Greymatter.io Data Processing Addendum (DPA)

DPA pertaining to Greymatter.io Master Subscription Agreement.

This Data Processing Addendum (“DPA”) forms part of the Master Subscription Agreement (“Agreement”) between Greymatter.io Inc. (“Greymatter.io”) and Customer. This DPA applies where Greymatter.io processes Personal Data on behalf of Customer as a processor (or sub-processor) in providing the Software Services.

Capitalized terms not defined herein have the meanings set forth in the Agreement.

  1. Definitions
    1. “Data Protection Laws” means all applicable data protection and privacy laws, including the GDPR, UK GDPR, Swiss FADP, and CCPA/CPRA.
  2. Roles and Scope
    1. Customer is the Controller (or a Processor acting on behalf of another Controller), and Greymatter.io is the Processor.
    2. This DPA applies to Processing of Personal Data subject to Data Protection Laws as described in Annex 1 (Details of Processing).
    3. Greymatter.io will process Personal Data only on documented instructions from Customer (including as set forth in the Agreement), unless required by law.
  3. Customer Instructions
    1. The Agreement (including this DPA) and Customer’s use of the Software Services constitute Customer’s complete instructions to Greymatter.io.
    2. Additional instructions require prior written agreement (which may include additional fees).
  4. Confidentiality and Security
    1. Greymatter.io ensures personnel authorized to process Personal Data are subject to confidentiality obligations.
    2. Greymatter.io implements appropriate technical and organizational measures to ensure security of Personal Data, as described in Annex 2 (Security Measures).
    3. Taking into account the state of the art, costs, and risks, these measures include pseudonymisation, encryption, resilience, and regular testing.
  5. Sub-processing
    1. Greymatter.io will inform Customer of new Sub-processors via an update to the Sub-processor list (Annex 3), with at least 30 days’ notice where possible.
    2. Customer may reasonably object to new Sub-processors; if unresolved, Customer may terminate affected services.
    3. Greymatter.io imposes equivalent data protection obligations on Sub-processors and remains liable for their compliance.
  6. Data Subject Rights
    1. Greymatter.io assists Customer (at Customer’s cost) with responding to Data Subject requests, taking into account the nature of Processing.
    2. Greymatter.io notifies Customer if it receives a Data Subject request directly.
  7. Assistance and Audits
    1. Greymatter.io assists Customer with data protection impact assessments, prior consultations with authorities, and compliance obligations (considering the nature of Processing and available information), at Customer’s reasonable expense.
    2. Audits: Customer (or independent auditor bound by confidentiality) may audit Greymatter.io’s compliance once per year with reasonable notice and during business hours. Customer bears audit costs unless material non-compliance is found.
  8. Personal Data Breach
    1. Greymatter.io notifies Customer without undue delay (and where feasible within 72 hours) after becoming aware of a Personal Data Breach.
    2. Notification includes available details on nature, likely consequences, and measures taken.
    3. Greymatter.io assists Customer with breach notification obligations.
  9. International Transfers
    1. For transfers of Personal Data from the EEA, UK, or Switzerland to countries without adequacy decisions, the following apply.
    2. EU SCCs (Module 2: Controller-to-Processor) apply as set forth in Commission Implementing Decision (EU) 2021/914, completed as follows:
      1. Annex I: Parties and details from the Agreement and Annex 1 hereto.
      2. Annex II: Security measures from Annex 2 hereto.
      3. Clause 7 (Docking): Applies.
      4. Clause 9(a) Option 2: 30 days’ notice for new Sub-processors.
      5. Clause 11: Redress option not required.
      6. Clause 17: Governed by Irish law.
      7. Clause 18: Courts of Ireland.
    3. UK Transfers: The EU SCCs apply with the UK International Data Transfer Addendum (Version B1.0) incorporated, with tables completed from the Annexes hereto.
    4. Swiss Transfers: The EU SCCs apply with modifications for the Swiss FADP (references to the GDPR read as references to Swiss law; the supervisory authority is the FDPIC).
    5. The Parties are deemed to have executed the SCCs as of the Effective Date.
  10. CCPA Obligations
    1. Greymatter.io acts as a “service provider” under CCPA.
    2. Greymatter.io will not sell/share Personal Information, retain/use/disclose it except for business purposes under the Agreement, or combine it with other data except as permitted.
    3. Greymatter.io certifies compliance with CCPA restrictions.
  11. Deletion or Return
    1. Upon termination or expiration, Greymatter.io will delete or return (at Customer’s choice and expense) all Personal Data, except where required by law to retain.
  12. Term and Termination
    1. This DPA remains in effect while Greymatter.io processes Personal Data under the Agreement.
    2. Termination rights align with the Agreement.
  13. Liability
    1. Liability for breaches of this DPA is subject to the limitations in the Agreement.
  14. Governing Law
    1. Governed by the laws specified in the Agreement.

