Data Processing Addendum for the gro.now Platform (B2B)
Version v.1.1 as of 28.11.2025
1. Introduction
1.1.
(i) “Pwron” LLP, BIN 241040012133, address: Republic of Kazakhstan, Almaty, Bostandyk district, Satpayev St., 90/54, apt. 5, index 050000; website: https://gro.now/ (hereinafter – the “Processor”),
AND
(ii) the Client, who has concluded the Customer Agreement for the gro.now Platform with the Processor, see https://www.gro.now/legal/terms (hereinafter – the “Customer Agreement” or “CA”), who is the Operator (Controller) of personal data within the meaning of applicable legislation (hereinafter collectively referred to as the “Parties”).
1.2.
1.3.
- General Personal Data Processing Policy https://www.gro.now/legal/general-privacy-policy;
- Personal Data Processing Policy for Respondents (https://www.gro.now/legal/privacy-policy) – an independent document regulating the processing of personal data of individuals participating in surveys, tests, research, and other activities organized by Clients on the platform;
- Cookie Processing Policy https://gro.now/legal/cookie-policy.
- Service Level Agreement (SLA) https://www.gro.now/legal/sla;
- Rules for Conducting Surveys and Activities for B2B Clients of the Platform (https://gro.now/legal/activity-rules) – a document regulating the procedure for conducting Surveys and other Activities by Clients on the Platform;
- Acceptable Use Policy (AUP) https://www.gro.now/legal/acceptable-use-policy.
1.4.
1.5.
2. Terms and Roles
2.1. Platform
2.2. Operator / Controller
2.3. Processor
2.4. Subprocessor
2.5. Personal Data (PD)
2.6. Processing
2.7. Data Subject
2.8. Activity
2.9. Respondent
2.10. Operator Instructions
2.11. Security Incident (PD Security Breach)
2.12. Technical and Organizational Measures (TOMs)
2.13. Cross-Border Transfer
2.14. Applicable Law
2.15. Confidential Information
2.16. Aggregated/Anonymized Data
2.17. Roles and Their Segregation.
b) In terms of PD that the Processor processes for its own purposes (e.g., accounting, infrastructure security, anti-fraud), the Processor acts as an **independent operator/controller** – such processing is governed by the Privacy Policy and is not covered by this Addendum.
c) In terms of data obtained from external sources and integrations (e.g., SSO accounts, calendar slots, trackers), the Processor's role is determined by the Operator's Instructions and the description in Appendix 1; if integration providers have their own purposes, they act as independent operators.
3. Subject Matter of DPA and Client's Instructions
3.1.
3.2.
- (i) the Customer Agreement and its appendices;
- (ii) account/project settings, configurations of Activities and forms on the gro.now platform;
- (iii) technical specifications of integrations and API;
- (iv) written/electronic Operator Instructions transmitted through the platform interface or official communication channels.
3.3. The Processor undertakes to:
- (i) process PD **only according to Operator Instructions**, except for cases of mandatory processing by law;
- (ii) **not use PD for its own purposes** unrelated to the fulfillment of the Operator's instructions;
- (iii) **not disclose/transfer PD to third parties**, except in cases explicitly provided for by the DPA, the Principal Agreement, or the law;
- (iv) apply the appropriate TOMs (see Appendix 2 or a separate agreement with the Operator).
3.4.
3.5.
(i) define the purposes and legal bases for Respondent processing;
(ii) ensure proper informing of Respondents and the content of notifications;
(iii) use consent/notification texts and mechanisms consistent with the **Personal Data Processing Policy for Respondents**.
3.6.
3.7.
3.8.
4. Categories of Data and Data Subjects
4.1.
- a) **Respondents** – natural persons participating in Activities conducted on the Platform;
- b) **Operator Employees and Representatives** – persons having access to the platform and participating in Activity management or data processing;
- c) **Integration and External Service Users** (e.g., analytics systems, CRM, mailings), if the data of such users are transferred or synchronized with gro.now;
- d) **Other Persons** whose personal data may be included in Activity results or transferred by the Operator to the Processor (e.g., clients, partners, loyalty program participants).
