1. Introduction and acceptance
This Data Processing Addendum (the "DPA") forms part of the agreement between Perter Technology Solutions Private Limited ("Perter", "Processor", "we", "us", or "our") and the customer identified in the relevant Order Form, click-acceptance record, or Cloud Marketplace transaction ("Customer", "Controller", or "you") for the provision of one or more of the Paid Services described in Section 3 (each a "Service", and together the "Services"). This DPA is entered into between Perter and you as a customer of one or more of the Services. Capitalised terms not defined in this DPA have the meaning given in the Grengin Terms and Conditions (the "Terms") or the Grengin Privacy Policy.
You accept this DPA by (a) clicking an "I agree" or equivalent affirmative-acceptance control presented in the customer dashboard or at sign-up for any Service; (b) signing an Order Form that incorporates this DPA by reference; or (c) continuing to use a Service after we have notified you of a new or revised version of this DPA in accordance with Section 14.
This DPA is supplemental to, and forms part of, the Terms. In the event of a conflict between this DPA and the Terms with respect to the Processing of Personal Data, this DPA prevails. In the event of a conflict between this DPA and the Standard Contractual Clauses incorporated into Annex E, the Standard Contractual Clauses prevail to the extent of the conflict.
If you do not agree to this DPA, you must not use any Service that requires a DPA.
2. Definitions
In this DPA:
"Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including:
- In respect of the European Economic Area, Regulation (EU) 2016/679 (the "EU GDPR") and the e-Privacy Directive 2002/58/EC as transposed nationally;
- In respect of the United Kingdom, the EU GDPR as it forms part of UK law (the "UK GDPR") and the Data Protection Act 2018;
- In respect of Switzerland, the Swiss Federal Act on Data Protection of 1 September 2023;
- In respect of California, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA");
- In respect of India, the Information Technology Act 2000 with rules made thereunder, and the Digital Personal Data Protection Act 2023 with the Digital Personal Data Protection Rules 2025 (as their substantive obligations come into force);
- The Personal Information Protection and Electronic Documents Act (Canada), Quebec Law 25, the Privacy Act 1988 (Cth) of Australia, the Privacy Act 2020 of New Zealand, the Personal Data Protection Act 2012 of Singapore; and
- Any other data-protection or privacy law that applies to a party's Processing of Personal Data under this DPA.
"Controller" means the entity that determines the purposes and means of the Processing of Personal Data, and includes "controller", "data fiduciary", "business", or analogous term defined under Applicable Data Protection Laws.
"Customer Data" means any data, content, configurations, files, prompts, logs, metadata, or information that the Customer or its Permitted End Users input into, store on, transmit through, or generate using a Service, where such data includes Personal Data.
"Customer Personal Data" means Personal Data within Customer Data.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"EU SCCs" means the standard contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
"Order Form" means an ordering document, online checkout, or Cloud Marketplace transaction record under which the Customer procures a Service.
"Permitted End User" means a natural person whom the Customer authorises to access or use the Service, including the Customer's employees, contractors, and (where the Service is provided to enable the Customer to provide an onward service) the Customer's own end users.
"Personal Data" has the meaning given in Applicable Data Protection Laws and includes "personal data", "personal information", and "personally identifiable information" as those terms are used in those laws.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed.
"Processing" (and "Process") has the meaning given in the EU GDPR and includes any operation or set of operations performed on Personal Data, whether or not by automated means.
"Processor" means an entity that Processes Personal Data on behalf of the Controller, and includes "processor", "data processor", "service provider", or analogous term defined under Applicable Data Protection Laws.
"Restricted Transfer" means a transfer of Personal Data from a jurisdiction whose Applicable Data Protection Laws restrict transfers to a country that has not been recognised as providing an adequate level of protection for Personal Data, including transfers from the EEA, the United Kingdom, or Switzerland to a country that is not the subject of an adequacy decision.
"Sub-processor" means any third party engaged by Perter to Process Customer Personal Data in connection with a Service.
"UK Addendum" means the International Data Transfer Addendum (Version B1.0) issued by the UK Information Commissioner's Office under section 119A of the UK Data Protection Act 2018.
