Trust center

Everything procurement asks for. Before they ask.

Grasperly's commitments to data residency, no model training on customer data, Zero Data Retention from LLM sub-processors, and the contractual chassis that backs all of it — published in full, auditable before signature, kept up to date.

§ I · Commitments

What we will defend in writing

  • EU-only data residency. Customer Data is stored and processed only in Frankfurt (eu-central-1) and Warsaw (eu-central-2). No transfers outside the EEA in the standard tier.
  • No training on Customer Data. Grasperly will not, and will not permit any sub-processor to, use Customer Data to train, fine-tune, evaluate, or improve any AI model. Reflected in both the Terms of Service and the DPA.
  • Zero Data Retention from model providers. All LLM sub-processors operate under contractual ZDR: prompts and completions are processed in-flight and are not retained or logged for human review beyond the time strictly necessary to return a response.
  • Encryption everywhere. TLS 1.3 in transit. AES-256 at rest. Customer-managed keys available on the Enterprise tier.
  • Customer owns Customer Data. All right, title, and interest in Customer Data remains with the customer. On termination we return or delete it within 30 days at the customer's choice.

§ II · Documents

The contractual chassis

Security overview

Six commitments tied to DPA clauses, the five sub-processors that handle Customer Data, our control framework, and the EU AI Act posture.

Read the security page

Data Processing Agreement

GDPR Article 28-compliant DPA with hardened no-training clause, 30-day sub-processor notice, 36-hour breach window, and ISO 27001:2022-aligned technical and organisational measures.

Read the DPA

Sub-processors

The third parties that touch Customer Data, where they host it, what they do, and how to subscribe to changes — with 30 days' notice before any change takes effect.

See sub-processors

Privacy Policy

How we handle personal data of website visitors, prospects, candidates, and the contact persons at our customers. Customer Data submitted to the Platform is separately governed by the DPA.

Read the privacy policy

Terms of Service

Master terms governing access to the Platform: licence, customer-data ownership, AI output disclaimer, no-training commitment, liability, and Polish law / Warsaw venue.

Read the terms

Acceptable Use Policy

What you may and may not do with the Platform, including AI-specific restrictions calibrated to the EU AI Act and Polish bar-association rules.

Read the AUP

§ III · Certification roadmap

Honest about where we are.

We do not yet hold ISO 27001, SOC 2, or ISO 42001 certifications. We operate to their control frameworks today and have published the schedule against which we will be measured. Customers can request the current control matrix and audit-trail samples under NDA.

Standard · Status · Target
ISO/IEC 27001:2022 · Operating to the controls today; Stage 1 audit scheduled. · Q3 2026
SOC 2 Type II · Evidence-collection window opens 1 July 2026; report expected. · Q1 2027
ISO/IEC 42001:2023 (AI Management System) · Programme design in progress, aligned with EU AI Act obligations. · Q3 2027
GDPR · Article 28 · In force today via the published DPA. · In force

§ IV · Responsible disclosure

Found a vulnerability?

Email security@grasperly.com. We accept reports in English and Polish. Good-faith research conducted within the scope described in our security.txt is welcome and will not be the basis for any legal action against the researcher.

security@grasperly.com →
security.txt →

§ V · Get the security pack

Audit before signature.

We send a packet with the executed DPA template, current control matrix, sub-processor list, network diagram, and the latest internal review notes. Available to qualified prospects under a mutual NDA.

Request the security pack