4.2. Categories of Personal Data,
a) **Identification Data** (name, surname, nickname, ID in the system, account, email, phone number, etc.);
b) **Contact Data** (postal address, country, time zone, interface language, etc.);
c) **Respondent Answers and Content**, provided by them within the framework of Activities (e.g., textual, numerical, audio, or visual data, attached files);
d) **Technical Data** (IP addresses, device identifiers, cookie and SDK data, log data, browser data, referral source, date and time of activity);
e) **Metadata on Platform Use**, including login history, actions, and changes in projects;
f) **Data of Operator Employees and Representatives**, transferred for the purposes of account registration, authentication, administration, and support;
g) **Other Categories of Data**, defined in Appendix 1 and Operator Instructions.
4.3.
4.4.
4.5.
4.6.
5. Legal Bases on the Client's Side
5.1. Operator's Responsibility.
5.2. Informing Data Subjects.
5.3. Consents (where applicable).
a) obtains **free, specific, informed, and unambiguous** consent;
b) documents the fact of obtaining and the possibility of withdrawal;
c) ensures that the consent text is consistent with the **Personal Data Processing Policy for Respondents** and the terms of the specific Activity.
5.4. Special Categories and “Sensitive” Data.
5.5. Minors.
5.6. Integrations and Third-Party Sources.
5.7. Cross-Border Transfer.
5.8. Minimization and Relevance.
5.9. Legality of Activity Content.
5.10. Documentation and DPIA.
5.11. Data Subject and Authority Requests.
5.12. No Delegation of Obligations.
6. Location and Regime of Processing. Cross-Border Transfer
6.1. Processing Locations.
6.2. Remote Access.
6.3. Triggers for Cross-Border Transfer.
a) hosting and backup;
b) use of cloud Subprocessors (SaaS/PaaS/IaaS);
c) incidents requiring escalation/support;
d) connection of integrations according to Operator Instructions;
e) activation of fault tolerance/DR mechanisms.
6.4. Legal Mechanisms.
6.5. Local Law Restrictions.
a) notifies the Processor before the start of the relevant processing;
b) specifies the necessary restrictions in the Instructions;
c) if necessary – chooses a processing configuration without cross-border transfer or provides additional guarantees. The Processor assists where possible, taking into account technical feasibility.
6.6. Logging and Transparency.
6.7. Failover and Disaster Recovery.
6.8. Integrations and External Recipients.
6.9. State Authority Requests.
6.10. Prohibition of Unauthorized Routing.
7. Technical and Organizational Measures (TOMs)
7.1. General Principle.
7.2. Standards and Security Management.
b) The Processor implements an information security policy, including role segregation, access control, incident management, backup, and data recovery.
c) TOMs extend to the proprietary infrastructure, as well as to all Subprocessors engaged for performing processing operations.
7.3. Access Control.
b) **Multi-factor authentication (MFA)** is used for all administrative accounts.
c) All accesses are logged, and user actions are recorded in event journals stored in a secure environment.
d) Accesses are reviewed regularly, and upon dismissal or change of role are **immediately revoked**.
7.4. Environment Separation and Change Management.
b) All changes in code, infrastructure, and configurations undergo an **internal approval and testing** procedure, including security analysis.
c) Versioning, rollback, and change logging mechanisms are used.
7.5. Monitoring and Incident Detection.
b) The automatic notification system sends alerts to responsible specialists upon detection of critical events.
c) All incidents are classified by impact level and documented in accordance with the response procedure (Section 9).
7.6. Backup and Recovery.
b) Backups are stored in an **encrypted form** on separate media/in cloud environments with an equivalent level of protection.
c) Recovery procedures are checked **at least once a year**.
7.7. Minimization and Retention Limitation.
b) Upon expiration of the retention period, data are **deleted or anonymized**, including copies in backup storage (where technically feasible), with documentation of the fact of deletion.
7.8. Physical Security.
b) Physical access is allowed only to authorized personnel.
7.9. Vulnerability Management and Security Testing.
b) Discovered vulnerabilities are **remedied within a reasonable timeframe** depending on criticality.
c) The Operator may request **generalized information** on the conduct of tests and implemented measures (without disclosing confidential architectural details).
