GroundPound.ai is part of the SurfTurf.ai family of services. The same privacy and terms apply across both products.
Data Processing Agreement (DPA)
Last updated: 2026-05-26 | Version: v1.0-draft | Legal review status: ⚠️ AWAITING REVIEW
1. Parties
This Data Processing Agreement ("DPA") is entered into between GroundPound.ai (operating entity: SurfTurf.AI LLC, a Wisconsin limited liability company) ("Processor") and the customer organization identified in the corresponding Order Form or click-through Terms ("Controller").
This DPA supplements and forms part of the GroundPound.ai Terms of Service available at groundpound.ai/legal/terms.
2. Definitions
Terms not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, the CCPA/CPRA (Cal. Civ. Code §§1798.100 et seq.), or the equivalent applicable data-protection law.
3. Subject matter and duration
Processor will process personal data on behalf of Controller for the purpose of providing the GroundPound.ai platform and related services, for the duration of the underlying Order Form or service relationship, plus any retention period required by law.
4. Nature and purpose of processing
Processor will process personal data only to:
- Provide the GroundPound.ai platform (account management, agent operations, communications, integrations)
- Provide support to Controller
- Comply with applicable legal obligations
- Implement the security measures in Section 7 of this DPA
Processor will NOT:
- Sell, share, or rent personal data to any third party
- Use Controller's personal data to train or improve any AI/ML model offered to other customers
- Combine Controller's personal data with any other customer's personal data, except in aggregated, anonymized form used to operate the platform itself
5. Categories of data subjects and personal data
- Data subjects: Controller's employees, contractors, end customers, prospects, and other individuals whose information Controller submits to the platform
- Categories of personal data: Names, business contact information, employment information, communication content (email/SMS/chat where the operator routes it through the platform), customer-relationship records, financial records relevant to operations (rent rolls, invoices, ledgers — depending on integrations)
- Special categories: Processor does not require Controller to submit special categories of data. Where Controller does so (e.g., medical, biometric, criminal history via screening integrations), additional safeguards apply per Section 9.
6. Sub-processors
Controller authorizes Processor to engage the following sub-processors as of the date above:
| Sub-processor | Purpose | Region |
|---|---|---|
| Anthropic | LLM inference (Claude family) | US |
| OpenAI | LLM inference (GPT family) | US |
| Google | LLM inference (Gemini family) | US |
| xAI | LLM inference (Grok family) | US |
| Mistral AI | LLM inference | EU |
| Together AI | LLM inference | US |
| OpenRouter | LLM inference routing / model gateway | US |
| Microsoft Azure (Azure OpenAI) | LLM inference (failover / regional capacity) | US |
| Supabase | Managed PostgreSQL + authentication | US |
| Vercel | Application hosting + edge network | Global |
| Fly.io | Agent runtime hosting | US |
| Cloudflare | R2 object storage (KB documents, content) | Global |
| Upstash | Redis-backed rate limiting + ephemeral state | Global |
| Resend | Transactional email delivery | US |
| Amazon Web Services (Amazon SES) | Managed email delivery | US |
| Twilio | SMS / voice delivery (when Controller-enabled features use it) | US |
| Stripe | Subscription billing for the GroundPound.ai service | US |
| Plaid | Bank-data integration (only when Controller enables) | US |
| DocuSign | eSignature delivery (only when Controller enables) | US |
| TransUnion | Tenant screening (FCRA-regulated; only when Controller enables) | US |
Sub-processor entity names are as commonly used by each vendor; the legal entity of record can be obtained from each sub-processor's own DPA or trust page.
Processor will:
- Maintain an up-to-date sub-processor list on the public security page and notify Controller of changes
- Notify Controller at least 30 days in advance of adding or replacing any sub-processor, and provide a reasonable opportunity to object
- Impose data-protection obligations on each sub-processor no less protective than those in this DPA
7. Security measures
Processor will implement and maintain appropriate technical and organizational measures, including:
- Encryption in transit: TLS 1.2+ for all customer-facing endpoints
- Encryption at rest: AES-256 (Supabase managed Postgres + R2 object storage); customer OAuth tokens encrypted with per-environment keys
- Access control: Role-based access via Supabase RLS on every multi-tenant table; cross-org leak detection runs in CI
- Secrets management: Vendor API keys stored via BYOK; coordinated multi-store rotation; never logged in plaintext
- Authentication: Magic-link + 6-digit OTP (passwordless); session tokens nonce-protected; OAUTH_STATE_SECRET separated from session signing
- Network: SSRF guards on outbound fetch_url/webhook_post/pdf_extract; private and link-local IP ranges rejected on outbound destinations
- Rate limiting: Redis-backed limits on LLM-burn + email-send surfaces; per-org R2 storage quota
- Monitoring: Continuous security regression in CI; periodic internal audit iterations with remediation tracked to closure; responsible-disclosure inquiries to info@groundpound.ai
- Backup + recovery: Point-in-time recovery via Supabase managed Postgres
See the security posture summary for the full description.
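The "Network" measure above (reject private and link-local destinations before an outbound fetch, webhook post, or PDF extract) is the kind of check a reviewer will want to see in concrete form. The following is an added illustration written for this page, not GroundPound.ai's own code: the function names (`check_destination`, `fake_resolve`), the `FAKE_DNS` table and all addresses in it are constructed for the example, and the real service's guard may differ in shape.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical outbound-destination guard (added example, not GroundPound.ai's
# code). Assumes every outbound fetch/webhook/PDF-extract call is funnelled
# through check_destination() before any connection is opened.

ALLOWED_SCHEMES = {"http", "https"}


def _is_blocked(ip):
    """True if ip falls in a range an outbound fetch must never reach."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private         # RFC 1918 plus IANA special-purpose blocks
        or ip.is_loopback     # 127.0.0.0/8, ::1
        or ip.is_link_local   # 169.254.0.0/16 (cloud metadata), fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified  # 0.0.0.0, ::
    )


def _system_resolve(host):
    """Resolve via the OS resolver; raises OSError (socket.gaierror) on failure."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_destination(url, resolve=_system_resolve):
    """Return (ok, reason, addresses) for an outbound URL.

    Rejects non-http(s) schemes, literal IPs in blocked ranges, and any
    hostname for which *any* resolved address is blocked: a mixed answer
    (one public, one private) is a rebinding or round-robin trick, not a
    legitimate target, so the whole answer is refused.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    host = parts.hostname  # brackets already stripped from IPv6 literals
    if not host:
        return False, "missing host", []
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP, no DNS needed
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            return False, "unresolvable host", []
    if not addresses:
        return False, "unresolvable host", []
    for ip in addresses:
        if _is_blocked(ip):
            return False, f"blocked address {ip}", addresses
    return True, "ok", addresses


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
    "v6mapped.example.com": ["::ffff:192.168.1.1"],
}


def fake_resolve(host):
    """Offline stand-in for _system_resolve backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


if __name__ == "__main__":
    for url in (
        "https://api.example.com/hook",
        "http://metadata.internal/latest/meta-data/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::1]:8080/admin",
        "http://rebind.example.com/",
        "http://v6mapped.example.com/",
        "ftp://api.example.com/",
    ):
        ok, reason, _ = check_destination(url, resolve=fake_resolve)
        print(f"{'ALLOW' if ok else 'DENY ':5} {url}  ({reason})")
```

Two caveats a practitioner should carry over to any real guard: resolving first and connecting later is a time-of-check/time-of-use gap (DNS rebinding), so the HTTP client should connect to the address that passed the check rather than resolving again, and every redirect hop is a new destination that must go through the same check before it is followed.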
8. Breach notification
Processor will notify Controller without undue delay, and in any event within 48 hours, of becoming aware of any personal-data breach affecting Controller's data. The notification will include the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed.
9. Data subject rights
Processor will assist Controller in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) by:
- Providing operator-controlled tools within the platform (org deletion with 7-day soft-delete grace period; data export on request)
- Responding to operator-routed assistance requests within 5 business days
- Not responding directly to data subjects unless legally required
10. Data transfers
Where personal data is transferred outside the EEA/UK/Switzerland, the parties agree to the European Commission's Standard Contractual Clauses (Modules 2 and 3, as applicable) (Commission Implementing Decision (EU) 2021/914), incorporated by reference. The full SCC text will be appended to the executed DPA on request, and where the UK International Data Transfer Addendum is required, the parties will incorporate the IDTA in addition to the SCCs. [LEGAL REVIEW REQUIRED]
11. Audits
Processor will, on reasonable written request from Controller (no more than once per 12-month period absent a security incident):
- Provide its most recent security posture summary (internal audit and, where available, third-party audit)
- Respond to a reasonable security questionnaire
- Permit on-site or remote audit by Controller or an independent auditor bound by NDA, at Controller's expense, on at least 30 days' notice
12. Deletion or return of personal data
Upon termination of the underlying service relationship, Processor will, at Controller's election:
- Return all personal data to Controller in a structured, machine-readable format
- Delete all personal data within 30 days of termination, except as required by law
Operators may also self-serve deletion at any time via the in-product Delete Org flow (typed-confirm, 7-day soft-delete grace period, then permanent purge).
13. Governing law and venue
This DPA is governed by the laws of the State of Wisconsin, United States, without regard to conflict-of-law principles. Venue lies in Dane County, Wisconsin. [LEGAL REVIEW REQUIRED] — operators with EU/UK presence may require alternative governing law and venue; we will negotiate in good faith.
14. Liability
Each party's liability under this DPA is subject to the limitations set forth in the underlying Order Form or Terms of Service. [LEGAL REVIEW REQUIRED]
How to execute
- Email info@groundpound.ai with your organization name, the named individual authorized to sign on Controller's behalf, and any redlines.
- We will return a DocuSign envelope within 2 business days.
- Counter-signature returned within 5 business days of receipt of your signature.
If you need our DPA reviewed by your counsel before executing, we can also accept your standard DPA in lieu of this one, subject to our review.
This is a draft scaffold. Awaiting full legal review before promotion to a binding template. © 2026 SurfTurf.ai LLC. Operator of the SurfTurf.ai and GroundPound.ai platforms.