Data Processing Agreement
Effective: April 13, 2026
GDPR Article 28 Compliant. This Data Processing Agreement ("DPA") governs the processing of personal data by Gryffi on behalf of customers who use our platform. When a customer accepts our Terms of Service, this DPA is automatically incorporated into them and applies to all personal data processed through the Gryffi platform.
No paperwork required. This DPA applies automatically to all Gryffi customers. You do not need to sign a separate document. If your organization requires a countersigned copy, contact us at info@gryffi.com.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meaning given in the Terms of Service or in the GDPR.
- "Agreement" means the Terms of Service and this DPA, together forming the complete agreement between the parties.
- "Controller" means the Customer (the organization that has registered for a Gryffi account), which determines the purposes and means of the processing of personal data.
- "Data Protection Law" means Regulation (EU) 2016/679 (the GDPR) and any other applicable data protection legislation in the EU/EEA.
- "Data Subject" means a natural person whose personal data is processed (e.g., makers, end users).
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Gryffi on behalf of the Controller through the platform.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
- "Processor" means Gryffi, which processes personal data on behalf of the Controller.
- "Sub-processor" means a third party engaged by Gryffi to carry out specific processing activities on behalf of the Controller.
2. Scope and Roles
2.1 Roles of the Parties
The Customer acts as the Controller of the personal data. Gryffi acts as the Processor, processing personal data on behalf of the Controller solely for the purpose of providing the Gryffi platform as described in the Agreement.
2.2 Scope of Processing
This DPA applies to all personal data that Gryffi processes on behalf of the Controller through the Gryffi platform. The details of processing are described in Annex 1 of this DPA.
2.3 Gryffi as Controller
Gryffi acts as an independent Controller for certain limited processing activities, including:
- Account administration and authentication of makers
- Billing and subscription management
- Website analytics (anonymized, via self-hosted Umami)
- Service communications (system notifications, security alerts)
These processing activities are governed by our Privacy Policy.
3. Obligations of Gryffi as Processor
Gryffi shall:
- Process personal data only on documented instructions from the Controller, including as set out in this DPA and the Agreement, unless required to do so by applicable law. In such a case, Gryffi shall inform the Controller of that legal requirement before processing, unless prohibited by law.
- Inform the Controller immediately if, in Gryffi's opinion, an instruction from the Controller infringes Data Protection Law.
- Ensure that all persons authorized to process personal data are bound by confidentiality obligations, whether contractual or statutory.
- Implement and maintain appropriate technical and organizational security measures as described in Annex 2 and in accordance with Article 32 of the GDPR.
- Comply with the conditions for engaging Sub-processors as set out in Section 7 of this DPA.
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to Data Subject requests.
- Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Gryffi.
- At the Controller's choice, delete or return all personal data after the end of the provision of services, as described in Section 10.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and the GDPR, and allow for and contribute to audits as described in Section 9.
4. Obligations of the Controller
The Controller shall:
- Ensure that all instructions to Gryffi regarding the processing of personal data comply with Data Protection Law.
- Ensure the accuracy, quality, and lawfulness of personal data provided to or collected through the Gryffi platform.
- Provide all required notices to Data Subjects and obtain all necessary consents or establish another lawful basis for the processing.
- Be responsible for responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) and for assessing the legal basis and compliance requirements of such requests.
5. Data Subject Rights
5.1 Controller Responsibility
The Controller is responsible for responding to requests from Data Subjects to exercise their rights under Data Protection Law.
5.2 Assistance by Gryffi
Gryffi shall, taking into account the nature of the processing, provide the Controller with reasonable assistance to enable the Controller to respond to Data Subject requests. This includes providing self-service tools within the platform (such as data export, user management, and account deletion features) and, upon written request, additional technical assistance where the platform tools are insufficient.
5.3 Requests Received by Gryffi
If Gryffi receives a Data Subject request directly, Gryffi will promptly redirect the request to the Controller and will not respond to the Data Subject without the Controller's prior authorization, unless required by applicable law.
6. Security
6.1 Security Measures
Gryffi shall implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are described in Annex 2 and on our Security page.
6.2 Updates to Security Measures
Gryffi may update its security measures from time to time to reflect changes in technology, threats, and best practices, provided that such updates do not materially decrease the overall level of security of the processing.
7. Sub-processors
7.1 General Authorization
The Controller provides Gryffi with general written authorization to engage Sub-processors for the purpose of providing the Gryffi platform, subject to the conditions in this Section 7.