7.10. Personnel Training.
7.11. Certificates and Audit.
b) Upon the Operator's request, the Processor provides **current certificates** and/or confirmation of independent checks within reasonable limits.
7.12. Description of Measures.
8. Subprocessors
8.1. General Rule.
8.2. Conditions for Engagement.
a) conducts an **assessment of its reliability** and compliance with security and confidentiality requirements;
b) concludes an agreement with it containing provisions **equivalent** to the Processor's obligations under this DPA;
c) ensures the inclusion of such persons in the current list of Subprocessors (**Annex III**).
8.3. Categories of Subprocessors.
a) hosting and cloud infrastructures (data centers, CDN, backup);
b) analytics, monitoring, and event logging;
c) authorization, authentication, and security systems (including SSO and MFA);
d) notification, mailing, and communication services;
e) technical support and disaster recovery (DR);
f) large language models;
g) integrations used on the Operator's instruction (e.g., CRM, analytics, marketing).
8.4. Dynamic List Update.
- 8.4.1. The list of current Subprocessors is published by the Processor on the website or in the gro.now administrative panel and is updated as changes occur. The Processor notifies the Operator **in advance, at least 5 calendar days** before engaging a new Subprocessor, except in the following situations where **immediate** (without prior) or **reduced period** notification is allowed:
a) for the prevention or localization of a Security Incident, elimination of a critical vulnerability;
b) for ensuring service continuity/DR (disaster recovery, fault tolerance) in case of sudden unavailability of the previous provider;
c) equivalent replacement of a Subprocessor with another with comparable functions without expanding the purposes, scope, or territory of processing;
d) fulfillment of mandatory requirements of law/regulator;
e) the Operator's activation of a non-mandatory function/integration in the administrative panel, if such function knowingly requires the engagement of a specific Subprocessor. - 8.4.2. In cases a-d, notification is sent **as soon as possible, but no later than 72 hours** from the moment of actual engagement. In case e, notification is considered given at the moment of activation of the function/integration by the Operator (an indication of the Subprocessor is shown in the interface).
8.5. Right to Object.
- 8.5.1. The Operator has the right to send a **justified objection** against a new Subprocessor:
(i) in the usual procedure – **within 5 calendar days** from the moment of notification;
(ii) in the cases provided for in clause 8.4 (accelerated/immediate engagement) – **within 72 hours** from the moment of notification. - 8.5.2. The Parties **in good faith strive to settle** the objection, including:
a) proposing an alternative Subprocessor;
b) temporarily disabling the affected function/integration for the Operator;
c) restricting/localizing processing by territory or data categories. - 8.5.3. If settlement is impossible, the Operator has the right to **terminate the Principal Agreement** in the part of the relevant processing or choose a plan/configuration without the disputed Subprocessor (if available).
8.6. Processor's Responsibility.
8.7. Operator's Subprocessors.
In these cases, the Operator is responsible for compliance with legislative requirements and obtaining data subject consents for data transfer to such services.
8.8. Subprocessing Outside the Jurisdiction.
8.9. Notifications and Transparency.
8.10. Current List.
9. Security Incidents and Notifications
9.1. Definition.
9.2. Notification Obligation.
(i) **immediately** begin investigation and take measures to limit the consequences;
(ii) **notify the Operator without undue delay, but no later than 72 hours** from the moment the Processor became aware of the Incident, if the Incident affects the Operator's PD;
(iii) send the Operator a **preliminary notification** with a brief description of the nature of the Incident, the affected data categories, the estimated number of data subjects, primary response measures, and a contact person for interaction.
9.3. Further Information.
a) the causes and nature of the Incident;
b) the category and volume of the affected PD;
c) a description of the undertaken and planned measures to remedy the consequences;
d) an assessment of the risk to data subjects;
e) recommendations to the Operator for actions (including informing data subjects or authorities, if required by law).
Notifications are sent through the **official communication channel** established between the Parties (email, ticket system, secure channel). The Processor has the right to use **automated notification** in case of mass or infrastructure incidents, if it ensures reliable delivery of information.
