Data Processing Agreement

Last updated: June 28, 2026  ·  For business, institutional, and organisation customers

This Data Processing Agreement (“DPA”) is for businesses, colleges, institutes, and organisations that use GridShare to process personal data. It forms part of, and is incorporated into, our Terms of Service. It sets out how GridShare, acting as a data processor, handles personal data on your behalf. Individual hobbyist accounts that do not process third parties' personal data generally do not need a DPA.

1. Roles and scope

For personal data you process using GridShare, you (the customer) are the Data Fiduciary / Controller and GridShare is the Data Processor, in the sense of the Digital Personal Data Protection Act, 2023 (“DPDPA”) and, where applicable, the GDPR. GridShare processes such personal data only to provide the compute Platform to you, and only on your documented instructions (including the instructions inherent in your use of the Platform).

2. What is processed

ItemDetail
Subject matterProvision of on-demand GPU compute, storage, and the workspace autosave/restore service
DurationFor the term of your account / until the data is deleted as set out below
Nature & purposeRunning, storing, and backing up the workloads and data you choose to run on the Platform
Categories of dataWhatever you place in your /workspace or your workloads — determined and controlled by you. GridShare does not require or inspect it.
Data subjectsDetermined by you (e.g. your students, employees, or customers, if your workloads involve their data)

You are responsible for having a lawful basis to process the personal data you run on GridShare, and for not placing prohibited or special-category data on Community-tier nodes (see our Acceptable Use Policy and Section 3 of the Privacy Policy).

3. GridShare's obligations as processor

4. Sub-processors

You authorise GridShare to engage the following sub-processors. We will give you reasonable notice of any intended addition or replacement so you can object on reasonable data-protection grounds.

Sub-processorPurposeLocation
DigitalOcean (compute & database)Hosts the core Platform, database, and operational dataIndia (Bangalore)
DigitalOcean Spaces (object storage)Stores workspace autosave/restore snapshotsSingapore (SGP1)*
Independent GPU ProvidersRun your compute workloads on their hardwareIndia
RazorpayPayment processing (if you transact)India
Email provider (Zoho / transactional)Account, billing, and alert emailsAs per provider

* Object storage is not offered in an Indian DigitalOcean region; Singapore is the nearest. This cross-border transfer is permitted under the DPDPA, which allows transfer of personal data outside India except to countries specifically restricted by the Government of India (Singapore is not restricted). See Section 7 of the Privacy Policy.

5. International transfers

Other than the workspace snapshots stored in Singapore (Section 4), GridShare keeps your personal data on infrastructure located in India. Where any transfer outside India occurs, it is carried out only as permitted by the DPDPA and applicable law, with appropriate safeguards (encryption in transit and at rest, and access controls).

6. Security measures

Community-tier limitation: workloads run on independent Provider hardware that GridShare cannot fully control at the OS/hardware level. For sensitive or regulated data, encrypt client-side before upload and do not use Community-tier nodes. This limitation is part of the service you are agreeing to.

7. Deletion and return

You can delete a workspace snapshot at any time from your dashboard. On termination of your account, or on your written request, GridShare will delete your personal data within a reasonable period, except where retention is required by law (for example, financial transaction records retained for 7 years under the GST Act and Income Tax Act — see Section 8 of the Privacy Policy). Workspace snapshots are reclaimed when an instance is terminated and the workspace is no longer funded, or on request.

8. Liability and governing law

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service. This DPA is governed by the laws of India, and the courts at the seat of GridShare's registered office have exclusive jurisdiction, consistent with the Terms of Service.

9. How to put this in place

For most customers, accepting the Terms of Service (which incorporate this DPA) at signup is sufficient. If your organisation requires a counter-signed copy or a custom DPA for procurement, email enterprise@gridshare.in and we will arrange it.

Note: this is a working version provided for transparency and procurement. It is being finalised with legal counsel following GridShare's incorporation; the registered entity name and any counter-signature will be added at that time.