This Data Processing Agreement (“DPA”) supplements the Terms of Service between the Customer (“you”, “Controller”) and KARRD Services FZCO (“GreyScape.ai”, “Processor”). It governs how GreyScape.ai processes personal data on your behalf when you use the Service.
It is designed to satisfy the obligations of Article 28 of the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK General Data Protection Regulation, and the equivalent provisions of the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (“UAE PDPL”). Where these regimes diverge, the more protective requirement applies.
By creating a Customer account and using the Service, you accept this DPA. If you require a counter-signed copy for procurement, request one at [email protected].
1. Definitions
- Controller, Processor, Data Subject, Personal Data, Processing, Special Categories of Personal Data, and Personal Data Breach have the meanings given in the GDPR (or, where applicable, the UAE PDPL).
- Customer Personal Data means Personal Data Processed by GreyScape.ai on the Customer's behalf as part of the Service.
- Sub-processor means a third party engaged by GreyScape.ai to Process Customer Personal Data, as listed at /legal/subprocessors.
- Standard Contractual Clauses (“SCCs”) means the Module 2 (controller-to-processor) clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as supplemented by the UK Addendum issued under Section 119A of the Data Protection Act 2018 where UK-origin data is involved.
2. Scope and roles
Customer is the Controller of Customer Personal Data. GreyScape.ai is the Processor. The subject matter of the processing is the provision of the GreyScape.ai service to Customer. The duration is for as long as Customer has an active account. The nature and purpose of processing is set out in Annex 1 to this DPA. Categories of data subject and personal data are set out in Annex 2.
3. Customer instructions
GreyScape.ai Processes Customer Personal Data only on documented instructions from Customer. The Terms of Service, the operating configurations Customer establishes within the Service, and this DPA constitute Customer's complete and final documented instructions to GreyScape.ai. Any additional or alternative instructions must be agreed in writing.
GreyScape.ai will inform Customer if, in its opinion, an instruction infringes applicable data-protection law.
4. Confidentiality of personnel
GreyScape.ai will ensure that personnel authorised to Process Customer Personal Data are bound by confidentiality obligations of no less stringency than this DPA, are appropriately trained in data-protection requirements, and have access to Customer Personal Data only on a need-to-know basis.
5. Security measures
GreyScape.ai will implement and maintain the technical and organisational measures described in our Security Statement, including (at minimum): encryption of Customer Personal Data at rest and in transit; principle-of-least-privilege access controls; audit logging of administrative actions; vulnerability management; and documented incident response. Customer acknowledges that these measures are appropriate to the risks involved in providing the Service.
6. Sub-processors
Customer authorises GreyScape.ai to engage Sub-processors to Process Customer Personal Data. The current list is published at /legal/subprocessors.
Before engaging a new Sub-processor or replacing an existing one, GreyScape.ai will provide at least 30 days' prior notice (by email to account owners and an update to the Sub-processors page). Customer may object on reasonable data-protection grounds within that notice period. If Customer objects and the parties cannot resolve the objection in good faith, Customer may terminate the affected portion of the Service in accordance with the Terms.
Each Sub-processor is bound by written terms that impose data-protection obligations no less protective than those in this DPA. GreyScape.ai remains fully liable to Customer for the performance of its Sub-processors' obligations.
7. Assistance with data subject rights
Taking into account the nature of the Processing, GreyScape.ai will provide Customer with reasonable assistance, by appropriate technical and organisational measures, to enable Customer to respond to requests from Data Subjects exercising their rights under the GDPR / UAE PDPL (including rights of access, rectification, erasure, restriction, portability, and objection). Where Customer self-serves these requests through Service features (e.g., deleting a user record from the Members page), no further assistance is necessary.
8. Personal data breach notification
GreyScape.ai will notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include the categories of Personal Data and approximate number of Data Subjects affected, the likely consequences, and the measures GreyScape.ai has taken or proposes to take. Where the full picture is not yet available, GreyScape.ai will provide the information that is available and supplement it as more becomes known.