Annex 1: Details of Processing

  1. List of Parties
    1. Data exporter: Customer (as identified in the Agreement, acting as Controller or on behalf of a Controller).
    2. Data importer: Greymatter.io Inc., 4201 Wilson Blvd, 3rd Floor, Arlington, VA 22203, USA (acting as Processor).
  2. Description of Processing
    1. Subject Matter of Processing: The provision of the Greymatter Software Services (a zero-trust application networking and service mesh platform) as described in the Agreement and applicable Order Form(s).
    2. Duration of Processing: The Subscription Term as set forth in the Agreement, plus any period required for deletion/return of Personal Data after termination (or as required by applicable law).
    3. Nature and Purpose of Processing: Greymatter.io will process Personal Data as necessary to provide the Software Services, including hosting, storage, transmission, analysis, support, maintenance, monitoring, troubleshooting, security enforcement, and improvement of the Services in accordance with Customer’s instructions and the Agreement.
    4. Types of Personal Data: Any Personal Data uploaded, stored, transmitted, or otherwise processed by Customer or its Users via the Software Services. This may include, but is not limited to:
      1. Names, contact details (e.g., email addresses, phone numbers)
      2. User identifiers (e.g., usernames, IP addresses, device IDs)
      3. Authentication data (e.g., hashed credentials, access logs)
      4. Any other Personal Data contained in files, messages, metadata, logs, or configurations uploaded or generated through Customer’s use of the Services.
    5. Categories of Data Subjects: Individuals whose Personal Data is processed via the Software Services, which may include:
      1. Customer’s employees, contractors, and authorized Users
      2. Customer’s end-users, customers, or other third parties whose data is uploaded or processed by Customer in the Services.
  3. Competent Supervisory Authority
    1. For EU SCCs: The supervisory authority of the EU Member State in which the data exporter is established, or if not applicable, the Irish Data Protection Commission (as lead authority for Greymatter.io where required).

Annex 2: Security Measures

  1. Greymatter.io implements a comprehensive set of technical and organizational security measures to protect Personal Data processed within its Corporate IT Work Space Cloud Systems. These measures align with the NIST SP 800-171 requirements for protecting the confidentiality of information and include both controls inherited from certified vendors and Greymatter-specific augmentations.
  2. Technical Measures
    1. Access Controls: Enforcement of a Zero Trust security model, including multi-factor authentication (MFA) for all users, least privilege access principles, role-based access controls (RBAC), and separation of duties. Access to privileged accounts and security functions is strictly authorized and limited to defined roles. Automated provisioning and de-provisioning of user accounts via integrated identity management systems. Centralized administrative consoles (Google Admin Console and Slack Admin Console) for policy-driven access management, application whitelisting, and integration controls.
    2. Encryption: Document-level encryption for sensitive data at rest and in transit, with controlled passcodes for access. All communications use HTTPS/TLS protocols. Inherited encryption from vendors ensures data protection during storage, transmission, and processing, compliant with FIPS standards where applicable.
    3. Monitoring and Logging: Continuous monitoring of system activity, inbound/outbound communications, and audit logs to detect unauthorized access, attacks, or anomalies. Real-time alerts for security events, with quarterly reviews of logs and configurations. Malicious code protection through anti-malware tools (e.g., Sophos) with real-time scans of files from external sources and periodic system scans. Network connections are monitored and terminated after inactivity or defined conditions.
    4. Vulnerability Management: Periodic vulnerability scans and assessments (quarterly or as needed) using tools like Google Workspace Security Center. Flaws are identified, reported, and remediated in a timely manner based on risk assessments. Continuous vulnerability discovery for code, dependencies, and configurations, with updates applied upon release.
    5. Network and Communications Protection: Denial of traffic by default (deny all, permit by exception), routing of remote access through managed points (e.g., Tailscale for secure VPN-like access without split tunneling in most cases). Protection against unauthorized information transfer via shared resources. Wireless access (managed by office building IT) requires authentication and encryption; mobile device connections are controlled and logged, with CUI encryption enforced on devices.
    6. Incident Detection and Response: Monitoring for indicators of compromise, including insider threats and malicious code. System security alerts and advisories are monitored, with defined response actions. Audit records enable tracing of user actions for accountability.
  3. Organizational Measures
    1. Governance and Compliance: Inheritance of baseline controls from Google and Slack, including FedRAMP Moderate/High, ISO 27001/27017/27018, and SOC 2/3 certifications. Greymatter augments these with internal policies for data governance, retention enforcement, and audit log review. A System Security Plan (SSP) is maintained and updated periodically, with a record of changes.
    2. Personnel Security and Training: Annual security awareness training for all personnel on risks, policies, and procedures related to CUI/Personal Data handling, including recognition of insider threats. Screening of individuals prior to system access. Offboarding processes ensure immediate termination of access and credentials.
    3. Physical Security: Physical access to office facilities (where admin access may occur) is controlled via keycards, visitor escorts, and monitoring. No on-premises hardware is in scope; all systems are cloud-based SaaS.
    4. Maintenance and Risk Management: Maintenance performed by vendors with Greymatter oversight; equipment sanitized before off-site handling. Risk assessments conducted periodically, with plans of action to address deficiencies. No use of removable media or portable storage for CUI without safeguards.
    5. Backup and Recovery: Confidentiality of backups protected at storage locations, with controls to prevent unauthorized access.

These measures are regularly assessed for effectiveness, with updates as needed to address emerging threats. Greymatter ensures ongoing compliance through internal audits, vulnerability management, and alignment with Data Protection Laws.

Annex 3: Approved Sub-Processors

As of the Effective Date, Greymatter.io engages no third-party Sub-Processors for the processing of Personal Data under this DPA. Any future Sub-Processors will be communicated to the Customer in accordance with Section 5.

Annex 4: Standard Contractual Clauses

The full text of the 2021 EU SCCs can be viewed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/o