3. Services covered
This DPA applies to Perter's Processing of Customer Personal Data in connection with the following Services:
- Managed Hosting — operation of a Grengin instance on infrastructure managed by Perter on the Customer's behalf. Product-specific terms are set out in Annex B.
- Grengin Auth Proxy — single-sign-on broker between the Customer's applications and identity providers such as Google Workspace and Microsoft Entra ID. Product-specific terms are set out in Annex C.
- Grengin LLM Proxy — large-language-model request-proxying service. Product-specific terms are set out in Annex D.
The general terms of this DPA (Sections 1 to 17) apply to all Services. Where there is a conflict between the general terms and a product-specific Annex, the product-specific Annex prevails as to the Service to which it relates.
4. Roles and scope of Processing
4.1 Roles of the parties
- Customer is the Controller of Customer Personal Data Processed under this DPA. Where the Customer is itself a Processor for a third-party controller (for example, where the Customer's end users' data belongs to the Customer's own customer), the Customer warrants that it has the authority to enter into this DPA on behalf of that third-party controller, and Perter acts as a Sub-processor in respect of that data.
- Perter is the Processor Processing Customer Personal Data on the Customer's documented instructions.
4.2 Subject-matter, duration, nature, purpose, types of data, categories of Data Subjects
The subject-matter, duration, nature, purpose of the Processing, the types of Customer Personal Data, and the categories of Data Subjects are set out for each Service in Annex A and in the relevant product-specific Annex (B, C, or D). The duration of Processing is the term of the relevant Order Form plus any post-termination period required by Section 11.
4.3 Customer's documented instructions
The Customer instructs Perter to Process Customer Personal Data:
- As necessary to provide, maintain, secure, and support the Services in accordance with the Terms, the Order Form, and the relevant product-specific Annex;
- In accordance with any further written instructions the Customer gives that are consistent with the Terms (for example, configuration choices the Customer makes within the Service); and
- As required by Applicable Data Protection Laws or other binding legal obligations to which Perter is subject (in which case Perter will inform the Customer of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest).
If Perter is of the opinion that an instruction infringes Applicable Data Protection Laws, Perter will inform the Customer without undue delay and may suspend the relevant Processing pending resolution.
4.4 Customer's responsibilities
The Customer is solely responsible for:
- The lawfulness, accuracy, quality, and integrity of Customer Personal Data;
- The legal basis on which it Processes Customer Personal Data and instructs Perter to Process it;
- Providing all required notices and obtaining all required consents from Data Subjects;
- Handling Data Subject requests it receives directly;
- The security of its account credentials and access controls within the Service; and
- Ensuring that its use of the Service complies with Applicable Data Protection Laws and any sector-specific laws (such as health, financial services, or telecommunications regulations) applicable to the Customer.
The Customer must not Process, or instruct Perter to Process, special-category Personal Data (under Article 9 GDPR), criminal-conviction data (under Article 10 GDPR), or sensitive Personal Data (under the CCPA, the DPDP Act 2023, or other Applicable Data Protection Laws) through the Services unless Perter has agreed to support such Processing in writing and the additional safeguards in Annex A apply.
5. Confidentiality and personnel
Perter will:
- Treat Customer Personal Data as confidential and Process it only as instructed by the Customer or as required by law;
- Ensure that personnel authorised to Process Customer Personal Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality;
- Limit access to Customer Personal Data on a need-to-know basis under the principle of least privilege; and
- Provide regular data-protection and security training to such personnel.
6. Security
Perter will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as required by Article 32 of the EU GDPR and equivalent provisions of Applicable Data Protection Laws. The current security measures are set out in Annex F.
The Customer acknowledges that the security measures are subject to technical progress and development, and that Perter may update or modify them from time to time, provided that the updates do not materially diminish the overall security of the Services.
7. Sub-processors
7.1 General authorisation
The Customer grants Perter a general written authorisation to engage Sub-processors to Process Customer Personal Data, subject to the conditions in this Section 7. The current list of Sub-processors is published at https://grengin.com/sub-processors and is incorporated by reference. Cloudflare, Inc. is currently engaged as a principal Sub-processor as described in our Privacy Policy.
