
DATA PROCESSING ADDENDUM FOR GROQCLOUD SERVICES

Effective: October 15, 2025


This Data Processing Addendum (“DPA”) is incorporated into and made part of the Groq Services Agreement between the Groq Contracting Party and Customer (“Services Agreement”) for use of Groq’s Cloud Services. Unless otherwise defined in this DPA, capitalized terms will have the meaning given to them in the Services Agreement. References to “Agreement” in this DPA will include both the Services Agreement and this DPA. In the event of any conflict between these documents as to the subject matter of this DPA, the following order of precedence applies (in descending order): (a) the Standard Contractual Clauses as provided in this DPA; (b) the body of the DPA; (c) any documents attached to the DPA; and (d) the Services Agreement.

1. Definitions

For purposes of this DPA:

1.1 "Controller," (which will include the term "Business", where applicable) "Business," and "Processor" (which will include the term "Service Provider", where applicable) (or equivalent terms) have the meanings set forth under Data Protection Laws.


1.2 "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.


1.3 "Data Protection Laws" means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, and breach notification that apply to Groq’s Processing of Personal Data, including, without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and any associated regulations and amendments, including the California Privacy Rights Act amendments (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the United Kingdom Data Protection Act of 2018 (“UK GDPR”); and the Personal Data Protection Law in the Kingdom of Saudi Arabia promulgated by Royal Decree No. M/19 dated 9/2/1443H (corresponding to 16 September 2021) and amended pursuant to Royal Decree No. M/148 dated 5/9/1444H (corresponding to 27 March 2023) (“PDPL”).


1.4 "Data Subject" means an identified or identifiable natural person about whom Personal Data relates (or equivalent term under Data Protection Laws).


1.5 "EU SCCs" means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, and completed as specified in Section 8 (International Data Transfers) below.


1.6 "KSA C2P Clauses" means the Standard Contractual Clauses for Personal Data Transfer issued by the Saudi Data & AI Authority pursuant to the PDPL, specifically including the Second Template (Controller to Processor), as amended, updated or replaced from time to time.


1.7 "Personal Data" means any “personal data,” “personal information,” “personally identifiable information,” or equivalent terms (as defined under Data Protection Laws) included within any Customer Data that is Processed by Groq in connection with providing the Cloud Services under the Services Agreement.


1.8 "Process" and "Processing" have the meaning under Data Protection Laws or, where not so defined, mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.


1.9 “Subprocessor” means any third party that Groq engages to Process Personal Data in connection with providing the Cloud Services.

2. Scope And Purposes Of Processing

2.1 Depending on the applicable Data Protection Laws, Customer is a Controller or Processor and Groq is a Processor or sub-Processor with respect to Groq's Processing of Personal Data to provide the Cloud Services under the Agreement. This DPA applies to Groq's Processing of Personal Data on Customer's or Customer Affiliate's behalf (as applicable) for the provision of the Cloud Services as specified in the Services Agreement.


2.2 The scope, nature, purposes, and duration of the processing, the types of Personal Data Processed, and the Data Subjects concerned are as described in this DPA, including its Schedule A (Details of Processing).


2.3 Groq will Process Personal Data only: (a) to provide, maintain, and support the Cloud Services and fulfill its obligations to Customer under the Agreement; (b) on Customer's behalf in compliance with Customer's documented instructions; and (c) as required by Data Protection Laws (however, Groq will inform Customer of the legal requirement before processing for that purpose unless the applicable law prohibits such notice). Groq will not "sell" or "share" (as such terms are defined in Data Protection Laws) Personal Data, or otherwise Process Personal Data for any purpose: (x) other than for the specific purposes described in this DPA, or (y) outside of the direct business relationship with Customer. Groq will not attempt to re-identify de-identified data except as permitted by Data Protection Laws.


2.4 Customer will ensure that: (a) all such notices have been given, and all such authorizations have been obtained, as required under Data Protection Laws, for Groq (and its Affiliates and Subprocessors) to Process Personal Data as contemplated by the Agreement; (b) it has complied, and will continue to comply, with all Data Protection Laws applicable to it; and (c) it has, and will continue to have, the right to transfer, or provide access to, Personal Data to Groq for Processing in accordance with the terms of the Agreement.


2.5 For Customers domiciled in the Kingdom of Saudi Arabia, to the extent Groq is also subject to Data Protection Laws in other jurisdictions, it will use commercially reasonable efforts to ensure that its compliance with such other Data Protection Laws does not prevent it from meeting its obligations under the PDPL in relation to its Processing of Customer Personal Data under the Agreement.

3. Personal Data Processing Requirements

Groq will:

3.1 Ensure that the employees, contractors, and any other persons it authorizes to Process Personal Data are subject to confidentiality obligations regarding such activity or are under an appropriate statutory obligation of confidentiality.


