Legal DocumentEffective June 8, 20267 min read

Data Processing Addendum

This DPA forms part of the Terms of Service and governs how Gremlin Labs processes personal data on behalf of customers.

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Gremlin Labs LLC ("Gremlin Labs," "Processor," "we," "us," or "our") and the customer using the Services ("Customer" or "Controller").

This DPA applies when Gremlin Labs processes Personal Data on behalf of a Customer.

1. Purpose

This DPA governs the processing of Personal Data submitted to or processed through the Services. The parties agree that:

  • Customer acts as Data Controller.
  • Gremlin Labs acts as Data Processor.

Gremlin Labs processes Personal Data only as necessary to provide the Services and in accordance with Customer instructions, applicable law, and this DPA.

2. Definitions

For purposes of this DPA:

"Personal Data" means information relating to an identified or identifiable individual.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transmission, analysis, or deletion.

"Subprocessor" means a third party engaged by Gremlin Labs to assist in providing the Services.

Terms not defined here shall have the meaning assigned under applicable privacy laws.

3. Nature and Purpose of Processing

Gremlin Labs may process Personal Data for purposes including:

  • Account management
  • Authentication
  • AI-powered content generation
  • Document analysis
  • Storage and hosting
  • Customer support
  • Fraud prevention
  • Security monitoring
  • Service maintenance
  • Product improvement using anonymized and de-identified information

Processing occurs only to the extent necessary to provide the Services.

4. Categories of Data

Depending on Customer use of the Services, Personal Data may include:

  • Names
  • Email addresses
  • User account information
  • Uploaded documents
  • Training materials
  • SOPs
  • Business records
  • User-generated content
  • Generated outputs
  • Communications with support

Gremlin Labs does not intentionally require special categories of Personal Data. However, Customers may choose to upload such information through the Services. Customers remain responsible for ensuring they possess all required rights, permissions, notices, and legal bases necessary to process and upload such information.

5. Customer Responsibilities

Customer represents and warrants that:

  • Customer has lawful authority to process Personal Data.
  • Customer has provided any required notices.
  • Customer has obtained any required consents.
  • Customer complies with applicable privacy laws.

Customer remains solely responsible for determining whether use of the Services satisfies Customer's legal obligations.

6. Confidentiality

Gremlin Labs will ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations. Access to Personal Data is limited to personnel with a legitimate business need to access such information.

7. Security Measures

Gremlin Labs implements reasonable technical and organizational safeguards designed to protect Personal Data against:

  • Unauthorized access
  • Unauthorized disclosure
  • Loss
  • Alteration
  • Destruction

Such safeguards may include:

  • Access controls
  • Authentication systems
  • Encryption in transit
  • Vendor security reviews
  • Logging and monitoring

No security measure can guarantee absolute protection.

8. Subprocessors

Customer authorizes Gremlin Labs to engage Subprocessors as necessary to operate the Services. Current or anticipated Subprocessors may include:

  • Supabase
  • OpenAI
  • Anthropic
  • Google
  • Paddle
  • Mixpanel
  • ElevenLabs
  • Microsoft Azure
  • Amazon Web Services (AWS)
  • Other infrastructure, analytics, communications, security, AI, export, document generation, or support providers reasonably necessary to operate the Services

Gremlin Labs will require Subprocessors to maintain reasonable safeguards appropriate to the services they provide.

9. International Transfers

Customer acknowledges that Personal Data may be processed, stored, or transferred to:

  • The United States
  • Other jurisdictions where Gremlin Labs or its service providers operate

Where required, Gremlin Labs will implement reasonable contractual or legal safeguards intended to support lawful transfers.

10. Data Subject Requests

Where legally required, Gremlin Labs will provide reasonable assistance to Customer in responding to requests concerning:

  • Access
  • Correction
  • Deletion
  • Portability
  • Restriction
  • Objection

Gremlin Labs may charge reasonable fees where permitted by law for extraordinary requests.

11. Security Incidents

If Gremlin Labs becomes aware of a confirmed Security Incident affecting Personal Data processed under this DPA, Gremlin Labs will notify Customer without undue delay.

Notification may be delayed where necessary:

  • To determine scope;
  • To investigate the incident;
  • To comply with legal obligations;
  • To prevent interference with remediation efforts.

A Security Incident does not include unsuccessful attempts that do not compromise Personal Data, including:

  • Port scans
  • Firewall blocks
  • Denial-of-service attempts
  • Failed login attempts

12. Return and Deletion of Data

Upon termination of Services, Customer may request:

  • Return of Customer Data; or
  • Deletion of Customer Data.

Requests should be submitted within thirty (30) days following termination. Following the applicable retention period:

  • Data will be deleted from active systems;
  • Backup copies may remain temporarily until normal overwrite cycles occur.

Gremlin Labs may retain information where required by law or legitimate legal obligations.

13. Audits and Information Requests

Gremlin Labs does not permit direct audits of its systems by Customers unless separately agreed in writing.

Upon reasonable request, Gremlin Labs may provide information regarding:

  • Security practices
  • Privacy controls
  • Processing activities

to assist Customers with compliance obligations.

14. Limitation of Liability

The liability limitations contained within the Terms of Service apply to this DPA and are incorporated by reference. Nothing in this DPA expands Gremlin Labs' liability beyond what is provided in the Terms.

15. Governing Terms

Except as expressly modified by this DPA, the Terms of Service remain in full force and effect. If a conflict exists between this DPA and the Terms regarding Personal Data processing, this DPA shall control to the extent of that conflict.

16. Contact Information

Gremlin Labs LLC
Email: legal@gremlinlabs.ai
Website: https://gremlinlabs.ai

Questions about this document? legal@gremlinlabs.ai