Last updated: 16 June 2026
This Data Processing Addendum ("DPA") forms part of the Terms and Conditions (the "Agreement") between you ("Customer", "you") and Grobot Technologies LLC ("Handshake", "we", "us"). It governs our processing of personal data on your behalf when we provide the Services. If there is any conflict between this DPA and the rest of the Agreement on the subject of data protection, this DPA prevails.
Capitalized terms not defined here have the meaning given in the Agreement.
For Customer Personal Data, you are the Controller and we are the Processor. Where you are yourself a Processor acting for a third party (for example, a Partner acting for its own client), you appoint us as your Sub-processor, and you warrant that you have the authority and instructions of the relevant Controller to do so. Under the CCPA, we act as your Service Provider.
We process your account, billing, and platform-usage data as a Controller for our own legitimate business purposes, as described in our Privacy Policy; that processing is not governed by this DPA.
We will process Customer Personal Data only:
You are responsible for the accuracy, quality, and legality of Customer Personal Data and for ensuring you have a lawful basis and all necessary consents and notices for its processing through the Services (see Section 10 of the Terms). You warrant that your instructions will not cause us to breach Data Protection Laws. If we believe an instruction breaches Data Protection Laws, we will notify you.
We will ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and access it only as needed to provide the Services.
We will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the nature of the processing, and the risks involved. A summary of these measures is set out in Annex B. We may update our measures from time to time provided they do not materially reduce the overall level of protection.
You provide a general authorization for us to engage Sub-processors to process Customer Personal Data. A current list of Sub-processors is available on request and, where published, at the link referenced in Annex C.
We will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for each Sub-processor's performance as if it were our own. We will give you reasonable notice of any intended addition or replacement of a Sub-processor and a fair opportunity to object on reasonable data-protection grounds. If we cannot reasonably resolve your objection, you may terminate the affected Services as your sole remedy.
Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as reasonably possible, to respond to requests from Data Subjects exercising their rights under Data Protection Laws. If we receive such a request directly, we will not respond except on your instructions or as legally required, and will direct the Data Subject to you where appropriate.
We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to us to help you meet your notification obligations. Taking into account the nature of processing and the information available to us, we will provide reasonable assistance with your data protection impact assessments and prior consultations with supervisory authorities.
On termination of the Services, we will, at your choice, delete or return Customer Personal Data within a reasonable period, and delete existing copies unless applicable law requires storage. Where practicable, the Services provide a window to export Customer Data before deletion. We may retain Customer Personal Data to the extent and for the period required by law, subject to the protections of this DPA.
We will make available to you information reasonably necessary to demonstrate compliance with this DPA. To satisfy audit rights under Data Protection Laws, we may provide up-to-date third-party certifications, audit reports, or a written response to a reasonable security questionnaire. Any on-site audit must be at your expense, on reasonable prior notice, no more than once per year (except where required by a supervisory authority or following a Personal Data Breach), during business hours, and subject to confidentiality.
You authorize us to transfer Customer Personal Data outside its country of origin, including to the United States, as necessary to provide the Services. Where Customer Personal Data originating in the EEA, the UK, or Switzerland is transferred to a country without an adequacy decision, the SCCs (and the UK IDTA where applicable) are incorporated into this DPA by reference and apply to that transfer, with the relevant modules and options completed to reflect the controller-to-processor (or processor-to-sub-processor) relationship described in this DPA.
When acting as your Service Provider, we will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than performing the Services or as otherwise permitted by the CCPA; or (c) combine it with personal information from other sources except as permitted by the CCPA. We certify that we understand and will comply with these restrictions.
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
This DPA takes effect when you accept the Agreement and continues until we have ceased all processing of Customer Personal Data. Provisions that by their nature should survive termination will survive.
A current list of Sub-processors (such as cloud hosting, the LinkedIn/email integration provider, AI model providers, email delivery, and payment processing) is available on request and, where published, at the Sub-processor link on our website. We will keep this list current and notify Customers of changes in accordance with Section 6.
Questions about this DPA:
Grobot Technologies LLC
30 N Gould St, Ste R, Sheridan, WY 82801, United States
Email: support@gro.bot