Draft — pending legal review. This document describes Field-Logic Ltd's intended practices but has not yet been signed off by counsel. It is not binding until that review is complete and this banner is removed. Questions: legal@grith.ai.

Data Processing Agreement

DPA template for Team and Enterprise customers whose use of grith involves processing personal data on behalf of data subjects.

Last updated:

1. Purpose and structure

This Data Processing Agreement ("DPA") applies when Field-Logic Ltd ("Processor") processes personal data on behalf of a Customer ("Controller") as part of providing the grith Team or Enterprise service.

It supplements the Terms of Service and forms part of the agreement between Field-Logic and the Customer. Where a Customer requires a counter-signed copy on Field-Logic letterhead, email legal@grith.ai with your company details. For most customers, agreement to these Terms and an active paid subscription incorporates this DPA by reference.

2. Definitions

Capitalised terms not defined here have the meaning given to them in the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, including "personal data", "processing", "data subject", "controller", "processor", and "personal data breach".

Where the Customer is established in the EEA, references to UK GDPR are read as also covering EU GDPR (Regulation (EU) 2016/679).

3. Scope of processing

Field-Logic processes personal data only as necessary to provide the Service to the Customer and on the Customer's documented instructions, which include these Terms, the Privacy Policy, and any in-product configuration the Customer sets (for example, retention settings or sub-processor opt-outs).

The Annex below describes the nature, purpose, duration, categories of personal data, and categories of data subjects.

4. Field-Logic's obligations

Field-Logic will:

  • process personal data only on the Customer's documented instructions, including with regard to transfers outside the UK / EEA;
  • ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations;
  • implement and maintain appropriate technical and organisational measures (see section 8);
  • assist the Controller, taking into account the nature of processing, in fulfilling its obligations to respond to data-subject requests, conduct data-protection impact assessments, and consult the supervisory authority where required;
  • at the Customer's choice, delete or return all personal data after the end of the Service, subject to legal retention requirements (see section 10);
  • make available to the Customer the information necessary to demonstrate compliance with this DPA and contribute to audits as described in section 11.

5. Sub-processors

The Customer authorises Field-Logic to engage sub-processors for the processing described in the Annex. The current list is published in section 4 of the Privacy Policy.

Field-Logic will notify the Customer (by email to the primary billing contact and by updating the Privacy Policy) at least 30 days before engaging a new sub-processor that materially changes how personal data is handled. The Customer may object on reasonable data-protection grounds within that 30-day window; if the objection cannot be resolved, the Customer may terminate the affected portion of the Service for cause.

Field-Logic remains responsible for sub-processors' compliance with this DPA and imposes equivalent data-protection terms on each.

6. International transfers

Where Field-Logic transfers personal data outside the UK / EEA in the course of providing the Service (for example to GitHub's US infrastructure for OAuth, or to Polar's US sub-processors), the transfer is covered either by an adequacy decision or by the UK International Data Transfer Addendum incorporating the EU Standard Contractual Clauses (Module 2 — Controller to Processor). Field-Logic completes a transfer impact assessment before relying on supplementary measures.

7. Data-subject requests

If Field-Logic receives a request from a data subject relating to personal data processed on the Customer's behalf, Field-Logic will:

  • not respond to the request directly except to acknowledge receipt and to redirect the data subject to the Customer;
  • notify the Customer within five business days;
  • where the Customer requires assistance, provide reasonable cooperation including the supply of relevant data exports.

8. Security

Field-Logic maintains technical and organisational measures appropriate to the risk, including:

  • TLS in transit for all public endpoints;
  • encryption at rest for stored secret material (provider keys, signing keys, password vault entries);
  • logical access controls; least-privilege role-based access on production systems;
  • audit logging on production database access;
  • regular dependency scanning (Dependabot, gitleaks, cargo-audit / cargo-deny) and remediation;
  • secure development lifecycle including code review, static analysis, and security testing prior to release;
  • incident-response procedures and tested backups.

Field-Logic reviews these measures at least annually and updates them as risks evolve.

9. Personal-data breach notification

Field-Logic will notify the Customer's primary contact without undue delay, and in any event within 72 hours, of becoming aware of a personal-data breach affecting personal data processed on the Customer's behalf. The notification will include, to the extent then known, the nature of the breach, categories and approximate numbers of data subjects and records concerned, likely consequences, and measures taken or proposed.

10. Return and deletion

On termination of the Service, the Customer may within 30 days request export of all personal data processed on its behalf in a structured, commonly-used, machine-readable format. After that 30-day window (or sooner if the Customer instructs), Field-Logic will delete personal data from production systems and instruct sub-processors to do the same, save where retention is required by law.

11. Audits

Field-Logic will, on the Customer's reasonable written request and no more than once per calendar year (except where required by a supervisory authority), make available to the Customer information necessary to demonstrate compliance with this DPA. Field-Logic may satisfy this obligation by providing relevant SOC 2 / ISO 27001 reports or equivalent third-party assurance once such audits are in place; until then, Field-Logic will respond to reasonable written questionnaires.

12. Term and termination

This DPA takes effect when the Customer accepts the Terms of Service or starts using the Service, whichever is earlier, and continues for as long as Field-Logic processes personal data on the Customer's behalf. Sections 7 (data-subject rights), 9 (breach), 10 (return / deletion), and 11 (audits) survive termination for as long as is necessary to complete the relevant obligations.

13. Liability and order of precedence

The liability provisions in the Terms of Service apply to this DPA. In the event of a conflict between this DPA and the Terms of Service in relation to personal-data processing, this DPA prevails.

Annex — Description of processing

A.1 Subject-matter and duration

The subject-matter is the provision of the grith Service to the Customer. The duration is the term of the Customer's subscription, plus the export / deletion period described in section 10.

A.2 Nature and purpose

Hosting, transmission, storage, audit-pipeline aggregation, and team-level reporting of personal data submitted by the Customer or the Customer's users in the course of using the grith Service.

A.3 Categories of personal data

  • account-holder identifiers (email, name, GitHub username, avatar URL);
  • authentication tokens and session metadata;
  • encrypted LLM provider API keys (Field-Logic cannot decrypt);
  • condensed audit-pipeline records (tool-call types, decisions, scores, timestamps — not the underlying payloads);
  • billing identifiers (Polar subscription ID, status, billing email);
  • support-correspondence content when initiated by the Customer or its users.

A.4 Categories of data subjects

  • the Customer's personnel who hold grith accounts;
  • the Customer's end users who interact with AI agents supervised by grith on the Customer's systems.

A.5 Sub-processors

The current list, including processing region and purpose, is published at grith.ai/privacy#sub-processors and forms part of this Annex.

Contact

For DPA enquiries, counter-signed copies, or supervisory-authority correspondence, email legal@grith.ai.

© 2026 grith. All rights reserved.

Product names and logos are trademarks of their respective owners. Their use indicates compatibility, not endorsement.