Website Data Processing Addendum
How Grilli OÜ (private limited company, registered in Estonia) collects, processes, and protects personal data through this website — specifically through contact and lead forms and server access logs. Grilli OÜ acts as the Controller. Two subprocessors, both with EU data residency: AWS (public-facing services), Hetzner (bare metal servers). Full details on the Subprocessors page.
This addendum covers website data only. Data processing terms for service engagements (penetration testing, DFIR, SOC, compliance advisory, and other professional services) are governed by the applicable engagement agreement and negotiated directly with clients.
1. Data We Collect
Through the website we collect only what you actively provide:
- Contact & lead forms — name, work email address, and the message or enquiry you submit.
- Server access logs — IP address, user-agent, and timestamp, retained automatically by the cloud provider for security and abuse-prevention purposes.
We set no cookies, use no analytics, and deploy no tracking pixels or fingerprinting. See our Privacy Policy for full details.
2. Purpose & Legal Basis
Form data is processed to respond to your enquiry and, where applicable, to take pre-contractual steps at your request — legal basis: Article 6(1)(b) GDPR (performance of a contract / pre-contractual steps).
Server access logs are processed to ensure the security and integrity of the website — legal basis: Article 6(1)(f) GDPR (legitimate interests).
We do not use website data for marketing, profiling, or any purpose beyond responding to your enquiry and securing the site.
3. Subprocessors
Two subprocessors, both with EU data residency: Amazon Web Services (public-facing services — Frankfurt, eu-central-1) and Hetzner (bare metal servers — Germany). Each is bound by a GDPR Art. 28 Data Processing Addendum. See the subprocessors page for details.
4. Security Measures
- All data in transit encrypted with TLS 1.2+; data at rest encrypted.
- Access to form submission data restricted to named personnel on a need-to-know basis.
- MFA enforced on all systems with access to website data.
- Server access logs stored in isolated logging infrastructure with restricted access.
- Secure deletion applied when retention periods expire.
5. Retention & Deletion
Form submission data is retained for up to 12 months from receipt, or for as long as necessary to respond to your enquiry or fulfil pre-contractual obligations, whichever is shorter. If an engagement proceeds, data may be retained for the duration of the contractual relationship and as required by law thereafter.
Server access logs are retained for up to 90 days and then securely deleted.
To request early deletion of your data, contact privacy@grillisecurity.com.
6. Data Subject Rights
Under GDPR you have the right to access, rectify, erase, and restrict the processing of your personal data, and to object to processing that is based on legitimate interests. The right to portability (Art. 20) applies to form data processed under Art. 6(1)(b) but not to server access logs processed under legitimate interests. To exercise any right, contact privacy@grillisecurity.com. We will respond within 30 days.
You may also lodge a complaint with your local supervisory authority. EEA residents may contact the Estonian Data Protection Inspectorate (our lead supervisory authority) or their own national authority.
7. Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and inform affected individuals without undue delay where required by applicable law.
Notifications will describe the nature of the breach, likely consequences, and measures taken or proposed to address it.
8. International Transfers
All website and backend data is stored and processed in the EU. Both subprocessors — AWS and Hetzner — are configured with EU data residency. No personal data is routinely transferred outside the EEA.
9. Service Engagement DPAs
This document covers website data only. If you engage Grilli OÜ for professional services — penetration testing, DFIR, SOC monitoring, compliance advisory, or any other service — data processing terms for that engagement are agreed separately as part of the engagement agreement.
To request a Data Processing Addendum for a service engagement, contact privacy@grillisecurity.com.
10. Governing Law
This addendum is governed by the laws of Estonia and the applicable provisions of the GDPR. Disputes are subject to the jurisdiction of Estonian courts, without prejudice to your right to lodge a complaint with a supervisory authority.
Contact
Data protection enquiries, rights requests, or questions about this addendum: privacy@grillisecurity.com. See also our Privacy Policy and Subprocessors.
