For business customers whose use of Gravity involves processing personal data of their end-users. Aligned with GDPR Art 28, UK GDPR, DPDPA, and CCPA service-provider terms.
This Data Processing Addendum ("DPA") is entered into between XAI Technologies Pvt Ltd, operating as Gravity AI ("Gravity," "we," "us," or "our"), and the customer accepting it ("Customer," "you," or "your"). It supplements the Gravity Terms of Service ("Agreement") and applies whenever Gravity processes Customer Personal Data on Customer's behalf.
1.1. This DPA reflects the parties' agreement regarding the Processing of Customer Personal Data. It is intended to satisfy the requirements of (a) the EU General Data Protection Regulation 2016/679 ("EU GDPR"); (b) the United Kingdom GDPR and Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) India's Digital Personal Data Protection Act, 2023 ("DPDPA"); (e) the California Consumer Privacy Act, as amended by the CPRA ("CCPA"); and (f) other applicable data protection laws to the extent required.
1.2. In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the Processing of Customer Personal Data.
2.1. Capitalized terms not defined here have the meanings given in the Agreement.
3.1. Roles. For Customer Personal Data Processed under the Agreement: (a) Customer is the Controller / Data Fiduciary / Business; (b) Gravity is the Processor / Data Processor / Service Provider acting on Customer's documented instructions.
3.2. Where Gravity Processes Personal Data as a Controller (for example, billing data, account administration, security telemetry, and aggregated anonymized analytics), our independent processing is governed by the Privacy Policy, not this DPA.
3.3. Compliance responsibility. Customer is responsible for the lawfulness of any Customer Personal Data submitted to the Platform, including obtaining all necessary consents, providing all required notices, and having a lawful basis for any Sensitive Personal Data Customer chooses to Process.
| Element | Description |
|---|---|
| Subject matter | Provision of the Gravity AI agent platform, including Agent execution, recurring Automations, payments, and related services. |
| Duration | The term of the Agreement plus the post-termination retention period set in Section 13. |
| Nature & purpose | Receiving Customer prompts and inputs, executing AI agents on Customer's behalf, returning outputs, storing User Content for the period needed, and producing aggregated analytics. |
| Categories of Data Subjects | Customer's authorized Users, employees, customers, suppliers, and any individuals whose Personal Data Customer submits to an Agent. |
| Categories of Personal Data | As determined by Customer. Typical categories: identifiers, contact details, employment details, communications content, transaction metadata. Sensitive Personal Data only when Customer chooses to submit it. |
| Special category data | The Platform is not designed for the routine processing of GDPR Art 9 / SPDI special categories. Customer agrees not to submit special-category data without prior written agreement. |
| Frequency | Continuous during the term of the Agreement. |
5.1. Gravity Processes Customer Personal Data only on documented instructions from Customer. The Agreement (including this DPA, the Privacy Policy, and Customer's configuration of the Platform) constitutes Customer's complete and final instructions at the time of acceptance.
5.2. Additional or alternate instructions must be agreed in writing. Gravity will inform Customer if, in our opinion, an instruction infringes Applicable Data Protection Law.
5.3. Gravity may Process Customer Personal Data outside the documented instructions only where required by law to which Gravity is subject; in such a case, Gravity will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
6.1. Gravity ensures that personnel authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and have received training appropriate to their role.
6.2. Access to Customer Personal Data is restricted to personnel with a need-to-know for the performance of the Agreement.
7.1. Gravity implements and maintains the technical and organizational measures described in our Security & Trust statement, which is incorporated into this DPA. Measures include, at minimum:
7.2. Gravity periodically reviews and updates its security measures to take account of evolving threats, technology, and regulatory requirements.
8.1. Customer authorizes Gravity to engage Sub-processors to provide the Platform, subject to this Section 8.
8.2. The current list of authorized Sub-processors is published at /sub-processors. Gravity gives at least thirty (30) days' notice before adding or replacing a Sub-processor that processes Customer Personal Data, except where shorter notice is required to address a security or legal emergency.
8.3. Customer may object to a new Sub-processor on reasonable, documented data-protection grounds within the notice period. The parties will work in good faith to resolve the concern. If unresolved, Customer may terminate the affected Services with refund of any fees prepaid for the unused portion of the term.
8.4. Gravity remains responsible for the acts and omissions of its Sub-processors as if they were Gravity's own under this DPA. Gravity imposes data protection obligations on Sub-processors that are substantively equivalent to those imposed on Gravity.
9.1. Taking into account the nature of the Processing, Gravity will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfil Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including access, rectification, erasure, restriction, portability, and objection).