7.2 Conditions for sub-processing
Before engaging a Sub-processor, Perter will:
- Carry out reasonable due diligence on the Sub-processor's data-protection and security practices; and
- Enter into a written contract with the Sub-processor imposing data-protection obligations no less protective than those imposed on Perter under this DPA.
Perter remains liable to the Customer for the acts and omissions of its Sub-processors as it is for its own.
7.3 Notification, objection, and termination right
Perter will notify the Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance, by:
- Updating the published Sub-processor list at https://grengin.com/sub-processors; and
- Providing email notification to the email address the Customer has registered for DPA notifications, or by in-product notice.
The Customer may, on reasonable data-protection grounds, object to a new or replacement Sub-processor by sending written notice to privacy@grengin.com within fifteen (15) days of Perter's notification.
If the Customer objects on reasonable data-protection grounds and the parties cannot, within thirty (30) days of the objection, agree on a resolution (which may include Perter not engaging the Sub-processor for that Customer or providing a workaround), the Customer may, as its sole and exclusive remedy, terminate the affected Service by giving thirty (30) days' written notice. In that event, Perter will refund any pre-paid fees for the unused portion of the relevant subscription term. Termination under this Section 7.3 does not give rise to any further liability or remedy in damages.
If the Customer does not raise an objection within fifteen (15) days, the new or replacement Sub-processor is deemed approved.
8. Data Subject rights
Taking into account the nature of the Processing, Perter will provide reasonable assistance to the Customer (by appropriate technical and organisational measures, in so far as practicable) to fulfil the Customer's obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws, including the rights of access, rectification, erasure, restriction, portability, objection, and the right not to be subject to solely automated decision-making.
If Perter receives a request from a Data Subject directly, Perter will not respond to the request itself except on the Customer's documented instructions or as required by law, and will, where it can identify the Customer to whom the request relates and is permitted by law to do so, promptly forward the request to the Customer.
The Customer is responsible for verifying the identity of the Data Subject making the request. The Customer will reimburse Perter for the reasonable cost of any assistance that goes beyond what would be expected under Article 28(3)(e) of the EU GDPR or its equivalent under other Applicable Data Protection Laws.
9. Personal Data Breaches
Perter will, without undue delay (and in any event within seventy-two (72) hours of becoming aware), notify the Customer of any Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known to Perter:
- The nature of the Personal Data Breach (including, where possible, the categories and approximate number of Data Subjects and records concerned);
- The likely consequences of the Personal Data Breach;
- The measures taken or proposed to address the Personal Data Breach and to mitigate its possible adverse effects; and
- The name and contact details of Perter's data-protection contact (Section 17).
Perter will, taking into account the nature of the Processing and the information available to it, provide reasonable assistance to the Customer in respect of the Customer's own notification obligations to supervisory authorities and Data Subjects under Applicable Data Protection Laws.
Perter will not make any public announcement about a Personal Data Breach without the Customer's prior written consent, unless required to do so by law.
10. Audit and information rights
10.1 Information
Perter will make available to the Customer, on reasonable written request, the information reasonably necessary to demonstrate Perter's compliance with this DPA and Applicable Data Protection Laws, in the form of:
- This DPA, the Privacy Policy, the Sub-processor list, and the security-measures description in Annex F;
- Summaries of, or third-party audit reports issued in respect of, Perter's information-security programme (such as ISO/IEC 27001 or SOC 2 Type II reports of Perter or its principal Sub-processors) where available; and
- Responses to a reasonable security questionnaire, no more than once in any twelve-month period, except in connection with a Personal Data Breach or a regulator-mandated audit.
10.2 Audit
Where the information made available under Section 10.1 is, in the Customer's reasonable judgment, insufficient to demonstrate compliance, the Customer may, on at least sixty (60) days' prior written notice and no more than once in any twelve-month period (except where required by a competent supervisory authority or in connection with a substantiated Personal Data Breach), conduct an audit of Perter's compliance with this DPA. The audit:
- Will be conducted during business hours, with minimal disruption to Perter's operations;
- Will be subject to Perter's reasonable security and confidentiality requirements;
- May be conducted by an independent third-party auditor jointly approved by the parties (such approval not to be unreasonably withheld), and may not be conducted by a competitor of Perter; and
- Will be at the Customer's cost, save where the audit reveals material non-compliance, in which case Perter will bear the reasonable cost.
