Data Processing Addendum

GDPR-compliant data processing terms for enterprise customers

DATA PROCESSING ADDENDUM (DPA)

Last Updated: January 11, 2026

This Data Processing Addendum ("DPA") forms part of the Terms and Conditions ("Agreement") between Xreos LLC (doing business as Grain) ("Processor") and the user or entity agreeing to these terms ("Controller").

By using the Services, the Controller is deemed to have signed this DPA.

1. DEFINITIONS AND SCOPE

1.1 Roles: The parties agree that the Customer is the Data Controller and Grain (Xreos LLC) is the Data Processor.

1.2 Subject Matter: The subject matter of the processing is the provision of analytics services, identifying actionable insights from bulk data, and AI-assisted analysis as described in the Agreement.

1.3 Duration: The processing shall last for the duration of the Agreement plus the retention period specified in Annex I.

2. DATA PROCESSING TERMS

2.1 Instructions: Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Agreement and this DPA constitute such documented instructions.

2.2 Confidentiality: Processor ensures that persons authorized to process the Personal Data (including employees, contractors, and solo-founder operations) have committed themselves to confidentiality.

2.3 Security: Processor acts in accordance with Article 32 of GDPR and has implemented the technical and organizational measures ("TOMs") outlined in Annex II.

3. SUB-PROCESSORS

3.1 Authorization: Controller grants general authorization to Processor to engage the Sub-processors listed in Annex III.

3.2 Changes: Processor will update the Sub-processor list on its website. If Controller objects to a new Sub-processor, they may terminate the Agreement.

3.3 Liability: Processor remains fully liable to the Controller for the performance of the Sub-processor’s data protection obligations.

4. DATA SUBJECT RIGHTS (DSAR)

4.1 Assistance: Taking into account the nature of the processing, Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights (e.g., access, rectification, erasure).

4.2 Tools: Processor provides a "Data Subject Access Request" form and export tools to facilitate these requests.

5. INTERNATIONAL TRANSFERS

5.1 Locations: Data may be processed in Turkey, United States, Finland, Germany, and Ireland.

5.2 Safeguards: For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries which do not ensure an adequate level of data protection, Processor relies on the European Commission's Standard Contractual Clauses (SCCs).

6. GOVERNING LAW AND JURISDICTION

6.1 Governing Law: This DPA shall be governed by the laws of Turkey.

6.2 Jurisdiction: Any dispute arising from this DPA shall be resolved by arbitration in İzmir, Turkey, consistent with the Dispute Resolution clause of the main Agreement.


ANNEX I: DETAILS OF PROCESSING

A. List of Parties

  • Controller: The User of the Grain services.
  • Processor: Xreos LLC (Grain).

B. Description of Transfer

  • Categories of Data Subjects: End-users of the Controller's websites/apps; Employees of the Controller using Grain.
  • Categories of Personal Data: IP addresses (anonymized/processed), browser type, device characteristics, operating system, referring URLs, location data, and email addresses (for account management).
  • Nature of Processing: Collection, storage, analysis, and AI-driven querying of event data.
  • Retention Period: Personal data is retained for the duration of the user's account and deleted or anonymized no later than three (3) months after account termination.

ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)

The Processor has implemented the following security measures:

  1. Encryption: All data in transit is encrypted via TLS 1.2/1.3. Sensitive data at rest is encrypted where applicable.
  2. Access Control: Access to production databases is restricted to authorized personnel via strong authentication (MFA).
  3. Data Minimization: IP addresses are processed to derive location and then discarded or anonymized where possible; Grain does not use persistent cross-site tracking cookies.
  4. Vendor Management: All Sub-processors are vetted for GDPR/CCPA compliance.

ANNEX III: APPROVED SUB-PROCESSORS

The Controller authorizes the use of the following Sub-processors:

| Entity | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Cloud Hosting & AI | US, EU, Global |
| Auth0 (Okta) | Identity & Authentication Management | US, EU |
| AWS (Amazon SES) | Transactional Email Delivery | US, EU, Global |
| Mailchimp (Intuit) | Marketing & Newsletter Automation | US |
| Groq Inc. | AI Inference (LPU) | US |
| OpenAI | AI Reasoning | US |
| Microsoft Azure | AI Services | US, EU |
| Stripe | Payment Processing | Global |
| Legalinc Corp Svc | Registered Agent | US (Delaware) |