9.5. Classification and Priority.
a) are related to the leak or disclosure of Respondent PD;
b) affect the confidentiality of Activity data;
c) may entail violations of data subject rights or the Operator's obligations to supervisory authorities.
9.6. Joint Response.
9.7. Documentation.
9.8. Incidents with Subprocessors.
9.9. Operator's Violations.
9.10. Disclosure to Third Parties.
a) disclosure is required by law or an authorized body;
b) it is necessary for interaction with Subprocessors involved in remediation;
c) disclosure is made **in an aggregated form, without identification** of the Operator or its data (e.g., in vulnerability reports).
9.11. Incidents Not Affecting PD.
10. Interaction on Data Subject Rights
10.1. General Principle.
10.2. Data Subject Rights.
a) to access their personal data;
b) to rectify, update, or supplement data;
c) to restrict processing or withdraw consent;
d) to erasure (right to be forgotten);
e) to data portability;
f) to object to processing or automated decision-making;
g) to receive information about data recipients and their retention periods.
10.3. Receiving Requests.
b) If the Processor receives a request directly from a data subject, it **notifies the Operator without undue delay and does not respond independently**, except in cases where the obligation to respond is explicitly established by law.
c) The Processor has the right to confirm receipt of the appeal to the data subject and inform that it will be processed by the Operator.
10.4. Assistance to the Operator.
a) searching, extracting, rectifying, blocking, or deleting PD within technical capabilities;
b) providing information about the systems in which the data are stored;
c) ensuring an exportable data format (e.g., CSV, JSON) for portability purposes.
10.5. Execution Timeframes.
10.6. Technical Restrictions.
b) In cases where the data subject's request affects data in backups, the Processor performs deletion within the framework of **backup storage update procedures**.
10.7. State Authority Requests.
a) **immediately notifies the Operator**;
b) consults with it regarding the volume of information to be disclosed;
c) limits disclosure to the **minimally necessary volume of data** and documents the grounds for provision.
10.8. Record Keeping.
10.9. Respondent Notifications.
10.10. Limitations and Responsibility.
11. Audits and Inspections
11.1. “Information-First” Format.
a) current **certificates/confirmations** (e.g., ISO/IEC 27001/27018),
b) **reports of independent assessments and tests** (generalized conclusions without disclosing confidential details),
c) **due diligence questionnaires** and responses thereto.
The provision of items a–c satisfies the Operator's right to audit without additional interference.
11.2. Remote Document Audit.
11.3. On-Site Audit – Only on Exceptional Grounds.
a) there is a ** confirmed Incident** affecting the Operator's PD, or documented signs of a material breach of the DPA;
b) measures under clauses 11.1-11.2 are **objectively insufficient** to answer specific questions;
c) the Operator has sent a notification **30 calendar days in advance** with justification of the goals, scope, and list of requested artifacts.
The Processor has the right to propose alternatives (additional documents, managed remote access to logs, interviews with responsible persons). On-site audit is conducted **only when necessary**, in a volume minimally sufficient to confirm the conclusions.
11.4. Restriction of Scope and Access.
a) **access to the data and systems of other clients and to Respondent data in open form is prohibited**; only masked/demo data or selective fragments of logs, purged of secrets, are allowed;
b) **vulnerability scanning, stress tests, export/copying of artifacts, imaging, photo/video, connection of external media and software are prohibited**;
c) auditors **must not be competitors** of the Processor;
d) the audit is conducted **during business hours, for no more than 1 business day**, in a specially prepared area or virtual session;
e) any information discovered is considered **Confidential Information** of the Processor.
11.5. Approval of Persons and NDA.
11.6. Payment and Costs.
11.7. Results and Corrections.
11.8. Frequency and Combination.
11.9. Refusal if Risk of Harm.
11.10. No Access to Production Data.
12. Confidentiality and Processor Personnel
12.1. Confidentiality Obligation.
12.2. Access to Personal Data.
b) The Processor **maintains records** of all persons having access to PD and ensures control over their compliance with security procedures.
c) Access to the production environment is carried out through personalized accounts with mandatory use of **multi-factor authentication (MFA) and logging** of actions.