The Customer may not audit Perter's Sub-processors directly, but Perter will use commercially reasonable efforts to obtain on the Customer's behalf the equivalent information from Sub-processors that the Customer would be entitled to under this Section 10.
11. Return and deletion of Customer Personal Data
On termination or expiry of the relevant Service, the Customer may, by written request made within thirty (30) days of termination, ask Perter to:
- Export the Customer Personal Data in a commonly used, machine-readable format and make it available for download by the Customer; or
- Delete the Customer Personal Data from Perter's production systems.
If the Customer does not make a request within thirty (30) days, Perter may delete the Customer Personal Data in accordance with its standard data-retention schedule. Perter will, in any event, delete or anonymise Customer Personal Data within ninety (90) days of termination, except to the extent that retention is required by law (in which case Perter will continue to protect the data in accordance with this DPA for the duration of the legally-required retention period). Backup copies will be deleted in accordance with Perter's documented backup-rotation schedule.
12. International transfers
12.1 General
Perter primarily Processes Customer Personal Data in India and in the regions where its Sub-processors operate, which may include the United States, the European Economic Area, the United Kingdom, and other jurisdictions.
12.2 Restricted Transfers from the EEA, the UK, and Switzerland
Where the transfer of Customer Personal Data from the Customer (as data exporter) to Perter (as data importer) constitutes a Restricted Transfer, the parties agree that the Standard Contractual Clauses apply as set out in Annex E:
- For transfers subject to the EU GDPR, the EU SCCs apply, with Module Two (Controller-to-Processor) where the Customer is a Controller, and Module Three (Processor-to-Processor) where the Customer is itself a Processor acting on behalf of a third-party controller;
- For transfers subject to the UK GDPR, the EU SCCs as completed in Annex E apply, supplemented by the UK Addendum, deemed executed between the parties; and
- For transfers subject to the Swiss FADP, the EU SCCs as completed in Annex E apply, with the supervisory authority being the Swiss Federal Data Protection and Information Commissioner, references to "Member State(s)" interpreted as Switzerland, and references to the EU GDPR understood as references to the Swiss FADP.
12.3 Onward transfers
Perter will not make any onward Restricted Transfer of Customer Personal Data unless it does so in compliance with Applicable Data Protection Laws, including by ensuring that any Sub-processor receiving Customer Personal Data outside the EEA, the United Kingdom, or Switzerland is bound by the EU SCCs (or an analogous lawful transfer mechanism).
12.4 Other jurisdictions
For Customer Personal Data subject to Applicable Data Protection Laws of other jurisdictions (including India's DPDP Act 2023 once its cross-border-transfer provisions are notified), the parties will rely on lawful transfer mechanisms available under those laws, including any equivalent contractual safeguards.
12.5 Transfer Impact Assessments
On reasonable request, Perter will provide the Customer with information necessary to enable the Customer to carry out a Transfer Impact Assessment, including information about the legal regime to which Perter is subject, the specific Sub-processors involved, and the technical and organisational measures applied to the transferred data.
13. Liability
Each party's liability under or in connection with this DPA — including under the EU SCCs incorporated by reference — is subject to the exclusions and limitations of liability set out in the Terms (in particular, Section 15 of the Terms). Nothing in this DPA limits or excludes either party's liability:
- To a Data Subject under Clause 12 of the EU SCCs;
- To a competent supervisory authority; or
- Where liability cannot be limited or excluded by Applicable Data Protection Laws.
Where the parties are jointly liable to a Data Subject or to a supervisory authority, each party will bear its share of the liability in proportion to its responsibility for the relevant event.
14. Changes to this DPA
Perter may update this DPA from time to time. The current version will always be available at https://grengin.com/data-processing-addendum with the "Last Updated" date noted at the top.
For non-material changes (typographical fixes, clarifications, contact-detail updates, additions to Sub-processor lists handled under Section 7.3), the change is effective on posting. For material changes, Perter will provide reasonable advance notice — at least thirty (30) days — by email to the address the Customer has registered for DPA notifications, or by in-product notice. The Customer's continued use of the Service after the effective date of a change constitutes acceptance.