9.2. If Gravity receives a Data Subject request directly relating to Customer Personal Data, Gravity will (a) not respond to the request itself, except as legally required, and (b) promptly forward the request to Customer.
10.1. Gravity will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
10.2. The notification will include, to the extent then known: (a) the nature of the breach; (b) categories and approximate number of Data Subjects and records concerned; (c) likely consequences; and (d) measures taken or proposed.
10.3. Gravity provides reasonable assistance to Customer in fulfilling Customer's own breach notification obligations to regulators and Data Subjects.
11.1. Where Gravity transfers Customer Personal Data from the EEA, UK, or Switzerland to a country not subject to an adequacy decision, the transfer is governed by the EU SCCs as completed below, and (for UK transfers) the UK International Data Transfer Addendum.
11.2. SCC Module selection: Module Two (Controller to Processor) when Customer is the Controller; Module Three (Processor to Processor) when Customer acts as a Processor for an upstream Controller.
11.3. Annex I — Data exporters and importers, descriptions of processing. Customer is the data exporter; Gravity is the data importer. Other particulars are described in Section 4 (Details of Processing).
11.4. Annex II — Technical and organizational measures. The measures listed in Section 7 of this DPA and in the Security & Trust statement.
11.5. Annex III — Sub-processors. The Sub-processor list at /sub-processors.
11.6. Where required by Applicable Data Protection Law, Gravity will conduct a Transfer Impact Assessment ("TIA") and adopt supplementary measures (e.g., encryption with keys held outside the importing jurisdiction) where necessary.
11.7. India. Cross-border transfers from India will follow the DPDPA cross-border rules and any country list notified by the Central Government.
12.1. Gravity makes available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.
12.2. Customer's audit rights are satisfied primarily through (a) Gravity's published Security & Trust statement; (b) third-party reports and certifications when available (Gravity intends to pursue SOC 2 Type II within twelve months of public launch); and (c) responses to reasonable written information requests.
12.3. Where mandatory law requires an on-site audit, Customer may, at Customer's expense and on at least sixty (60) days' written notice, conduct an audit, subject to mutually agreed scope, confidentiality, and security constraints. On-site audits do not include access to other customers' data, source code beyond what is reasonably necessary, or systems whose disclosure would compromise other customers' security.
13.1. On termination or expiry of the Agreement, Gravity will, at Customer's choice, delete or return all Customer Personal Data in Gravity's possession or control, except to the extent retention is required by applicable law or for legitimate billing, fraud-prevention, or audit purposes.
13.2. Default retention windows are set out in the Privacy Policy § 5. Customer may request earlier deletion in accordance with Section 5 of this DPA.
13.3. Backups containing Customer Personal Data are deleted on a rolling cycle of no more than ninety (90) days after termination, subject to legal-hold exceptions.
14.1. Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except where mandatory law requires otherwise.
14.2. The parties' liability for damages caused to Data Subjects under the SCCs is governed by the SCCs' liability clauses, which are not affected by Section 14.1.
For purposes of the CCPA, Gravity acts as Customer's "Service Provider" with respect to Customer Personal Data. Gravity will not (a) "sell" or "share" Customer Personal Data; (b) retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties or for any purpose other than the specific business purpose of providing the Platform; (c) combine Customer Personal Data with Personal Data from other sources except as permitted under the CCPA. Gravity certifies that it understands these restrictions and will comply with them. Customer may take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data.
For purposes of the DPDPA, Customer is the Data Fiduciary and Gravity is the Data Processor. Gravity will (a) Process Customer Personal Data only in accordance with Customer's instructions and the Agreement; (b) implement the security safeguards described in Section 7; (c) assist Customer in responding to Data Principal requests; and (d) cease Processing and erase Personal Data on termination, subject to legal retention requirements.
References to GDPR provisions in this DPA include the equivalent UK GDPR or Swiss FADP provisions where applicable. The UK Addendum modifies the EU SCCs for UK transfers; the Swiss FADP modifications apply for transfers from Switzerland.
16.1. Gravity may update this DPA to reflect (a) changes in Applicable Data Protection Law; (b) updates to the SCCs or other approved transfer mechanisms; (c) changes in Gravity's product or operations. Material changes are communicated at least thirty (30) days in advance via email to the Customer's account contact.
XAI Technologies Pvt Ltd (operating as Gravity AI) — Privacy Team
Privacy / DPO: dpo@gravity.fast
Legal: legal@gravity.fast
Registered office: BSR Meghana Residency, 17th B Main Rd, KHB Colony, 6th Block, Koramangala, Bengaluru, Karnataka 560095, India.