12.3. Personnel Obligations.
b) Each employee **signs a non-disclosure obligation** and personal responsibility for breach of confidentiality.
c) Upon termination of employment or change of role, the employee's access to systems containing PD is **immediately blocked**.
12.4. Information Transfer within the Processor's Group of Persons.
a) such persons are under **analogous confidentiality obligations**;
b) processing is carried out for the purpose of executing this DPA;
c) the transfer **does not expand the territory or purposes** of processing established in Appendix 1
d) the Processor **retains full responsibility** for the actions of affiliates.
12.5. Restriction of Disclosure.
a) disclosure is **explicitly permitted** by this DPA or Operator Instructions;
b) disclosure is required by **law, court act, or request** of an authorized body, and the Processor, if not prohibited by law, **notifies the Operator in advance**;
c) disclosure is necessary for a Subprocessor to perform the entrusted operations and is accompanied by equivalent confidentiality obligations;
d) information is disclosed in an **anonymized, aggregated, or statistical form**, excluding the identification of the Operator or data subjects.
12.6. Confidentiality in Activities.
Any use or viewing of Activity data by the Processor's employees is allowed **solely for official purposes** related to technical support, debugging, or security.
12.7. Operator's Obligations.
12.8. Distinction between Confidentiality and Public Data.
a) it is publicly available on lawful grounds;
b) it became known to the Party from other sources prior to its disclosure;
c) it was disclosed with the written consent of the other Party;
d) it is required for the fulfillment of legal obligations, provided the other Party is notified.
12.9. Consequences of Violation.
13. Data from Open Sources and Source Restrictions
13.1. General Position.
13.2. Availability Restrictions.
a) changes in privacy policies or access settings by source owners;
b) technical restrictions, blocking, or cessation of source operation;
c) introduction of restrictions on automated data extraction or API;
d) changes in the legal regime or regulatory requirements.
13.3.
13.4. Source Replacement or Cessation.
a) replace the source with another one that provides a comparable result;
b) temporarily disable data collection until access is restored;
c) notify the Operator of the cessation of support for a specific source if its restoration is impossible or economically unfeasible.
Such changes **are not considered a deterioration of service quality** and **do not entail penalties** from the Operator.
13.5. Restrictions on the Operator's Use of Data.
a) use data obtained from open sources through the gro.now platform **exclusively within the lawful purposes of its Activities**;
b) **not disseminate or publish** such data in violation of the terms established by the source owners;
c) **comply with all current terms** of use, licenses, and prohibitions applicable to each specific source;
d) **not extract, combine, or export** data from gro.now for the purpose of creating external databases, unless provided for by the Principal Agreement or a separate agreement.
13.6. Disclaimer.
a) the **accuracy, completeness, relevance, or reliability** of data obtained from open sources;
b) **constant availability or immutability** of functionality related to such sources;
c) the **absence of errors** caused by changes in external APIs, policies, or data formats.
13.7.
13.8. Compliance with Third-Party Rights.
13.9. Responsibility.
13.10. Approval of Changes.
14. Retention Periods, Deletion, and Return of Data
14.1. General Principle.
14.2. Retention Period.
a) the Operator's Instructions or Activity settings (including the duration of the Activity and the retention period for its results);
b) legislative requirements, if they provide for a longer retention period;
c) the Processor's security and backup policy – **exclusively for disaster recovery (DR) purposes**.
14.3.
14.4. Data Deletion.
a) **deletes or reliably anonymizes** personal data in active systems;
b) ensures their **deletion from backups** within regular update and overwrite cycles (**no later than 90 calendar days** after deletion from active systems);
c) **documents the fact of deletion** (internal data deletion log).
14.5.
14.6. Data Return.
14.7.
14.8. Recovery Restrictions.
14.9. Deletion of Respondent Data.
14.10. Certificate of Deletion.
14.11. Anonymization and Statistics.
14.12. Termination of Agreement.
a) **ceases processing** the Operator's personal data;
b) at the Operator's choice — **returns or deletes** the data;
c) **revokes accesses** related to the Operator's account;
d) **retains in archives** only the data necessary for compliance with legal requirements (e.g., accounting or tax records).