If the Customer does not accept a material change, the Customer may terminate the affected Service by giving thirty (30) days' written notice before the effective date of the change, and Perter will refund any pre-paid fees for the unused portion of the relevant subscription term.
15. Term and termination
This DPA is effective on the date the Customer accepts it under Section 1, and remains in force for so long as Perter Processes Customer Personal Data in connection with any Service. Sections that by their nature should survive termination — including Sections 9, 10, 11, 12, 13, 17, and the relevant Annexes — survive accordingly.
16. General
16.1 Governing law and jurisdiction
This DPA is governed by, and construed in accordance with, the laws of India, except where Applicable Data Protection Laws or the EU SCCs (as incorporated in Annex E) require otherwise. Disputes arising out of or in connection with this DPA are subject to the dispute-resolution and jurisdiction provisions of the Terms, except as Clauses 17 and 18 of the EU SCCs provide otherwise for transfers subject to the EU GDPR.
16.2 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect.
16.3 Entire agreement
This DPA, together with the Terms, the Privacy Policy, and any Order Form, constitutes the entire agreement between the parties about its subject matter and supersedes any prior data-processing agreement, addendum, or amendment between the parties relating to the Services, except for any executed agreement that the parties have signed in writing that expressly references and survives this DPA.
16.4 Order of precedence
In the event of a conflict, the order of precedence is: (i) the EU SCCs (as incorporated in Annex E); (ii) this DPA (general terms); (iii) the relevant product-specific Annex (B, C, or D); (iv) the Terms; (v) the Privacy Policy; (vi) any Order Form.
16.5 No third-party rights
Except as expressly provided in the EU SCCs or required by Applicable Data Protection Laws, this DPA does not confer any rights on third parties.
16.6 Counterparts and electronic acceptance
This DPA may be accepted electronically (including by click-acceptance) and is enforceable as if signed in writing under the Indian Information Technology Act 2000, the U.S. Electronic Signatures in Global and National Commerce Act (E-SIGN), the EU eIDAS Regulation (910/2014), and equivalent laws.
17. Contact
For data-protection matters under this DPA, the Customer may contact:
- Data Protection Officer: Abhijeet Dev, Director — privacy@grengin.com, +1-408-381-0030
- Postal address: Perter Technology Solutions Private Limited, C-34, First Floor, Gali No-11, Plot No-5, Madhu Vihar, I.P Extension, East Delhi, India, 110092
- Security incidents and breach notifications: security@grengin.com
- Sub-processor objections and DPA queries: privacy@grengin.com
The Customer must keep its registered DPA-notification email address current. Perter is entitled to rely on notifications sent to that address.
Annex A — Description of Processing (general)
This Annex A applies to all Services and is supplemented by the relevant product-specific Annex (B, C, or D).
| Item | Details |
| --- | --- |
| Data exporter | The Customer, as identified in the Order Form, click-acceptance record, or Cloud Marketplace transaction. Role: Controller (or Processor on behalf of a third-party controller). |
| Data importer | Perter Technology Solutions Private Limited, C-34, First Floor, Gali No-11, Plot No-5, Madhu Vihar, I.P Extension, East Delhi, India, 110092. Role: Processor (or Sub-processor, where the Customer is itself a Processor). |
| Subject-matter of the Processing | Provision of the Services to the Customer in accordance with the Terms, the Order Form, this DPA, and the relevant product-specific Annex. |
| Duration | The term of the Order Form, plus any post-termination retention period required under Section 11. |
| Nature and purpose of the Processing | Hosting, storing, transmitting, securing, monitoring, supporting, and otherwise Processing Customer Personal Data as necessary to deliver the Service to the Customer. |
| Categories of Data Subjects | The Customer's employees, contractors, agents, end users, and any other natural persons whose Personal Data is included in Customer Data. The specific categories are further described in the relevant product-specific Annex. |
| Categories of Personal Data | As described in the relevant product-specific Annex (B, C, or D). |
| Special-category data | Not Processed unless expressly agreed in writing. The Customer warrants it will not submit special-category data through the Services without prior written agreement and supplementary safeguards. |
| Frequency of transfer | Continuous, for the duration of the Service. |
| Retention period | As described in Section 11 of this DPA and in the relevant product-specific Annex. |
| Competent supervisory authority for SCC purposes | As determined under Clause 13 of the EU SCCs (and the UK Information Commissioner's Office for transfers subject to the UK GDPR). |
Annex B — Managed Hosting
This Annex B applies to the Managed Hosting Service.