9. Data protection impact assessments
GreyScape.ai will provide Customer with reasonable assistance, on request, in carrying out data protection impact assessments and prior consultations with supervisory authorities, where required by Articles 35 and 36 of the GDPR or the equivalent UAE PDPL provisions.
10. Audits and inspections
GreyScape.ai will make available to Customer, on reasonable request and subject to confidentiality undertakings, the information necessary to demonstrate compliance with this DPA and to allow audits or inspections by Customer or a mandated auditor. In practice, audits will be conducted by reviewing the Security Statement, sub-processor terms, and completed third-party certifications (when available), and by answering specific written questions. On-site audits will be limited to once per twelve-month period, scheduled at least 30 days in advance, conducted during business hours, and subject to non-disclosure terms acceptable to GreyScape.ai. The Customer bears its own costs for audits requested under this section.
11. International transfers
Where GreyScape.ai processes EU/EEA- or UK-origin Customer Personal Data outside the EU/EEA or UK, that processing is subject to the Standard Contractual Clauses (Module 2: Controller to Processor), with the UK International Data Transfer Addendum applied to UK-origin data, both of which are incorporated into this DPA by reference and deemed signed and dated at the effective date of this DPA. Annex 3 lists the parties' details required by the SCCs.
Where Customer Personal Data originates from the UAE, transfers outside the UAE are made in reliance on the mechanisms permitted under Articles 22-23 of the UAE PDPL and its Executive Regulations, including transfers to jurisdictions with adequate protection and transfers subject to appropriate safeguards.
12. Return and deletion of Customer Personal Data
Within 90 days of the termination of the Customer's account (or earlier on Customer's written request), GreyScape.ai will, at Customer's choice, return or delete all Customer Personal Data in its possession, including ensuring that Sub-processors do the same. GreyScape.ai may retain Customer Personal Data for longer to the extent required by applicable law (for example, audit and tax records), in which case it will continue to protect such Personal Data in accordance with this DPA.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except to the extent prohibited by applicable law.
14. Governing law
This DPA is governed by, and construed in accordance with, the laws of the United Arab Emirates as applicable in the Emirate of Dubai. The courts of Dubai have exclusive jurisdiction over any dispute arising from or in connection with this DPA.
15. Order of precedence
In the event of any conflict between this DPA and the Terms of Service, the DPA prevails on data-protection matters. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.
Annex 1 — Description of processing
- Subject matter: provision of the GreyScape.ai service.
- Duration: for the duration of the Customer's account, plus the wind-down period set out in Section 12.
- Nature and purpose: hosting, processing, and analysing AI usage metadata and Customer-supplied workflow data so the Customer can observe and govern AI spending and tool use across its organisation.
- Frequency: continuous, on demand, in response to Customer-triggered actions and scheduled sync jobs.
Annex 2 — Categories of data subject and personal data
- Data subjects: Customer's employees, contractors, and other authorised users of Customer's GreyScape.ai workspace.
- Personal data: name, work email address, work department or team, role, AI usage metadata (provider, model, token counts, cost in cents, timestamps) attributed to the data subject, approval-flow conversation text, IP address and user-agent of the data subject's browser session, audit log entries reflecting actions taken by the data subject in the Service.
- Special categories of personal data: none, by design. Customer agrees not to upload special-category data into the Service.
Annex 3 — SCC party details
Data exporter (Controller): the Customer, with the contact details supplied during account registration.
Data importer (Processor): KARRD Services FZCO, IFZA Business Park, Dubai Silicon Oasis, Dubai, United Arab Emirates. Contact for data-protection matters: [email protected].
Competent supervisory authority: where the Customer is established in the EU, the supervisory authority of the Customer's lead establishment. Where the Customer is established in the UK, the Information Commissioner's Office. Otherwise, the UAE Data Office.