7.2 Current Sub-processors
The Controller acknowledges and approves the Sub-processors listed in Annex 3 of this DPA.
7.3 Notification of Changes
Gryffi shall inform the Controller of any intended additions or replacements of Sub-processors with reasonable advance notice. This notice will be provided via email to the organization's admin contact and by updating the Sub-processor list on this page.
7.4 Right to Object
The Controller may object in writing to the appointment of a new Sub-processor within thirty (30) calendar days of receiving notice, provided that such objection is based on reasonable grounds relating to Data Protection Law. If the Controller does not object within this period, the new Sub-processor is deemed approved.
If the Controller raises a reasonable objection, the parties shall consult in good faith to find a mutually acceptable resolution. If no resolution is reached, either party may terminate the affected services by providing thirty (30) days' written notice.
7.5 Sub-processor Obligations
Gryffi shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those set out in this DPA. Gryffi remains fully liable to the Controller for the performance of each Sub-processor's obligations.
8. Personal Data Breach
8.1 Notification
Gryffi shall notify the Controller of a Personal Data Breach without undue delay and in any event within 48 hours after becoming aware of the breach.
8.2 Notification Content
The notification shall include, to the extent available:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and personal data records concerned
- The name and contact details of the Gryffi contact point for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects
Where not all information is available at the time of initial notification, it shall be provided in phases as it becomes available.
8.3 Assistance
Gryffi shall provide the Controller with reasonable assistance in complying with its obligations under Articles 33 and 34 of the GDPR (notification to supervisory authorities and Data Subjects), taking into account the nature of the processing and the information available to Gryffi.
8.4 No Acknowledgment of Fault
Gryffi's notification of a Personal Data Breach shall not be construed as an acknowledgment of fault or liability.
9. Audits
9.1 Information and Documentation
Upon the Controller's written request, Gryffi shall make available all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR. This includes security documentation, certifications, and audit reports (where available), provided within thirty (30) calendar days of the request.
9.2 On-site Audits
If the Controller cannot reasonably verify compliance through the documentation provided under Section 9.1, the Controller may conduct or commission an audit, subject to the following conditions:
- The Controller shall provide at least sixty (60) calendar days' prior written notice
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Gryffi's operations
- The auditor shall be bound by confidentiality obligations and shall not be a direct competitor of Gryffi
- Audits are limited to one (1) per calendar year, unless required by a supervisory authority or triggered by a Personal Data Breach
- The costs of the audit shall be borne by the Controller, unless the audit reveals material non-compliance by Gryffi, in which case Gryffi shall bear the costs
- Audit findings shall be treated as Gryffi's confidential information
9.3 Remediation
If an audit reveals any non-compliance with this DPA, Gryffi shall remedy the deficiencies at its own expense within a reasonable period agreed upon by the parties.
10. Return and Deletion of Data
10.1 During the Agreement
The Controller may export its data at any time using the self-service data export feature available in the Gryffi platform (System Settings → Data Export).
10.2 Upon Termination
Upon termination of the Agreement, the Controller shall have thirty (30) days to export its data. After this period, Gryffi shall delete all personal data processed on behalf of the Controller from its systems, including backup systems, within a reasonable timeframe, unless retention is required by applicable law.
10.3 Certification
Upon the Controller's written request, Gryffi shall certify in writing that all personal data has been deleted in accordance with this Section 10.
11. International Data Transfers
11.1 EU Data Residency
All personal data processed by Gryffi is stored within the European Union. Our servers, databases, backups, and AI processing infrastructure are located in Germany and France.
11.2 Customer-Initiated Integrations
If the Controller chooses to enable a directory sync with Microsoft 365 or Google Workspace, read-only API requests are made to these providers' global infrastructure. The data retrieved is stored exclusively on Gryffi's EU servers. Both Microsoft and Google have adopted Standard Contractual Clauses (SCCs) for international data transfers. For further details, see our Privacy Policy, Sections 6 and 12.
11.3 Controllers Outside the EU/EEA
If the Controller is established outside the EU/EEA, the parties agree that the Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914), Module 4 (Processor to Controller), shall apply to any transfer of personal data from Gryffi to the Controller, completed as follows:
- The "data exporter" is Gryffi and the "data importer" is the Controller
- The optional docking clause in Clause 7 is implemented
- The governing law in Clause 17 is the law of the Netherlands
- The courts in Clause 18(b) are the courts of Amsterdam, the Netherlands
- Annex I corresponds to Annex 1 and Annex II corresponds to Annex 2 of this DPA
12. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that nothing in the Agreement limits either party's liability for breaches of Data Protection Law to the extent such limitation is prohibited by applicable law.