B.1 Service description
Perter operates a Grengin instance on infrastructure managed by Perter on the Customer's behalf, including provisioning, configuration, patching, monitoring, backup, and incident response.
B.2 Categories of Data Subjects
The Customer's employees, contractors, agents, and (if the Customer uses the Grengin instance to provide a service to its own end users) those end users, plus any other natural person whose Personal Data the Customer chooses to store or process in the Grengin instance.
B.3 Categories of Personal Data
Determined by the Customer's configuration and use of the Grengin instance. Typically includes:
- Account identifiers and authentication credentials of users of the Grengin instance;
- Identifiers and contact data of any natural persons whose data the Customer stores in or processes through the instance;
- Audit and operational logs (timestamps, IP addresses, action records); and
- Any other Personal Data the Customer chooses to input into the instance.
The Customer should not store special-category data in the Grengin instance without prior written agreement and the supplementary safeguards in Section 4.4.
B.4 Specific Processing operations
- Provisioning, configuration, patching, scaling, and decommissioning of the underlying infrastructure;
- Backup and disaster-recovery operations;
- Monitoring of the instance for availability, performance, and security;
- Responding to support tickets, including (only with the Customer's authorisation, or where required to remediate a critical issue) accessing the instance to diagnose problems;
- Aggregating and reporting non-personal operational metrics to the Customer.
B.5 Sub-processors specific to Managed Hosting
In addition to the Sub-processors listed at https://grengin.com/sub-processors, Perter relies on the underlying Cloud Provider chosen by the Customer (AWS, Microsoft Azure, Google Cloud, or OVHcloud) for the underlying compute, storage, and networking. Where the Customer's account with that Cloud Provider is used, the Cloud Provider acts as a separate processor under the Customer's direct relationship with the Cloud Provider; where Perter operates the underlying account, the Cloud Provider is a Sub-processor of Perter for the purposes of this DPA.
B.6 Retention
Customer Personal Data is retained for the term of the Service. On termination, Section 11 applies.
Annex C — Grengin Auth Proxy
This Annex C applies to the Grengin Auth Proxy Service.
C.1 Service description
The Grengin Auth Proxy is a single-sign-on broker that enables the Customer's applications to authenticate end users via upstream identity providers, including Google Workspace and Microsoft Entra ID (Azure AD). It runs on Cloudflare Workers, Workers KV, and (where used) Cloudflare D1.
C.2 Categories of Data Subjects
Natural persons authenticating to the Customer's applications through the Auth Proxy, including the Customer's employees, contractors, and end users.
C.3 Categories of Personal Data
- Identifiers issued by the upstream identity provider (such as the Data Subject's email address, full name, OIDC `sub` claim, profile attributes the Customer chooses to map, and group/role claims);
- Short-lived authentication artifacts (ID tokens, access tokens, refresh tokens, session cookies);
- Session metadata and audit data (timestamps of authentication events, IP address from which authentication was performed, user-agent, success/failure, multi-factor-authentication outcome);
- Configuration data the Customer provides (mapping rules, allowed redirect URLs, identity-provider client IDs and secrets — secrets being stored encrypted).
C.4 Specific Processing operations
- Forwarding authentication requests to the upstream identity provider;
- Validating responses from the upstream identity provider;
- Issuing session tokens for the Customer's applications;
- Recording audit logs of authentication events;
- Enforcing the Customer-configured access-control rules.
C.5 Sub-processors specific to Auth Proxy
Cloudflare, Inc. is a principal Sub-processor for the runtime of the Auth Proxy, providing Workers, Workers KV, and (where used) D1. The upstream identity providers (Google, Microsoft) are independent controllers for the data they hold, and are not Sub-processors of Perter; the Customer's relationship with each identity provider is governed by the Customer's separate agreement with that provider.