14.13. Legal Priority.
15. Liability and Limits
16. Term and Termination
16.1. DPA Term.
16.2. Termination.
a) simultaneously with the termination of the Customer Agreement;
b) upon written agreement of the Parties;
c) upon the Operator's withdrawal of the data processing instruction.
16.3. Actions upon Termination.
a) ceases processing the Operator's personal data, except in cases provided for by law;
b) at the Operator's choice — **returns or deletes** the data in the manner established by Section 14;
c) **revokes all accesses** granted for data processing.
16.4. Survival of Obligations.
16.5. Priority of Terms.
Version 1.0
gro.now Platform Subprocessor Register
Version 1.0 · Published May 27, 2026
This Register is Annex 3 to the Data Processing Agreement (DPA) of the gro.now platform and is published as a section of the DPA page. The Register contains the list of subprocessors engaged by Pwron LLP for the processing of personal data of Clients and Respondents of the gro.now platform in its capacity as a Processor.
1. General Provisions
1.1. This Register constitutes a list of subprocessors engaged by Pwron LLP (hereinafter the "Company") for the processing of personal data of Clients and Respondents of the gro.now platform in its capacity as a Processor, and forms Annex 3 to the Data Processing Agreement (DPA) concluded by the Company with the Clients of the platform.
1.2. The Register shall apply as the current list of subprocessors as of the date of its publication. Changes to the list of subprocessors (engagement of a new one, removal, replacement) shall be carried out in the manner prescribed by the "Subprocessors" section of the DPA, and shall be reflected in the Register by publishing a new version.
1.3. In the event of a discrepancy between this Register and the provisions of the DPA or instructions of the Clients (Controllers), the DPA and the instructions shall prevail to the relevant extent.
2. Principles of Maintaining the Register
2.1. The Company includes in the Register third-party services that:
-
store, transmit, process, or have access to the personal data of Clients or Respondents of the gro.now platform;
-
are engaged by the Company to process data on behalf of Clients in its capacity as a Processor under the DPA.
2.2. The Company does not include in the Register (see also Section 4 "Services Outside the Scope of the Register"):
-
services used by the Company as an independent Controller for its own operational activities (accounting, HR, Company's corporate marketing, hiring)—these are governed by the gro.now General Personal Data Processing Policy and a separate internal register of personal data recipients;
-
services that the Client connects independently through the platform interface ("Subprocessors" section of the DPA);
-
development and operational tools without access to production and to the data of Clients / Respondents;
-
one-time contractors without continuous access to the data of Clients / Respondents.
2.3. The categories of subprocessors correspond to the categories established by the "Subprocessors" section of the DPA:
-
hosting and cloud infrastructures;
-
analytics, monitoring, and event logging;
-
authentication and security systems;
-
notification, mailing, and communication services;
-
technical support and disaster recovery;
-
large language models (LLMs);
-
integrations used on the instruction of the Client (Controller).
Additionally included in the specified categories is a payment processor—applied regarding the billing data of Clients processed by the Company when paying for subscription plans.
