← Back to Home

Grumbleo – Data Processing Addendum (DPA)

Effective Date: December 3, 2025
Last Updated: December 3, 2025

This Data Processing Addendum ("DPA") forms part of the Terms of Service, Subscription Agreement, or other written or electronic agreement between Grumbleo, Inc. ("Grumbleo," "Processor," "we," or "us") and the business customer ("Customer," "Controller," or "you") that governs Customer's access to and use of the Grumbleo Service ("Agreement").

This DPA applies to Grumbleo's processing of Personal Data on behalf of Customer in connection with the Service.

1. Definitions

For purposes of this DPA:

  • Personal Data means any information relating to an identified or identifiable natural person processed through the Service.
  • Complaint Data means Customer-submitted information involving customer complaints, employee interactions, incident records, customer-service communications, or related data.
  • Controller (Customer) determines the purposes and means of processing Personal Data.
  • Processor (Grumbleo) processes Personal Data on behalf of the Controller.
  • Subprocessor means any third party engaged by Grumbleo to process Personal Data.
  • Applicable Data Protection Laws means U.S. state privacy laws (including CCPA/CPRA, Colorado, Virginia, etc.), GDPR-like frameworks, and global data protection regulations as applicable.

2. Roles of the Parties

2.1 Customer as Controller

Customer is the Data Controller and is responsible for:

  • The lawfulness of Personal Data collection and submission
  • Providing required notices to individuals
  • Ensuring data accuracy
  • Securing any required consent
  • Handling all consumer privacy requests

2.2 Grumbleo as Processor

Grumbleo acts solely as a Data Processor and processes Personal Data only on documented instructions from Customer, except where required by law.

Grumbleo does not:

  • Determine the purposes of Complaint Data
  • Validate the accuracy of Complaint Data
  • Assume responsibility for Controller's compliance obligations

3. Subject Matter, Duration, and Purpose of Processing

3.1 Subject Matter

The processing involves Complaint Data submitted by Customer into the Grumbleo platform.

3.2 Duration

Processing continues for as long as Customer uses the Service or until deletion of data under Section 11.

3.3 Purpose

Processing is performed for:

  • Operation of the Grumbleo Service
  • Analysis and workflow automation
  • Generation of AI-assisted insights
  • Customer support
  • Security, logging, and monitoring
  • Compliance with applicable law

3.4 Types of Data

May include:

  • Customer names
  • Complaint descriptions
  • Service history
  • Transaction data
  • Internal business notes
  • Uploaded attachments

Customer must not submit highly sensitive data (payment card numbers, government IDs, minors' data, PHI, etc.) unless expressly authorized.

3.5 Data Subjects

May include:

  • Customer's customers
  • Customer's employees or staff
  • Business representatives
  • Individuals mentioned within Complaint Data

4. Processor Obligations

Grumbleo shall:

4.1 Process only as instructed

Process Personal Data strictly per Customer instructions unless required by law.

4.2 Confidentiality

Ensure personnel authorized to process data are bound to confidentiality.

4.3 Security Measures

Maintain industry-standard administrative, technical, and physical safeguards, including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Logging, monitoring, and audit trails
  • Network security measures
  • Regular vulnerability assessments
  • Employee training

Detailed description available upon request.

4.4 No Sale of Personal Data

Grumbleo does not sell or share Personal Data for cross-context behavioral advertising.

4.5 Assistance with Requests

To the extent legally required, Grumbleo shall assist Customer in responding to:

  • Access requests
  • Deletion requests
  • Correction requests
  • Opt-out requests

Customer is responsible for verifying requestor identities.

5. Customer Obligations

Customer shall:

  • Ensure Complaint Data is collected lawfully
  • Provide required notices and obtain consent where necessary
  • Not upload prohibited types of personal data
  • Maintain administrative controls on access to the Grumbleo Service
  • Respond directly to privacy rights requests from data subjects

Customer must not use Grumbleo to process unlawful or discriminatory data.

6. Subprocessors

Customer authorizes Grumbleo to engage Subprocessors necessary for operation of the Service, including providers of:

  • Cloud hosting
  • Analytics
  • Database storage
  • Email delivery
  • System monitoring
  • Support tools

6.1 Subprocessor Obligations

Grumbleo ensures Subprocessors are bound by written agreements requiring:

  • Data protection obligations no less protective than those of this DPA
  • Security measures appropriate to the risk

A current list of Subprocessors is available upon request.

7. International Transfers

Where required, Grumbleo uses lawful mechanisms for cross-border data transfers, including:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Binding contractual measures
  • Data minimization and encryption

All data is primarily hosted in the United States unless otherwise disclosed.

8. Security Incidents

If Grumbleo becomes aware of a Security Incident involving Personal Data, Grumbleo shall:

  • Notify Customer without undue delay
  • Provide available information about the breach
  • Assist Customer with required notifications

A "Security Incident" does not include unsuccessful attempts such as blocked malware or denied login attempts.

9. Audits and Certifications

Upon reasonable request, Customer may:

  • Review Grumbleo's security documentation
  • Request summaries of third-party audits (SOC 2, penetration tests, etc.)

Formal on-site audits are permitted only if:

  • Required by law OR
  • Customer pays costs AND
  • Performed during business hours with minimal disruption

10. Data Protection Impact Assessments

Grumbleo will assist Customer in fulfilling DPIA or privacy assessment obligations only to the extent required by law and limited to Grumbleo's processing activities.

11. Return or Deletion of Data

Upon termination or expiration of the Service:

  1. Customer may request export of data within the time window specified in the Agreement.
  2. After that period, Grumbleo will delete Personal Data from active systems.
  3. Grumbleo may retain:
    • Audit logs
    • Backup copies (for limited retention cycles)
    • Anonymized or aggregated data

Grumbleo has no obligation to retain data indefinitely.

12. Liability

Any liability arising from processing under this DPA is subject to the limitation of liability in the Agreement.

Grumbleo is not liable for:

  • Controller's unlawful use of data
  • Incorrect or unauthorized Complaint Data
  • Errors arising from Customer systems
  • Misinterpretation of AI-assisted outputs

13. Conflict of Terms

If there is a conflict between this DPA and the Agreement:

  • The DPA controls with respect to data protection matters.
  • The Agreement controls on all other matters.

14. Governing Law

This DPA is governed by the laws specified in the Agreement (Florida law unless otherwise contracted).

15. Duration

This DPA remains in effect for the duration of the Agreement and thereafter as required for retention, deletion, or legal compliance.

Accepted and Agreed

Use of the Grumbleo Service constitutes acceptance of this DPA by Customer.