C.6 Retention
Audit logs are retained for the period configured by the Customer (default: ninety (90) days). Authentication tokens are short-lived and are deleted at session expiry or revocation. Configuration data is retained for the term of the Service. On termination, Section 11 applies.
C.7 Special note on tokens and secrets
Identity-provider client secrets and similar credentials are stored encrypted and accessible only to the Customer's tenant. In the event of suspected compromise, the Customer must immediately rotate the affected credentials and notify Perter at security@grengin.com.
Annex D — Grengin LLM Proxy
This Annex D applies to the Grengin LLM Proxy Service.
D.1 Service description
The Grengin LLM Proxy is a request-proxying service that forwards large-language-model requests from the Customer's applications to one or more upstream LLM providers (which the Customer selects and configures). It runs on Cloudflare Workers, with optional use of Workers KV, D1, and R2 for configuration, rate-limiting state, and (where the Customer enables logging) request and response logs.
D.2 Categories of Data Subjects
Natural persons whose Personal Data the Customer or its end users include in prompts submitted through the LLM Proxy, plus authorised administrators of the Customer's account with the LLM Proxy.
D.3 Categories of Personal Data
- Prompt content submitted by the Customer or its end users (which may, depending on the Customer's use case, include any category of Personal Data the Customer chooses to include);
- Model output returned in response to prompts;
- Request metadata (timestamps, IP addresses, model identifiers, token counts);
- Customer-configuration data (API keys for upstream LLM providers, which are stored encrypted; routing rules; rate limits);
- Administrator account data.
D.4 Specific Processing operations
- Routing requests to the upstream LLM provider chosen by the Customer;
- Enforcing rate limits and authorisation rules configured by the Customer;
- Where the Customer has enabled logging — and only then — recording prompts, outputs, and metadata for retention and inspection by the Customer;
- Providing aggregated usage analytics to the Customer.
D.5 No training, no secondary use
Perter does not use prompts, model outputs, or any other Customer Personal Data submitted through the LLM Proxy to train, fine-tune, or evaluate any machine-learning model, and does not use such data for any purpose other than providing the Service to the Customer in accordance with this DPA. The Customer is responsible for selecting upstream LLM providers and configurations that align with the Customer's own privacy and confidentiality requirements; in particular, the Customer should ensure that the upstream LLM provider's terms include a "no training" or "zero-retention" commitment where required.
D.6 Sub-processors specific to LLM Proxy
Cloudflare, Inc. is a principal Sub-processor for the runtime of the LLM Proxy. The upstream LLM providers that the Customer selects and configures (such as OpenAI, Anthropic, Google, AWS Bedrock, Azure OpenAI Service, or others) are independent controllers or processors of the Customer, and are not Sub-processors of Perter; the Customer's relationship with each upstream provider is governed by the Customer's separate agreement with that provider, and the Customer is responsible for entering into any DPA required with the upstream provider.
D.7 Retention
By default, the LLM Proxy does not log prompts or outputs. Where the Customer enables logging, log retention is configurable by the Customer, with a default of thirty (30) days and a maximum of one (1) year. Configuration data is retained for the term of the Service. On termination, Section 11 applies.
Annex E — Standard Contractual Clauses (Restricted Transfers)
For Restricted Transfers from the Customer (as data exporter) to Perter (as data importer), the EU SCCs are incorporated into this DPA and deemed executed by the parties as set out below. The UK Addendum and Swiss-specific modifications apply where relevant under Section 12.2.
