1. Our GDPR Role
GlideRun acts as Controller for website, marketing, demo booking, and direct business relationship data. GlideRun acts as Processor when processing customer automation data under customer instructions.
Customers remain Controllers for personal data they route through GlideRun automations and must ensure a lawful basis, notices, and data minimisation controls are in place.
2. Data Processing Agreement
Every customer receives a GDPR-compliant Data Processing Agreement before processing begins. The DPA covers subject matter, duration, nature and purpose, data categories, data subject categories, and the rights and obligations of each party.
GlideRun partners with CompliVibe for compliance infrastructure supporting DPA generation, obligation mapping, and audit logging.
3. Standard Contractual Clauses
India is not currently subject to an EU adequacy decision. GlideRun uses the 2021 EU Commission Standard Contractual Clauses under GDPR Article 46(2)(c) for EU-to-India transfers.
Signed SCCs are provided as part of onboarding and are incorporated into the DPA where applicable.
4. Sub-processors
| Sub-processor | Location | Purpose |
|---|---|---|
| CompliVibe | EU controls / India operations | Compliance infrastructure, documentation, audit evidence |
| AWS | Frankfurt, Germany | Cloud hosting and storage |
| Azure | Amsterdam, Netherlands | Alternative hosting region |
| Resend | United States / EU routing | Transactional email |
| Vercel | Global edge | Website hosting only |
New sub-processors are notified in accordance with the DPA.
5. Technical and Organisational Measures (TOMs)
GlideRun applies encryption in transit and at rest, role-based access controls, MFA, least-privilege access, vulnerability management, annual penetration testing, and documented incident response procedures.
CompliVibe's Evidence Vault provides tamper-evident audit logs for compliance events and automation runs.
6. Data Subject Rights
GlideRun assists customers in fulfilling access, correction, erasure, restriction, portability, objection, and automated decision-making requests. Requests relating to customer automation data should be routed through the relevant customer Controller.
Controller-side requests can be sent to privacy@gliderun.ai.
7. Breach Notification
GlideRun maintains procedures to assess, contain, and notify security incidents. Where a personal data breach is notifiable, affected customers are notified within 72 hours.
CompliVibe's Evidence Vault supports the breach timeline, affected systems analysis, and audit evidence package.
8. EU Representative
GlideRun has appointed [EU Representative placeholder] as its EU representative under GDPR Article 27. Full contact details will be provided in customer onboarding documentation and updated here once finalised.
Last updated: June 1, 2025
Questions? Contact legal@gliderun.ai.