Last Updated on April 23rd, 2026
This Data Protection Agreement (DPA) forms an integral part of the Agreement entered into by Groovin and the Customer.
Capitalized terms used but not defined in this appendix shall have the meanings provided in the Terms of Services.
Definitions
For the purpose of this DPA, the capitalized terms shall have the meaning set forth below:
1.1 “Data Protection Regulation” means any law and regulation in force applicable to the Personal Data Processing activities carried out under this Agreement, including without limitation the regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”) and the United Kingdom General Data Protection Regulation (“UK GDPR”), together with any national implementing legislation in each relevant jurisdiction, in each case as amended, replaced or supplemented from time to time.
1.2 "Data Subject" means an identified or identifiable natural person.
1.3 “Personal Data” means any information relating to a Data Subject.
1.4 The following capitalized terms shall have the meaning assigned to them in article 4 of the GDPR: “Controller”, “Data Breach”, “Personal Data”, “Processing”, “Processor”.
Processing
The Parties acknowledge that for the performance of the Agreement (i) the Client acts as a Controller and (ii) Groovin acts as a Processor.
General obligations of Groovin as Data Processor
3.1 Groovin shall process the Personal Data in accordance with the Controller’s documented instructions and for the sole purpose set forth in Exhibit “Processing Description” attached to this DPA.
3.2 Furthermore, Groovin undertakes to:
immediately notify the User if it considers that an instruction constitutes a violation of the Data Protection Regulation,
ensure that its personnel are committed to confidentiality and receive appropriate training regarding data protection,
take all appropriate measures, including physical security measures, to ensure the protection of the Personal Data throughout the duration of this Agreement.
Assistance
Groovin undertakes to:
assist the User to fulfil its obligation to handle Data Subjects’ requests. In the event that a Data Subject sends a request directly to Groovin to exercise his/her rights, Groovin shall forward it to the Controller as soon as possible.
assist the Controller, within reasonable measures, to perform data privacy impact assessments of the processing activities carried out under the Agreement (if such assessment is required by Data Protection Regulation).
Upon Controller’s request, provide a copy of Groovin’s data privacy documentation to demonstrate its compliance with Data Protection Regulation.
Taking into account the nature of the Processing and the information available to Groovin, assist the Controller in meeting its obligations under Articles 32 to 36 of the GDPR and the corresponding provisions of the UK GDPR, including in relation to the security of Processing, notifications of Personal Data Breaches to supervisory authorities and Data Subjects, and prior consultations with supervisory authorities where required by Data Protection Regulation.
Audit & Inspections
5.1 Taking into account the nature of the Processing and the information available to Groovin, Groovin shall make available to the Controller all information necessary to demonstrate compliance with this DPA and Data Protection Regulation and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
5.2 Any audit or inspection shall be subject to the following conditions:
the Controller shall give Groovin reasonable prior written notice of any audit or inspection, and such audits or inspections shall not, save where required by a supervisory authority or following a confirmed Personal Data Breach, take place more than once in any twelve (12) month period;
the Controller and any auditor shall comply with Groovin’s reasonable confidentiality and security requirements; and
the audit or inspection shall be conducted in a manner that minimises disruption to Groovin’s business operations.
5.3 Without prejudice to the above, the Controller agrees that Groovin may satisfy its obligations under this section by providing up-to-date attestations, certifications, audit reports or excerpts from such reports (for example, SOC 2 reports) demonstrating that Groovin’s technical and organisational measures have been audited and found to be adequate.
Security
6.1 Groovin shall implement and maintain appropriate technical and organizational measures in order to ensure a level of security appropriate to the risk, including the following measures:
means to ensure the confidentiality, integrity, availability and resilience of processing systems and services;
means to restore the availability of, and access to, Personal Data within an appropriate timeframe in the event of a physical or technical incident;
a procedure for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
6.2 Data Breach
6.2.1 Groovin shall notify the Controller of any Data Breach as soon as possible, and in all events no later than forty-eight (48) hours after becoming aware of it.