E.1 EU SCCs — module selection and options
| Provision | Selection |
| --- | --- |
| Modules | Module Two (Controller-to-Processor) where the Customer is a Controller; Module Three (Processor-to-Processor) where the Customer is itself a Processor acting on behalf of a third-party controller. |
| Clause 7 (Docking clause) | Applies. |
| Clause 9 (Sub-processors) | Option 2 (general written authorisation). The minimum advance-notice period for changes to Sub-processors is thirty (30) days, as set out in Section 7.3 of this DPA. |
| Clause 11(a) (Independent dispute resolution) | The optional language is not used. |
| Clause 17 (Governing law) | The EU SCCs are governed by the law of Ireland. |
| Clause 18 (Choice of forum and jurisdiction) | Disputes are resolved in the courts of Ireland. |
| Annex I.A — List of parties | Data exporter: the Customer (as identified in the Order Form / click-acceptance record). Data importer: Perter Technology Solutions Private Limited (Section 17). |
| Annex I.B — Description of transfer | As set out in Annex A and the relevant product-specific Annex. |
| Annex I.C — Competent supervisory authority | Determined under Clause 13 of the EU SCCs. For UK GDPR transfers, the Information Commissioner's Office. |
| Annex II — Technical and organisational measures | As set out in Annex F. |
| Annex III — List of Sub-processors (Module Three only) | The list at https://grengin.com/sub-processors. |
E.2 UK Addendum
For transfers subject to the UK GDPR, the UK Addendum (Version B1.0) is deemed executed between the Customer and Perter. Tables 1 to 3 of the UK Addendum are completed using the information in this DPA. In Table 4, the parties select "neither party" as having the right to terminate on changes to the UK Addendum.
E.3 Swiss FADP
For transfers subject to the Swiss FADP, the EU SCCs as completed above apply, with the modifications set out in Section 12.2.
E.4 Conflict
In the event of a conflict between this DPA and the EU SCCs (as supplemented by the UK Addendum or Swiss modifications), the EU SCCs prevail.
Annex F — Technical and Organisational Measures
This Annex F describes Perter's technical and organisational measures in place to protect Customer Personal Data, in accordance with Article 32 of the EU GDPR. The measures may be updated from time to time without materially diminishing overall security.
F.1 Pseudonymisation and encryption
- Encryption in transit: TLS 1.2 or later for all external network communications; modern cipher suites; HSTS on the Website.
- Encryption at rest: industry-standard encryption (such as AES-256) for data at rest in production storage, including object storage, database storage, and backups.
- Key management: encryption keys managed via the relevant Cloud Provider's or Sub-processor's key-management service; secrets stored in dedicated secret-management systems with access logging.
F.2 Confidentiality, integrity, availability, and resilience
- Principle of least privilege for all access to production systems;
- Multi-factor authentication for all administrative access;
- Separation of production and non-production environments;
- Code review and automated testing prior to deployment;
- Continuous monitoring, logging, and alerting on security events;
- Redundant infrastructure across multiple availability zones; documented business-continuity and disaster-recovery procedures, periodically tested.
F.3 Restoration after an incident
- Regular backups of production data, with retention and frequency aligned with the Service;
- Documented and periodically tested restore procedures;
- Documented incident-response plan with defined roles, escalation paths, and post-incident review.
F.4 Testing and assessment
- Regular vulnerability scanning of production systems;
- Third-party penetration testing of the Services;
- Ongoing review and update of policies and procedures.
F.5 Identification, authorisation, and access
- Unique authenticated accounts for all personnel with access to Customer Personal Data;
- Role-based access control with periodic access reviews;
- Automatic session timeout after a period of inactivity.
F.6 Physical security
- Production infrastructure hosted in cloud data centres with industry-standard physical security (24×7 monitoring, restricted access, environmental controls);
- Perter offices: door access controls; clean-desk policy for materials containing Customer Personal Data.
F.7 Logging and monitoring
- Centralised logging of access to production systems and to Customer Personal Data;
- Monitoring of authentication events, configuration changes, and anomalous activity;
- Log retention sufficient for security investigation and as required by law.
F.8 Configuration and change management
- Documented configuration baselines for all production systems;
- Automated enforcement of baselines where feasible;
- Change-management process with peer review and rollback capability.
F.9 Internal governance
- Written information-security and data-protection policies;
- Mandatory training for personnel handling Customer Personal Data;
- Designated Data Protection Officer (Section 17);
- Regular review of the security programme.
F.10 Sub-processor measures
Sub-processors are contractually required to apply technical and organisational measures no less protective than those described above. Cloudflare, Inc. — Perter's principal Sub-processor — is certified to ISO/IEC 27001, SOC 2 Type II, PCI DSS Level 1, and ISO/IEC 27701, with detailed measures described in Annex 2 of the Cloudflare Data Processing Addendum at https://www.cloudflare.com/cloudflare-customer-dpa/.
Version history
- Version 1.0 — 30 April 2026: initial publication.
- Last Updated: 29 April 2026