GDPR Article 28 Transparency
GRID relies on the third parties below to deliver specific parts of the service. Each has its own Data Processing Agreement accepted by GRID; the table notes what data category each processor sees and where they're hosted. If you're in the EU/EEA and exercising a right-of-access, this is the authoritative list as of the page footer date.
| Subprocessor | Purpose | Data category |
|---|---|---|
| Anthropic | LLM inference for Atrium and workflow stages (user BYOK for most flows) | Prompts, responses, workflow inputs |
| Vercel | Application hosting, edge network, build pipeline | Request metadata, server logs, no direct user data stored on Vercel |
| Turso / Neon / Supabase (primary database) | Primary data store (Postgres) | All user data: identity, workspaces, systems, workflows, signals, tasks |
| Resend | Transactional email: verification, password reset, notifications | Email address, user name, email body content |
| Stripe (when billing is active) | Payment processing, subscription management | Name, email, billing address, payment instrument token (never raw card) |
| OAuth providers (Google, GitHub, etc.) — per-user | User-initiated OAuth authentication + integration sync | Access tokens (encrypted at rest), profile data returned by provider |
| Upstash (when configured) | Distributed rate-limiting backend | Rate-limit counters keyed on IP-hash + user-id-hash. No PII. |
| Sentry (error monitoring, operator-configured) | Application error + performance monitoring; on-error client session replay | Error events, stack traces, and PII-redacted session replay captured only when an error occurs |
| UptimeRobot (monitoring, operator-configured) | External uptime probing on /api/health | HTTP response metadata only; no user data |
When we add, remove, or replace a subprocessor in a way that could reasonably concern a user (e.g. a data-category or regional change), we update this page and bump the policy version recorded in every new user's consent log. Users are prompted to re-accept the Terms on their next sign-in. If you have a pending DPA signature with GRID, we notify you 30 days before the change takes effect.
Enterprise customers may object to a new subprocessor within 30 days of notice by emailing privacy@grid.systems. Individual users exercising Art. 21 right-to-object may either disconnect the relevant integration (where provider-specific) or delete their account.
Last updated: 2026-04-19 · See also Privacy Policy, Terms, Security.