13. Term and Termination
13.1 Term
This DPA enters into force on the date the Controller accepts the Agreement and remains in effect for the duration of the Agreement. Where Gryffi processes personal data on behalf of the Controller, this DPA continues to apply until all personal data has been deleted or returned.
13.2 Survival
Provisions of this DPA that by their nature should survive termination (including Sections 8, 9, 10, 11, and 12) shall remain in effect after termination of the Agreement.
14. Miscellaneous
14.1 Governing Law
This DPA is governed by the laws of the Netherlands, without regard to conflict of law principles.
14.2 Conflict
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.
14.3 Amendments
Gryffi may update this DPA to reflect changes in Data Protection Law, our processing activities, or best practices. Material changes will be communicated with at least thirty (30) days' notice. Continued use of the platform after such notice constitutes acceptance of the updated DPA.
Annex 1 — Details of Processing
A. List of Parties
| Role | Party |
|---|---|
| Controller | The Customer (organization registered on the Gryffi platform) |
| Processor | Gryffi, Jhr. Van Sypesteynlaan 7, 1231XL Loosdrecht, The Netherlands. KvK: 80453783. Contact: info@gryffi.com |
B. Description of Processing
| Element | Details |
|---|---|
| Subject matter | Providing the Gryffi platform for creating and delivering interactive journeys, training, and onboarding experiences |
| Duration | For the duration of the Agreement, plus any retention period described in this DPA |
| Nature and purpose | Hosting, storing, organizing, and making available the Controller's data through the platform; sending transactional emails on behalf of the Controller; AI-powered responses to end user questions; generating analytics and reports; synchronizing user directories (if enabled by the Controller) |
| Categories of Data Subjects | |
| Categories of personal data | |
| Special categories of data | None intentionally processed. The Controller is responsible for ensuring that no special categories of data (Article 9 GDPR) are submitted through forms or content uploads unless the Controller has a valid legal basis. |
Annex 2 — Technical and Organizational Measures
Gryffi implements the following security measures. For full details, see our Security page.
| Category | Measures |
|---|---|
| Encryption in transit | TLS 1.2+ on all connections; HTTPS enforced; HSTS enabled |
| Encryption at rest | Database encryption; encrypted backups (stored in Germany) |
| Authentication | Passwords hashed with bcrypt; tokens hashed with SHA-256; optional two-factor authentication; magic links for end users (no passwords stored) |
| Authorization | Role-based access control (admin, manager, editor, viewer); strict organization-level data isolation |
| Session security | HttpOnly, Secure, SameSite=Lax cookies; automatic session expiry; brute-force protection with temporary lockout |
| Network security | Firewall with restricted ports; no direct database access from the internet; security headers via Helmet.js (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) |
| Backup & recovery | Daily automated backups; encrypted at rest; stored separately from primary infrastructure (Frankfurt, Germany); retention per subscription tier |
| Monitoring | Application-level logging; error tracking; automated alerts |
| Data minimization | Only necessary data collected; cookieless analytics (self-hosted Umami); no payment data stored by Gryffi; automated cleanup of expired sessions and old event data |
| Access management | Least-privilege principle; separated development and production environments |
| Incident response | Documented incident response procedure; 72-hour supervisory authority notification timeline; internal breach register |
Annex 3 — Sub-processors
Gryffi uses the following Sub-processors. All core Sub-processors are based in the European Union.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting, servers, storage, backups | Germany (EU) |
| Mistral AI | AI processing (Guides, translations, embeddings) | France (EU) |
| Nuntly | Transactional email delivery (invitations, magic links, notifications) | EU |
| Creem (Armitage Labs OÜ) | Payment processing (Merchant of Record) | Estonia (EU) |
Self-hosted services (running on Gryffi's own Hetzner infrastructure in Germany, no third-party data access):
- Umami — Privacy-friendly website analytics (cookieless, no personal data collected)
- Unstructured API — Document parsing for AI knowledge bases
This list was last updated on April 13, 2026.
15. Contact
For questions about this DPA, data protection inquiries, or to request a countersigned copy:
- Email: info@gryffi.com
Gryffi
Jhr. Van Sypesteynlaan 7
1231XL Loosdrecht
The Netherlands
KvK: 80453783 · VAT: NL003440983B28
Related documents: Privacy Policy · Terms of Service · Security