, or Switzerland is transferred to a country without an adequacy decision, the SCCs (and the UK IDTA where applicable) are incorporated into this DPA by reference and apply to that transfer, with the relevant modules and options completed to reflect the controller-to-processor (or processor-to-sub-processor) relationship described in this DPA.

12. CCPA

When acting as your Service Provider, we will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than performing the Services or as otherwise permitted by the CCPA; or (c) combine it with personal information from other sources except as permitted by the CCPA. We certify that we understand and will comply with these restrictions.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

14. Term

This DPA takes effect when you accept the Agreement and continues until we have ceased all processing of Customer Personal Data. Provisions that by their nature should survive termination will survive.

Annex A - Details of processing

  • Subject matter: provision of the Handshake outreach-automation Services.
  • Duration: for the term of the Agreement and until deletion or return under Section 9.
  • Nature and purpose: hosting, storage, organization, retrieval, transmission, automated outreach (connection requests and messaging), AI-assisted drafting and personalization, analytics necessary to provide the Services, and related operations.
  • Categories of Data Subjects: the Customer's representatives and users; End Contacts targeted or contacted through the Services (for example, prospects and business contacts).
  • Types of Personal Data: name, job title, employer, professional and contact details (including business email and public profile data), message and conversation content, engagement and scheduling data, and other data the Customer chooses to upload or generate.
  • Special category data: not intended; the Customer must not upload special-category data except as expressly agreed.

Annex B - Technical and organizational security measures

  • Encryption of Personal Data in transit (TLS) and at rest.
  • Access controls on a least-privilege, need-to-know basis, with authentication and role-based authorization.
  • Logical separation of customer data and tenant-scoped access controls.
  • Network protections, monitoring, and logging.
  • Secure software development practices and regular review of dependencies.
  • Vetting of, and contractual data-protection obligations on, Sub-processors and service providers.
  • Personnel confidentiality obligations and security awareness.
  • Backup, resilience, and incident-response procedures, including Personal Data Breach handling.

Annex C - Sub-processors

A current list of Sub-processors (such as cloud hosting, the LinkedIn/email integration provider, AI model providers, email delivery, and payment processing) is available on request and, where published, at the Sub-processor link on our website. We will keep this list current and notify Customers of changes in accordance with Section 6.

Questions about this DPA:

Grobot Technologies LLC

30 N Gould St, Ste R, Sheridan, WY 82801, United States

Email: support@gro.bot