Subprocessors
Two subprocessors, both with EU data residency. Each is bound by a GDPR Art. 28 Data Processing Addendum. Engagement-specific subprocessors, where they exist, are disclosed in the applicable Statement of Work.
Public-facing services — static website hosting, CDN delivery, DNS.
CDN access logs (IP, user-agent, timestamp). Static website assets.
EU (Frankfurt — eu-central-1).
AWS GDPR DPA. SOC 2, ISO/IEC 27001/27017/27018, BSI C5.
Bare metal server provider — production backend and engagement infrastructure.
Form submissions in transit. Application and server logs.
EU (Germany).
ISO/IEC 27001-certified. GDPR Art. 28 DPA.
On-premises infrastructure
For engagements requiring maximum privacy — including classified research, ultra-sensitive incident response, and work under strict data-residency or air-gap requirements — Grilli OÜ (private limited company, registered in Estonia) operates dedicated on-premises servers and equipment owned and controlled exclusively by us. No third-party cloud infrastructure is involved in these engagements: data is processed and stored entirely within our own facilities, with no external subprocessors in scope.
Clients requiring an on-premises engagement model can request this explicitly in their Statement of Work. Contact privacy@grillisecurity.com for details.
Engagement-specific subprocessors
Where a specific service engagement requires additional subprocessors beyond those listed above (for example, a specialist forensic tooling provider, or a regional legal counsel), they are disclosed in the Statement of Work and require client written approval before any personal data is shared with them.
Change notification
We will update this page and notify affected Customers at least 30 days before adding or replacing a subprocessor, as required by our DPA. The effective date of any change will be noted here.
Objection process
Customers with a signed DPA may object to a new or replacement subprocessor within 30 days of notification by contacting privacy@grillisecurity.com. We will work with you in good faith to resolve the objection.
For data-protection enquiries, contact privacy@grillisecurity.com. See also our Privacy Policy and Data Processing Addendum.
