Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement ("Agreement") between:

  • (a) the entity or individual using Grasp to collect or manage feedback ("Customer" or "Controller"), and
  • (b) Grasp ("Processor", "we", "us", or "our").

This DPA governs the processing of Personal Data that the Customer submits or makes available to Grasp when using the Services. This DPA is effective from the date the Customer first uses the Services.

1. Definitions

1.1 "Personal Data" has the meaning given in the applicable Data Protection Laws and includes any information relating to an identified or identifiable natural person.

1.2 "Customer Data" means Personal Data that the Customer submits to or collects through the Services, for which the Customer is the Data Controller.

1.3 "Data Protection Laws" means all applicable privacy and data protection laws, including the EU GDPR, the UK GDPR, and the Swiss Federal Data Protection Act.

1.4 "Subprocessor" means any third party engaged by Grasp that processes Personal Data on behalf of the Customer.

1.5 "Services" means the products and services provided by Grasp under the Agreement.

2. Roles of the Parties

2.1 Customer acts as the Data Controller with respect to Customer Data.

2.2 Grasp acts as the Data Processor and will process Customer Data solely on behalf of the Customer and in accordance with this DPA, the Agreement, and Customer's documented instructions.

3. Customer Responsibilities

3.1 Customer shall ensure that its use of the Services and its instructions to Grasp comply with Data Protection Laws.

3.2 Customer is responsible for determining the lawful basis for processing Customer Data and for providing all required notices and obtaining all necessary consents from data subjects.

3.3 Customer is responsible for responding to data subject requests relating to Customer Data.

4. Processor Obligations

4.1 Processing on Instructions

Grasp will process Customer Data only on documented instructions from the Customer, unless required to do otherwise by law.

4.2 Confidentiality

Grasp will ensure that persons authorized to process Customer Data are subject to confidentiality obligations.

4.3 Security

Grasp will implement appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by Article 32 GDPR.

4.4 Subprocessors

  • (a) Customer provides a general written authorization for Grasp to engage Subprocessors to process Personal Data.
  • (b) Grasp will maintain an up-to-date list of Subprocessors at https://grasp.is/subprocessors.
  • (c) Grasp will post updates to the Subprocessor list before the new Subprocessor begins processing Personal Data. Customer is responsible for monitoring such updates.
  • (d) Customer may object to a new Subprocessor on reasonable and material data protection grounds within ten (10) days of the update being posted.
  • (e) If Customer raises a reasonable objection, the parties will work in good faith to find an alternative. If no alternative is available, Customer may terminate the affected Services as its sole and exclusive remedy.

4.5 Assistance to Customer

Grasp will provide reasonable assistance to Customer in fulfilling its obligations under Data Protection Laws, including:

  • (a) responding to data subject requests;
  • (b) notifying supervisory authorities or data subjects of data breaches;
  • (c) carrying out data protection impact assessments;
  • (d) consultations with supervisory authorities.

4.6 Deletion or Return of Data

Upon termination of the Services, Grasp will delete or return all Customer Data within a reasonable period, except where retention is required by law. Aggregated or anonymized data may be retained.

5. Data Breach Notification

5.1 Grasp will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data.

5.2 Such notification will include, where possible, the nature of the breach, likely consequences, and measures taken or proposed to address it.

6. International Data Transfers

6.1 When transferring Personal Data outside the EEA, Switzerland, or the UK, Grasp will ensure appropriate safeguards are in place, such as:

  • (a) the European Commission's Standard Contractual Clauses ("SCCs");
  • (b) the UK International Data Transfer Addendum; or
  • (c) another lawful transfer mechanism.

6.2 Customer authorizes Grasp to use such safeguards for international transfers.

7. Audit Rights

7.1 Upon written request, Grasp will provide Customer with all information reasonably necessary to demonstrate compliance with this DPA, including relevant policies, summaries of audit reports, and security documentation.

7.2 Customer may conduct an audit no more than once per twelve (12) months, unless required by a competent supervisory authority. Any audit must:

  • (a) be preceded by at least thirty (30) days' written notice;
  • (b) be conducted during normal business hours;
  • (c) not unreasonably interfere with Grasp's operations; and
  • (d) be limited to information and facilities reasonably necessary to verify compliance with this DPA.

7.3 Grasp may satisfy audit requests by providing third-party certifications or reports, such as ISO 27001, SOC 2, or similar industry-standard audits, which Customer agrees shall fulfill its audit rights.

7.4 Customer is responsible for all costs and expenses arising from any audit, including Grasp's reasonable time and materials spent supporting the audit.

8. Limitation of Liability

8.1 The limitations of liability in the Agreement apply to this DPA. Nothing in this DPA limits liability that cannot be limited under applicable law.

9. Term

9.1 This DPA remains in effect for as long as Grasp processes Customer Data.

10. Order of Precedence

10.1 In the event of conflict between this DPA and the Agreement, this DPA will prevail to the extent of the conflict.

11. Governing Law

11.1 The governing law stated in the Agreement applies to this DPA.


Appendix 1: Details of Processing

A. Subject Matter
Processing of feedback collected by Customer through the Services.

B. Duration
For the duration of the Agreement and until deletion of Customer Data.

C. Nature and Purpose
Hosting, storage, transmission, analysis, and other processing necessary to provide the Services.

D. Types of Personal Data
Customer may configure the Services to collect:

  • free-text responses
  • contact information
  • marketing consent
  • any data fields chosen by Customer
  • technical metadata (IP address, device info, timestamps)

E. Categories of Data Subjects
Users submitting feedback to Customer.

F. Instructions
Processing in accordance with the Agreement and Customer's configuration of the Services.


Appendix 2: Technical and Organizational Measures

(High-level summary; expanded version available upon request.)

  1. Access control and authentication
  2. Encryption of data in transit and at rest
  3. Regular security testing and monitoring
  4. Controlled access to production systems
  5. Logging and audit trails
  6. Data minimization practices
  7. Backups and disaster recovery
  8. Vendor security assessments