Recitals
Customer acts as Controller for personal data processed through its configured automations. GlideRun acts as Processor and processes personal data only to provide workflow automation services under the main service agreement.
This Data Processing Agreement is intended to satisfy GDPR Article 28 and applies whenever GlideRun processes personal data on behalf of Customer.
Clause 1 – Definitions
Controller, Processor, Data Subject, Personal Data, Processing, Supervisory Authority, Sub-processor, and Standard Contractual Clauses have the meanings given in GDPR unless expressly defined otherwise in the service agreement.
Sub-processor means any third party engaged by GlideRun to process personal data on behalf of Customer.
Clause 2 – Subject Matter and Duration
GlideRun processes personal data on behalf of Customer to deliver workflow automation services described in the main service agreement. Processing begins when onboarding starts and continues for the duration of the service agreement.
This DPA terminates automatically when the service agreement terminates, except for provisions that by nature must survive, including confidentiality, deletion, audit, and transfer obligations.
Clause 3 – Nature and Purpose of Processing
Processing consists of automated handling of business workflow data, including routing, enrichment, classification, alerting, reporting, integration calls, and monitoring. Processing is strictly limited to documented Customer instructions.
The purpose is delivering, monitoring, maintaining, and securing AI automation workflows configured for Customer.
Clause 4 – Type of Personal Data
Personal data may include business contact data such as names, emails, job titles, company names, CRM identifiers, support ticket identifiers, and operational metadata flowing through customer-configured automations.
Special category data is prohibited by default. Children's data is prohibited. Financial data is excluded unless Customer explicitly configures an approved workflow and additional controls are agreed.
Clause 5 – Categories of Data Subjects
Data subjects may include Customer's employees, contractors, leads, prospects, customers, and business contacts whose data flows through configured automations.
Clause 6 – Obligations of GlideRun (Processor)
- Process personal data only on documented instructions from Customer.
- Ensure authorised personnel are subject to confidentiality obligations.
- Implement Article 32 technical and organisational measures.
- Respect sub-processor conditions in Clause 7.
- Assist Customer with data subject rights and security obligations.
- Delete or return data on termination.
- Provide information reasonably necessary to demonstrate compliance.
Clause 7 – Sub-processors
Approved sub-processors include CompliVibe for compliance infrastructure, AWS Frankfurt for hosting and storage, Azure Amsterdam as an alternative hosting region, Resend for transactional email, and Vercel for website hosting.
GlideRun will provide 30 days' written notice before adding a new sub-processor. Customer may object on reasonable data protection grounds. GlideRun remains liable for sub-processor performance.
Clause 8 – Technical and Organisational Measures
GlideRun applies TLS 1.3, AES-256 encryption at rest, RBAC, MFA, annual penetration testing, EU data residency controls, and 72-hour incident response procedures.
CompliVibe Evidence Vault provides tamper-evident audit trails for automation and compliance events.
Clause 9 – International Transfers
Transfers from the EU to India are governed by the 2021 EU Commission Standard Contractual Clauses attached or incorporated as Annex III. Where possible, operational processing remains in the EU.
Clause 10 – Audit Rights
Customer may audit GlideRun's compliance with this DPA once per year with 30 days' notice, or immediately following a confirmed security incident. Audits must be conducted during normal business hours and must not compromise other customers' confidentiality or system security.
CompliVibe Evidence Vault logs are available as primary audit evidence where relevant.
Annex I – Description of Processing
| Item | Description |
|---|---|
| Subject matter | Workflow automation services |
| Duration | Concurrent with service agreement |
| Nature | Automated processing, routing, monitoring, reporting |
| Purpose | Delivering and maintaining customer automations |
| Data types | Business contact data, workflow metadata, integration identifiers |
| Data subjects | Employees, contractors, leads, customers, business contacts |
Annex II – Technical and Organisational Measures
| Control | Measure |
|---|---|
| Encryption | TLS 1.3 in transit, AES-256 at rest |
| Access | RBAC, MFA, least privilege, JIT privileged access |
| Monitoring | Continuous logging, alerting, anomaly detection |
| Audit | CompliVibe Evidence Vault, hash-chained logs |
| Residency | EU regions by default for EU customers |
| Incident response | Documented 72-hour notification workflow |
Annex III – Standard Contractual Clauses
The EU Commission 2021 Standard Contractual Clauses apply as Module 2 (controller to processor) or Module 3 (processor to processor) as applicable. Full SCC text is available on request or from the European Commission website.
Last updated: June 1, 2025
Questions? Contact legal@gliderun.ai.