Grin GDPR Whitepaper

Last updated: October 2022

In light of the General Data Protection Regulation ("GDPR"), we have decided to put this document together to provide an overview of where we, Get-Grin Inc. ("Grin", "we", "us" and/or "our"), stand with regard to GDPR.

We welcome the positive changes the GDPR brings, such as the increased harmonization and the "privacy by design and privacy by default" approach. Our view is that the GDPR is not only an obligation but also an opportunity to build privacy-friendly products while further fostering customer trust.

Should I, as a Grin customer, be concerned about the GDPR?

Our recommendation is that all our customers assess carefully whether they are subject to the GDPR and, if so, to what extent. The consequences of breaching the GDPR are very serious. Grin recommends that you consult with legal counsel regarding your obligations (if any) under the GDPR.

If I am a customer not based in the EU, should I still be concerned about the GDPR?

Given the GDPR's extraterritorial effect, our non-EU based customers are also encouraged to assess whether the GDPR applies to them or not.

The GDPR will not only apply to companies that process the personal data of European individuals and have a presence in the EU (e.g. offices or establishments) but also to companies that do not have any presence in the EU but offer goods or services to individuals in the EU and/or monitor the behavior of European individuals where their behavior takes place within the EU.

As a Grin customer, where should you start your "GDPR journey"?

If the GDPR applies to your company, we highly recommend conducting internal due diligence to map your specific data collection practices. This includes, among other matters, understanding what specific personal data (including sensitive personal data) of individuals protected by the GDPR your company is collecting (e.g., end-users, customers, employees, etc.), from whom the data is collected, where it is stored, for what purposes it is used, with whom it is disclosed, and whether the personal data is transferred outside of the European Union or European Economic Area.

What is Grin doing in order to comply?

This is a high level summary of what we have done so far:

  • GDPR strategy.
    • We retained a leading outside counsel to help us understand the GDPR and prepare a GDPR compliance plan.
    • We built a taskforce with members of different departments (CFO, sales, product development, and others) to implement the GDPR compliance plan internally.
    • Top management has been personally involved in the supervision of its implementation.
    • We defined a Privacy Policy and other top-level policies as needed – e.g., Cookies Policy, Data Retention Policy, Data Breach Policy.
    • We regularly provide training and awareness among our employees about key GDPR requirements.
  • Data Processing Agreement. We drafted a Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR for signature with our customers upon request. Consider what personal data you are using on our platform (if any) and, if required, reach out to support@get-grin.com to execute our DPA.
  • Security.
    • We reviewed our security measures and created an internal policy that defines the requirements to ensure that information within the organization is protected at an appropriate level.
    • Grin implements a comprehensive industry-standard information security program with administrative, physical, and technical safeguards designed to protect the confidentiality, availability and integrity of our customers' data.
    • The following is a high level summary of various safeguards that we implemented in the context of our services:
      • Access to data is only available to select staff who have undergone security training.
      • Fully logged changes to access policies and permissions.
      • Regular penetration testing and vulnerability assessments are conducted by third-party agencies to attest our security standing.
      • Access to systems is secured with heightened security methodologies (MFA, strong passwords, etc.).
      • Logging of company personnel accessing data.
      • System encryption.
      • Strict and robust development processes with quality assurance and smart environment management.
  • Response to data requests. We receive and respond to requests from our customers to access or correct personal data, made through our customer success team or the relevant account manager.
  • Data transfers. We only share personal data that is subject to the GDPR with vendors and partners who, like Amazon Web Services, have announced that they will comply with the GDPR and have undertaken to do so.
  • Record Keeping. Grin keeps an updated file describing Grin's data-collection and data-processing practices. Grin periodically reviews this file to make sure that it is always fully updated.
  • Ongoing compliance. We are not approaching GDPR compliance as a one-time exercise. Therefore, we are committed to periodically reviewing our roadmap and ensuring ongoing compliance.

Where can I learn more about GDPR? Additional information is available on the European Commission's website here (http://ec.europa.eu/justice/data-protection/reform/index_en.htm/).

I have more questions. Who should I contact? If you have any additional questions about the GDPR you are welcome to contact us at support@get-grin.com.


Disclaimer: The information in this document may not be construed or used as legal advice about the content, interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their processing of personal data.