3. Register of Subprocessors
3.1. Google Cloud Platform (GCP)
| Field | Value |
|---|---|
| Legal Entity | Google LLC (US) / Google Ireland Limited |
| Category | Hosting and cloud infrastructure |
| Purpose | Compute (hosting the backend part of the application and database), persistent disks, IAM, networking, cloud storage |
| Data Region | Frankfurt, Germany (europe-west3) |
| Categories of processed data | All categories of platform data (identification, contact, Activity responses and content, technical, metadata, data of Client's representatives) |
| Contractual Basis | Google Cloud Terms of Service + Google Cloud Data Processing and Security Terms |
| DPA / Privacy / Certifications | DPA: cloud.google.com/terms/data-processing-addendum · Privacy: cloud.google.com/terms/cloud-privacy-notice · Certifications: ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1/2/3, PCI DSS, HIPAA-aligned |
3.2. Vercel
| Field | Value |
|---|---|
| Legal Entity | Vercel Inc. (US) |
| Category | Hosting and cloud infrastructure (application hosting, file storage, CDN, deployment) |
| Purpose | Hosting of the gro.now application (frontend / backend functions), edge network, deployment |
| Data Region | Frankfurt, Germany + Washington DC, USA (multi-region edge). The persistent database of Clients is not stored in Vercel |
| Categories of processed data | Technical data, metadata, temporary application data; content passes through edge functions / serverless |
| Contractual Basis | Vercel Terms of Service + Vercel Data Processing Addendum |
| DPA / Privacy / Certifications | DPA: vercel.com/legal/dpa · Privacy: vercel.com/legal/privacy-policy · Certifications: SOC 2 Type II, ISO/IEC 27001 |
3.3. Firebase Authentication
| Field | Value |
|---|---|
| Legal Entity | Google LLC (US) — as part of Google Cloud / Firebase |
| Category | Authentication and security systems |
| Purpose | Platform user authentication (including password hashing by the provider); JWT tokens; support for login via Google OAuth |
| Data Region | Google Cloud global infrastructure (Firebase Auth is not region-bound in the standard configuration) |
| Categories of processed data | Identification data (email, phone, hashed password, account ID), technical session data |
| Contractual Basis | Google Cloud Platform Terms + Firebase Terms of Service + Google Cloud DPA |
| DPA / Privacy / Certifications | Same as Google Cloud Platform |
3.4. Google Gemini API
| Field | Value |
|---|---|
| Legal Entity | Google LLC (US) |
| Category | Large language models (LLMs) |
| Purpose | AI processing for platform features: generation, translations, sentiment analysis, aggregation of insights |
| Usage Channel | Paid Gemini API via a Google Cloud project with an active billing account (not Unpaid Services / not the free Google AI Studio quota) |
| Data Region | Google Gemini Developer API does not guarantee regional data localization. In accordance with the Gemini API (Paid Services) terms, Google may store and cache data transitively or temporarily in any country where Google or its agents maintain facilities. Regional data residency guarantees are available for the separate Google Cloud Vertex AI / Gemini Enterprise lineup, which the Company does not use as of the date of approval of this Register |
| Categories of processed data | Activity content (briefs, questions, responses); limited context for analytics; identification data is transmitted only if it is present in the actual content of the responses |
| Contractual Basis | Gemini API Additional Terms of Service (Paid Services) + Google Cloud Data Processing Addendum (business.safety.google/processorterms) |
| Use of data for model training | Not used. In accordance with the Gemini API terms regarding Paid Services, Google does not use Company prompts and responses to improve its products or train models; processing is governed by the Google Cloud DPA |
| DPA / Privacy / Certifications | DPA: business.safety.google/processorterms · Privacy: cloud.google.com/terms/cloud-privacy-notice · Certifications: Same as Google Cloud Platform (ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 1/2/3) |
3.5. Brevo
| Field | Value |
|---|---|
| Legal Entity | Sendinblue SAS (France) |
| Category | Notification, mailing, and communication services |
| Purpose | Sending transactional emails to Clients and Respondents |
| Data Region | St. Ghislain, Belgium |
| Categories of processed data | Identification and contact data of recipients (email, name), content of transactional notifications |
| Contractual Basis | Brevo Terms of Use |
| DPA / Privacy / Certifications | DPA: brevo.com/legal/termsofuse · Privacy: brevo.com/legal/privacypolicy · Certifications: ISO/IEC 27001:2022 |
3.6. Rollbar
| Field | Value |
|---|---|
| Legal Entity | Rollbar, Inc. (USA) |
| Category | Analytics, monitoring, and event logging |
| Purpose | Collection and monitoring of errors in the backend and frontend of the gro.now application |
| Data Region | USA (primary infrastructure — AWS) |
| Categories of processed data | Technical data (logs, stack traces), limited personal data (if it appears in logs as part of a debugged event) |
| Contractual Basis | Rollbar Terms of Service |
| DPA / Privacy / Certifications | DPA: docs.rollbar.com/docs/data-processing-agreement · Privacy: docs.rollbar.com/docs/privacy-policy |
