Journey Studio legal
Data Processing
How we handle data processing for customer journeys.
Effective date: February 25, 2026
Last updated: May 1, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between GreenRoot Analytics B.V. (“Processor”) and the customer (“Controller”) when using the GreenRoot Analytics platform (the “Service”).
Transparency. We aim to operate the Service with maximal transparency and a privacy-first mindset. This DPA is written to clearly describe the processing we perform as Processor and the safeguards we apply.
1) Subject matter and duration
1.1. Processor processes personal data to provide the Service for the duration of the customer agreement (and any transition period required to return or delete data).
2) Nature and purpose of processing
2.1. Processing may include account, workspace, project, and access administration.
2.2. Processing may include journey/survey and journey-map creation, configuration, sharing, and distribution.
2.3. Processing may include collection and storage of survey responses, participant lists, and invitation/reminder workflows initiated by the Controller.
2.4. Processing may include generating analytics, exports, PDF/report artifacts, and executive-summary outputs requested or triggered by the Controller.
2.5. Processing may include AI-assisted features (for example website-context extraction from user-supplied public website content, guided journey/question/phase/KPI generation, and executive summary generation) using an AI sub-processor.
2.6. Processing may include security, logging, abuse prevention, and deletion/cleanup workflows carried out on the Controller’s instructions.
3) Categories of data subjects and personal data
3.1. Typical data subjects include customer users (workspace users).
3.2. Typical data subjects include survey respondents (end users).
3.3. Typical personal data includes account identifiers (e.g. name, email address, preferred language, and role within the workspace).
3.4. Typical personal data includes respondent answers and free-text responses (as configured by the Controller), participant email addresses and invitation/reminder metadata, and project/map/journey context entered by the Controller.
3.5. Typical personal data includes operational metadata needed to operate the Service (e.g. timestamps, technical identifiers, limited delivery/security/diagnostic logs, and generated export/report artifacts requested by the Controller).
3.6. The Service is not intended for processing special category personal data (Article 9 GDPR). Controller should not instruct Processor to process such data and should avoid collecting it in surveys. If special category data is included by respondents (e.g., via free-text answers), Controller remains responsible as Controller; Processor will assist with deletion/anonymization where reasonably possible.
4) Controller obligations
4.1. Controller is responsible for having a lawful basis to process personal data and, where required, obtaining valid consent(s).
4.2. Controller is responsible for providing all required notices to data subjects (including respondents) and handling data subject requests as Controller.
4.3. Controller is responsible for configuring surveys/journeys in a way that is appropriate for the intended audience and does not request special category personal data.
4.4. Controller is responsible for ensuring that invitations and reminders to participants are lawful (including any applicable privacy and anti-spam requirements), and that uploaded participant lists are lawfully obtained and used.
4.5. Controller is responsible for providing documented instructions to Processor where needed, including for deletion/return requests and any use of AI-assisted features on Customer Content.
4.6. Where the Controller asks Processor to analyze public website content as part of an AI-assisted setup flow, Controller is responsible for ensuring it is entitled to provide the relevant URL/content for that purpose.
5) Sub-processors
Processor may engage sub-processors to provide parts of the Service (for example hosting, email delivery, and AI-assisted features).
5.1. Processor will maintain a list of sub-processors.
5.2. Processor remains responsible for the performance of sub-processors under this DPA.
See: Sub-processors (Section 10).
5.3. Processor will update the sub-processor list when material processor-side vendors change. Where reasonably practicable, Controller may object to a new sub-processor on reasonable data-protection grounds, and the parties will work in good faith on an appropriate solution.
5.4. This DPA and the sub-processor list in Section 10 cover services used by Processor to process Customer Content on behalf of Controller. GreenRoot may separately use vendors for its own controller-side billing, payment, invoicing, and account-administration activities (for example Stripe). Those vendors are not listed as DPA sub-processors unless they process Customer Content on behalf of Controller.
6) International transfers
6.1. If personal data is transferred outside the EEA/UK, Processor will ensure appropriate safeguards are in place (for example Standard Contractual Clauses (SCCs), as applicable).
7) Return or deletion
7.1. Upon termination of the Service and upon Controller request (where applicable), Processor will delete or return personal data in accordance with Controller instructions and applicable law, subject to limited retention required for legal, fraud-prevention, or security purposes.
7.2. Where Processor generates exports, PDFs, executive summaries, or similar artifacts for the Controller, those artifacts are treated as Customer Content and fall under the same deletion/return framework, subject to lawful retention exceptions.
8) Processor obligations (GDPR Article 28)
8.1. Processor will process personal data only on documented instructions from Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law (in which case Processor will inform Controller of that legal requirement unless that law prohibits such information).
8.2. Processor will ensure persons authorized to process personal data are committed to confidentiality.
8.3. Processor will implement appropriate technical and organizational measures to protect personal data (GDPR Article 32).
8.4. Processor will not engage another processor without meeting the requirements in Section 5.
8.5. Processor will assist Controller, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Controller’s obligation to respond to requests for exercising the data subject’s rights (GDPR Chapter III).
8.6. Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA.
8.7. Processor will assist Controller in ensuring compliance with security, breach notification, and DPIA/consultation obligations (GDPR Articles 32–36), taking into account the nature of processing and the information available to Processor.
8.8. Processor will make available to Controller information necessary to demonstrate compliance with this DPA and allow for and contribute to audits under Section 9.
9) Audit rights
9.1. Controller may request information reasonably necessary to demonstrate Processor’s compliance with this DPA.
9.2. Controller may also conduct an audit (including inspections) no more than once per 12 months, with reasonable prior written notice, during normal business hours, and subject to Processor’s security and confidentiality requirements.
9.3. Where available, Processor may satisfy audit requests by providing third-party audit reports or security documentation instead of an on-site inspection.
9.4. Controller is responsible for audit costs.
10) Sub-processors
10.1. At GreenRoot, we build and maintain the core technology behind the platform ourselves. For additional infrastructure and specialized services (like email delivery and AI-assisted features), we rely on a small number of carefully selected sub-processors listed below.
10.2. Last updated: May 1, 2026.
| Sub-processor | Purpose | Data categories | Location/Region | Notes |
|---|---|---|---|---|
| Namecheap (VPS hosting / infrastructure) | Hosting / infrastructure | Account, workspace/project/map/journey data, responses, report/export artifacts, logs | United States (see Notes) | Current primary VPS infrastructure provider. Domain-registration / DNS services are outside the scope of this row unless they also process Customer Content |
| PrivateEmail | Transactional email delivery (SMTP) | Workspace-user email addresses, participant email addresses, message content, limited delivery metadata | United States (see Notes) | Used for processor-side invitations, reminders, access-related notifications, and export/report-ready emails |
| OpenAI | AI assistance | Journey/project/map context, survey responses used for summaries, report context, and user-supplied public website URLs/content when AI-assisted features are used | Global (multi-region) | Used for website-context extraction, guided generation, and executive-summary generation when invoked |
10.3. Processor-side export/PDF/report artifacts are currently stored on the same self-hosted infrastructure unless a separate S3-compatible object-storage provider is configured for a given environment. If a separate object-storage provider is enabled to process Customer Content, this sub-processor list should be updated accordingly.
10.4. “Location/Region” is provided at a high level and may vary by vendor configuration and routing. If you need a definitive location for a specific account or environment, confirm it with the vendor.
10.5. Vendors used by GreenRoot for its own controller-side billing, payment, invoicing, analytics/measurement, and account administration are outside the scope of this processor-side sub-processor table unless they process Customer Content on behalf of Controller.
11) Contact
11.1. Questions: contact@greenrootanalytics.com