6.2.2 This notification shall include all necessary information in order to enable the Controller to determine whether the incident must be notified to the supervisory authority and / or the Data Subjects.
6.2.3 This information shall include:
a description of the nature of the Data Breach including, if possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
a description of the likely consequences of the Data Breach;
a description of the measures taken or proposed to be taken by Groovin to address the Data Breach, including, where appropriate, measures to mitigate any adverse consequences.
6.3 Deletion of the Personal Data
6.3.1 Upon termination of the Agreement for any reason whatsoever, at the written choice of the Controller, Groovin shall either (i) return to the Controller all Personal Data processed on behalf of the Controller and delete all manual or computerized files storing the Personal Data and any existing copies thereof, or (ii) delete all manual or computerized files storing the Personal Data and any existing copies thereof, unless applicable law requires their retention.
6.3.2 Upon Controller’s request, Groovin will certify in writing that the chosen option has been implemented and that all Personal Data and copies thereof have been permanently erased from its systems, save for any Personal Data which Groovin is required to retain by applicable law.
Subcontracting
7.1 The Controller expressly authorizes Groovin to hire subcontractors ("the Subsequent Data Processor") for the performance of the Services. The list of authorized Subsequent Data Processors is provided below:

7.2 Controller must be informed in advance of any modifications of this list, including any addition or replacement of a Subsequent Data Processor, in order to have the possibility of objecting to such modifications for a legitimate reason.
7.3 In the absence of any written objection from the Controller within 15 business days following the notification, the modification of the list of the Subsequent Data Processors shall be deemed accepted.
7.4 In the event of a legitimate objection by the Controller regarding the modification of this list, the Parties shall meet as soon as possible to find a reasonable solution. If no amicable solution can be found within a reasonable time, the Agreement may be terminated by either Party.
7.5 Groovin remains liable for the performance by the Subsequent Data Processor of its obligations.
7.6 Groovin shall ensure that each Subsequent Data Processor is bound by a written contract which imposes on such Subsequent Data Processor data protection obligations that are at least equivalent to those set out in this DPA, including, where applicable, obligations in respect of international transfers of Personal Data in accordance with the section “Data transfer” below. Upon the Controller’s reasonable request, Groovin shall provide the Controller with a summary of the key data protection terms applicable to the relevant Subsequent Data Processor, which may be provided in a redacted form to protect confidential information.
Data transfer
Groovin shall not transfer any Personal Data from the European Union or the United Kingdom to a third country that does not have an adequate level of protection (as defined by the European Commission or, in respect of the United Kingdom, by the UK government or Information Commissioner’s Office, as applicable) without taking appropriate safeguards required by the GDPR and, where applicable, the UK GDPR, such safeguards including, where appropriate, the European Commission’s Standard Contractual Clauses and, in respect of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to those Standard Contractual Clauses or any replacement mechanism under UK law. The Controller acknowledges that Groovin uses Supabase, Inc. as a Subsequent Data Processor for database hosting services and that any transfer of Personal Data to Supabase, Inc. will be subject to such safeguards.
Obligations of the Data Controller
9.1 The User, acting as Controller, shall comply with Data Protection Regulation.
9.2 In particular, User is solely responsible for:
providing the Data Subjects with accurate and complete information regarding the Processing of their Personal Data;
ensuring that the Personal Data Processing activities are based on a legal basis provided by the GDPR;
using and Processing the Personal Data for its own needs and business activity in compliance with Data Protection Regulation,
carrying out all assessments and analysis that may be required by Data Protection Regulation to process the Personal Data;
managing any request from Data Subjects exercising their rights in compliance with the Data Protection Regulation,
documenting in writing any instructions given to Groovin regarding the Processing of Personal Data carried out under the Agreement.
Exhibit – Processing Description

Contact
Groovin: privacy@groovin.com
