Data Processing Agreement
Last updated: March 15, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Griot Data Technologies Ltd (“Processor” or “Griot”) and the entity that has executed a service agreement for the Griot platform (“Controller” or “Customer”). This DPA sets out the terms under which Griot processes Personal Data on behalf of the Customer in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and the Kenya Data Protection Act, 2019.
1. Definitions
- “Controller” means the entity that determines the purposes and means of the Processing of Personal Data and has entered into a service agreement with Griot.
- “Processor” means Griot Data Technologies Ltd, which processes Personal Data on behalf of the Controller.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Personal Data” means any information relating to a Data Subject that is processed by Griot in connection with the provision of the platform services.
- “Processing” means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- “Sub-processor” means any third party engaged by Griot to process Personal Data on behalf of the Controller.
- “Data Protection Laws” means all applicable laws relating to the Processing of Personal Data, including the GDPR, the UK GDPR, the Kenya Data Protection Act 2019, and any applicable national implementing legislation.
- “Standard Contractual Clauses” (“SCCs”) means the contractual clauses approved by the European Commission for international transfers of Personal Data.
2. Scope and Purpose
This DPA applies to all Processing of Personal Data by Griot in connection with the provision of the Griot platform and related services to the Controller.
Griot processes Personal Data solely on documented instructions from the Controller for the following purposes:
- Operating and maintaining the Griot data contract platform
- Providing user authentication and access management
- Processing data contract validation runs and generating reports
- Delivering platform notifications and communications
- Providing technical support and troubleshooting
3. Processing Details
Categories of Data Subjects
- Customer employees and authorized users of the platform
- Customer's end users whose data may be referenced in data contracts or schemas
- Individuals whose contact information is stored in platform configurations
Types of Personal Data
- Account information: names, email addresses, job titles, organization names
- Authentication data: OAuth tokens, session identifiers
- Usage data: platform activity logs, feature usage, timestamps
- Data contract metadata: schema definitions, validation configurations, quality scores
- Communication data: support requests, feedback, and notifications
Nature of Processing
Processing includes collection, storage, organization, retrieval, consultation, use, disclosure by transmission, and erasure of Personal Data as necessary to provide the platform services described in the service agreement.
4. Controller Obligations
The Controller warrants and undertakes that:
- It has a lawful basis for the Processing of Personal Data and has obtained all necessary consents or authorizations from Data Subjects
- Its instructions to Griot comply with all applicable Data Protection Laws
- It has implemented appropriate data minimization practices and only provides Personal Data that is necessary for the platform services
- It will promptly notify Griot of any changes to its Processing instructions or applicable legal requirements
5. Processor Obligations
Griot shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law (in which case Griot will inform the Controller before Processing, unless prohibited by law)
- Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures as described in Section 6
- Assist the Controller in responding to Data Subject requests as described in Section 9
- Assist the Controller in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
- Immediately inform the Controller if, in Griot's opinion, an instruction from the Controller infringes applicable Data Protection Laws
6. Security Measures
Griot implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. These measures include:
Encryption
- Data in transit is encrypted using TLS 1.2 or higher
- Data at rest is encrypted using AES-256 encryption
- Encryption keys are managed through Google Cloud Platform Key Management Service (KMS)
Access Controls
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication for all internal systems
- Regular access reviews and prompt deprovisioning
Infrastructure
- Hosted on Google Cloud Platform with SOC 2 Type II certified infrastructure
- Logical tenant isolation — each customer's data is logically separated
- Automated monitoring and alerting for security events
- Regular vulnerability scanning and penetration testing
7. Sub-processors
The Controller provides general authorization for Griot to engage Sub-processors for the provision of the platform services. Griot currently uses the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure, hosting, and calendar services | United States / EU |
| Resend | Transactional email delivery | United States |
| Odoo | Customer relationship management | Belgium / EU |
Griot will notify the Controller of any intended changes to Sub-processors at least 30 days before the change takes effect. The Controller may object to any new Sub-processor by providing written notice within 14 days of receiving notification. If the Controller objects and the parties cannot reach a resolution, the Controller may terminate the affected services.
Griot ensures that all Sub-processors are bound by data processing agreements that provide at least the same level of data protection as this DPA.
8. International Data Transfers
Personal Data may be transferred to and processed in countries outside the Controller's jurisdiction, including Kenya (where Griot is headquartered) and the United States (where certain Sub-processors operate).
For transfers of Personal Data outside the European Economic Area (EEA) or the United Kingdom, Griot relies on the following safeguards:
- Standard Contractual Clauses (SCCs): As approved by the European Commission (Module 2: Controller to Processor), incorporated into this DPA by reference
- Transfer Impact Assessments: Griot conducts transfer impact assessments for international data transfers and implements supplementary measures where required
- Kenya Data Protection Act: Griot complies with the Kenya Data Protection Act 2019 and regulations issued by the Office of the Data Protection Commissioner
9. Data Subject Rights
Griot will assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws, including:
- Right of access to Personal Data
- Right to rectification of inaccurate data
- Right to erasure (“right to be forgotten”)
- Right to restriction of Processing
- Right to data portability
- Right to object to Processing
Upon receiving a Data Subject request directly, Griot will promptly redirect the request to the Controller, unless legally required to respond directly. Griot will provide reasonable assistance to the Controller in responding to such requests within 10 business days of the Controller's request for assistance.
10. Data Breach Notification
In the event of a Personal Data breach, Griot will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of a confirmed breach
- Provide the Controller with sufficient information to enable the Controller to meet its obligations to report the breach to the relevant supervisory authority and affected Data Subjects
- Take immediate steps to contain, investigate, and remediate the breach
The breach notification will include, to the extent available:
- The nature of the breach, including categories and approximate number of Data Subjects and records concerned
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
- Contact details of Griot's designated point of contact for further information
11. Audits
Griot will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.
The Controller (or its appointed third-party auditor, subject to reasonable confidentiality obligations) may conduct audits of Griot's Processing activities, subject to the following conditions:
- The Controller provides at least 30 days' prior written notice
- Audits are conducted during normal business hours and do not unreasonably disrupt Griot's operations
- The Controller bears the cost of the audit unless the audit reveals material non-compliance by Griot
- Audit frequency is limited to once per year, unless required by a supervisory authority or following a data breach
Where applicable, Griot may satisfy audit requests by providing relevant compliance certifications, audit reports (e.g., SOC 2), or other documentation that demonstrates adherence to this DPA.
12. Data Retention and Deletion
Griot will retain Personal Data only for as long as necessary to provide the platform services or as required by applicable law.
Upon termination or expiry of the service agreement, or upon the Controller's written request, Griot will:
- Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format, or
- Delete all Personal Data (including copies) within 30 days, unless retention is required by applicable law
Griot will provide written certification of deletion upon the Controller's request. Anonymized and aggregated data that cannot be used to identify any Data Subject may be retained after termination.
13. Term and Termination
This DPA takes effect on the date the Controller enters into a service agreement with Griot and remains in effect for the duration of that agreement.
Sections relating to confidentiality, data retention and deletion, audits, and liability survive termination of this DPA for as long as Griot retains any Personal Data on behalf of the Controller.
14. Contact Information
For questions regarding this DPA or to exercise any rights under this agreement, contact us at: