Data Processing Agreement
Agreement between you (data controller) and Grunden AI AB (processor) under GDPR art. 28. Version 1.0 — in force when you start using the service or sign an explicit addendum. Contact privacy@grunden.ai for a signed PDF version.
Parties
Data controller ("Controller"): the customer per the grunden.ai account.
Processor ("Processor"): Grunden AI AB, org.nr 559341-9129, VAT SE559341912901, with registered office in Stockholm, Sweden.
Subject matter, duration and purpose of processing
The Processor processes personal data on the Controller's behalf for the purpose of delivering the AI inference service grunden.ai (chat, API). Processing continues for the duration of the agreement, and for 7 years thereafter solely for accounting records per the Swedish Bookkeeping Act (BFL).
Categories of data subjects and data
Data subjects: the Controller's employees, contractors and end users, plus persons referenced in prompt content.
Data categories: identification data (email, name), prompt/response content, usage and technical logs, payment data. The Processor does not intentionally process special categories (art. 9); the Controller is responsible for not sending such data in prompts without a legal basis.
Processor obligations
- Process data only on documented instructions from the Controller (this DPA + order confirmations).
- Ensure persons with access are bound by confidentiality obligations. If the Controller is a Swedish public authority, the Processor and its staff are bound by the duty of confidentiality under chapter 2 § 1 of the Swedish Public Access to Information and Secrecy Act (2009:400) for any information the Controller submits that would be classified at the Controller.
- Implement appropriate technical and organisational security measures (art. 32) — see section 7.
- Assist the Controller in fulfilling obligations to data subjects (art. 12–22).
- Inform the Controller that processing involves automated processing through a large language model (GLM 5.1). The model's output is generated text — the Processor does not make automated decisions with legal or similarly significant effects (art. 22). The Controller is responsible for any human review of model output before decisions are made.
- Assist with security incidents, DPIA (art. 35) and prior consultation (art. 36).
- Delete or return personal data after termination, except where law requires retention (BFL 7 years).
- Make available all information needed to demonstrate compliance and enable audits.
Sub-processors
The Controller grants general prior approval for the following sub-processors:
| Supplier | Service | Country |
|---|---|---|
| 6G AI Sweden AB | GPU infrastructure (NVIDIA H200 cluster) | Sweden (Kista) |
| Mollie | Payment processing | Netherlands |
| GleSYS | DNS | Sweden |
| Proton AG | Email | Switzerland (adequacy decision) |
| Hugging Face Inc. | Model weight downloads (read-only) — no personal data flows | USA |
The Processor notifies the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object in writing within that period; on unresolved objection, the Controller may terminate the agreement at no cost.
Third-country transfers
No routine transfers occur outside the EU/EEA for chat messages or invoice data. Proton (email) is based in Switzerland and covered by the EU Commission's adequacy decision. If a future sub-processor requires a third-country transfer, the EU Standard Contractual Clauses (SCC) will apply and the Controller will be notified per section 5.
Exception — optional tools: When a user activates web_search, the search string is sent to SearXNG, which proxies to DuckDuckGo, Bing, Wikipedia and Startpage — several of which are US-hosted. When a user activates url_fetch, our server opens an HTTPS connection to the URL the user requested, which may be anywhere. This is traffic that leaves the EU. We do not log that traffic in a form linked to the user, but the customer is responsible for not sending personal or confidential data via these tools if such data should not reach a third country. A customer that does not want the tools available at all can request that the tools functionality be disabled for their org.
Security measures (art. 32)
- TLS 1.2+ for all network traffic.
- Passwords hashed with bcrypt (cost 10); API keys stored as SHA-256 hashes.
- Encrypted provider credentials (AES-256) in the database.
- Principle of least privilege; service-role keys separated from anon keys.
- Daily database backups with 30-day retention and point-in-time recovery.
- Access logging for all admin actions.
- Incident response plan with clear escalation paths.
Personal data incident
The Processor notifies the Controller without undue delay, at the latest 72 hours after detecting an incident. The notification covers: nature of the incident, categories and number of affected data subjects, contact point, likely consequences and measures taken.
Audit
The Controller has the right, once per year or on suspicion of a serious deficiency, to audit Processor compliance — through its own auditor or an independent third party bound by confidentiality. The audit must be announced at least 30 days in advance and is paid by the Controller if no material deficiency is found. As an alternative, the Controller may, once the Processor has produced external audit reports (ISO 27001, SOC 2 or equivalent), review those as a complement to the audit. The Processor is pre-launch and has no such reports today — external certifications are seed-round goals, not achieved.
Term and termination
The DPA applies for as long as the Processor processes personal data for the Controller. On termination, data is deleted within 30 days, except accounting data retained 7 years per BFL.
Governing law
Swedish law. Disputes are resolved by Stockholm District Court.
This document constitutes a valid DPA for as long as you use grunden.ai as a B2B customer. For a physical signature or negotiated deviations, write to privacy@grunden.ai.