3.7. Stripe
| Field | Value |
|---|---|
| Legal Entity | Stripe, Inc. (USA) / Stripe Payments Europe, Ltd. (Ireland) |
| Category | Payment processor |
| Purpose | Processing of online payments by Clients, billing, subscriptions |
| Data Region | USA |
| Categories of processed data | Identification and contact data of payers (name, email); payment data (including card details) — processed by Stripe; Pwron does not store, transmit, or process card data directly; transactional links and references |
| Contractual Basis | Stripe Services Agreement |
| DPA / Privacy / Certifications | DPA: stripe.com/legal/dpa · Privacy: stripe.com/privacy · Certifications: PCI DSS Level 1, SOC 1 Type II, SOC 2 Type II, ISO/IEC 27001 |
| Note (PCI DSS) | The processing of payment card data is fully outsourced to Stripe (PCI DSS Level 1). The PCI DSS scope for Pwron is limited to integration controls (transmitting non-sensitive data via a secure channel, storing transaction references without card data). |
3.8. Google Workspace
| Field | Value |
|---|---|
| Legal Entity | Google LLC (US) / Google Ireland Limited |
| Category | Corporate communications of the Company; regarding the processing of personal data of Clients and Respondents — used for receiving inquiries at functional addresses legal@gro.now, privacy@gro.now, security@gro.now, abuse@gro.now |
| Purpose | Corporate email, video conferencing, calendar, documents for internal work; receiving inquiries from external parties via the Company's functional channels |
| Data Region | Google Cloud global infrastructure |
| Categories of processed data | Inquiries from external parties via functional addresses (may contain personal data of the sender and third parties); internal corporate correspondence |
| Contractual Basis | Google Workspace Agreement + Google Cloud DPA |
| DPA / Privacy / Certifications | Same as Google Cloud Platform |
4. Services Outside the Scope of the Register
The following categories of services and contractors are not included in this Register. This does not indicate their absence from the Company's infrastructure, but rather reflects their legal model.
4.1. Development tools without access to data of Clients / Respondents
GitHub (GitHub, Inc., part of Microsoft Corporation) — used by the Company to store the source code of the gro.now platform, dependency scanning, and security advisories. It contains source code, not Client data or the personal data of Respondents. Under the DPA model, it is not classified as a subprocessor of Clients' personal data; it is mentioned in this section for transparency purposes.
4.2. Services used by the Company as an independent Controller
Services engaged by the Company for its own operational activities (and not on the instruction of the Client)—including accounting and HR services, the Company's corporate marketing, and applicant tracking services during hiring—are not subprocessors within the meaning of the DPA. They process the personal data of the Company's employees, contractors, and counterparties, are governed by the gro.now General Personal Data Processing Policy, and are subject to a separate internal register of personal data recipients, which the Company maintains separately from this Register.
4.3. Services connected independently by the Client
Services that the Client connects independently via the platform interface ("Subprocessors" section of the DPA) are not included among the Company's subprocessors; the responsibility for their compliance with applicable requirements is borne by the Client as a Controller.
4.4. One-time contractors without continuous access
One-time contractors and consultants engaged by the Company without continuous access to the data of Clients / Respondents are not included in the Register. Their interaction with data (if necessary as part of a one-time assignment) is formalized through a separate NDA / contractor agreement with applicable processing requirements.
5. Changes to the Subprocessor List
5.1. The engagement of a new subprocessor, the removal of an existing one, or a replacement shall be carried out in the manner prescribed by the "Subprocessors" section of the DPA. Notifications to Clients regarding such changes shall be sent by the Company in the manner and within the timeframes stipulated by the DPA.
5.2. This Register shall be updated upon any change in the list of subprocessors. The version and date of the update are indicated in the header of the document; previous versions are retained in the Company's archive.
5.3. The Director of the Company is responsible for maintaining the Register up to date. The physical inventory of subprocessors is conducted with the assistance of the Company's development team.
6. Validity and Revision
6.1. The Register enters into force on the publication date indicated in the header of this document.
6.2. The Register shall be revised:
-
upon changes to the list of subprocessors;
-
upon material changes to the Company's DPA requiring an update to Annex 3;
-
based on the results of an internal review of the data's relevance.
6.3. The version and publication date of the current edition of the Register are specified in the header of this document. Previous editions are retained in the Company's archive and, if necessary, provided to Clients upon request.