3.2 Promptly notify Customer of: (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government request for access to or information about Groq's Processing of Personal Data on Customer's behalf, unless prohibited by applicable laws. Groq will provide Customer with commercially reasonable cooperation and assistance in relation to any such request. If Groq is prohibited by applicable laws from disclosing the details of a government request to Customer, Groq does not require the prior consent of the Customer or any Data Subject for mandatory disclosures of Personal Data under applicable laws, but Groq will use reasonably available legal mechanisms to challenge any demands for data access through the applicable government process that it receives, as well as any attached non-disclosure provisions.


3.3 Provide commercially reasonable assistance to and cooperation with Customer for Customer's performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by Data Protection Laws.


3.4 Provide commercially reasonable assistance and cooperation to Customer for Customer's consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data where required by Data Protection Laws, including complying with any obligation applicable to Groq under Data Protection Laws to consult with a regulatory authority in relation to Groq's Processing or proposed Processing of Personal Data.


3.5 Comply with the CCPA's restrictions applicable to Processors regarding combining Personal Data with personal data received from, or on behalf of, another person or persons.


3.6 Comply with the CCPA in connection with its role as Processor, including by providing the same level of privacy protection as required by the CCPA.


3.7 Promptly notify Customer if it determines that it can no longer meet its obligations under this DPA or Data Protection Laws.

4. Data Subject Requests

4.1 If Groq receives a direct request from a Data Subject regarding rights under Data Protection Laws, Groq will direct the Data Subject to Customer for further processing of the request. Groq will provide commercially reasonable assistance to Customer in fulfilling its obligations under Data Protection Laws to respond to Data Subject requests by following the process outlined in Section 4.2.


4.2 If Customer receives a request or inquiry from a Data Subject related to Personal Data Processed by Groq, Customer will: (a) first access its Cloud Services containing Personal Data to address the request or inquiry itself; and (b) to the extent Customer is not able to fulfill the request itself through such access, contact Groq customer support for additional assistance to enable Customer to address the request or inquiry.

5. Data Security

5.1 Groq will implement appropriate administrative, technical, physical, and organizational measures designed to protect Personal Data based on the type and sensitivity of the Personal Data Processed. Details regarding the specific security measures that apply to the Cloud Services are as described in Annex II of Schedule A (Details of Processing) below. Customer acknowledges that Groq's security measures are subject to technical progress and development and that Groq may update or modify these measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Cloud Services purchased by Customer.


5.2 Customer will be responsible for properly implementing access and use controls and configuring certain features and functionalities of the Cloud Services that Customer may elect to use and agrees that it will do so in accordance with the Agreement in such manner that Customer deems adequate, including, without limitation, maintaining appropriate security, protection, deletion, and backup of its own Personal Data.

6. Data Breach

Groq will notify Customer without undue delay, but in any event within 72 hours after becoming aware of any Data Breach and will assist Customer in Customer's compliance with its Data Breach notification-related obligations under Data Protection Laws, including, without limitation, by:

6.1 Taking commercially reasonable steps to mitigate the effects of the Data Breach and reduce the risk to Data Subjects whose Personal Data was involved; and


6.2 Providing Customer with the following information, to the extent known:


6.2.a The nature of the Data Breach, including, where possible, how the Data Breach occurred, the potential categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;


6.2.b The likely consequences of the Data Breach; and


6.2.c Measures taken or proposed to be taken by Groq to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects and causes.


6.3 Groq's obligation to report a Data Breach under this DPA is not and will not be construed as an acknowledgement by Groq of any fault or liability of Groq with respect to such Data Breach. Customer is solely responsible for determining whether to notify impacted Data Subjects and for providing such notice, and for determining whether relevant supervisory authorities need to be notified of a Data Breach as may be required for Customer's own business and compliance.

7. Subprocessors

7.1 Customer provides general authorization for Groq to use Subprocessors to Process Personal Data in accordance with the provisions within this DPA and Data Protection Laws. Where Groq subcontracts any of its rights or obligations concerning Personal Data, Groq will remain liable for the performance of all its obligations under this DPA, whether or not performed by Groq, its Affiliates or Subprocessors.


7.2 Groq's Subprocessor list is available at https://trust.groq.com/subprocessors (the "Subprocessor List"). Groq will maintain an up-to-date Subprocessor List. If Customer subscribes to email notifications as provided on the Subprocessor List website, then Groq will notify Customer of any changes Groq intends to make to the Subprocessor List at least 15 days before the changes take effect, which may be via email, a posting on the Subprocessor List website, or notification in Console or other reasonable means. Customer may object in writing to the appointment of a new Subprocessor within 15 days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, Groq will use commercially reasonable efforts to make available to Customer a change in the Cloud Services or recommend a commercially reasonable change to Customer's use of the Cloud Services to avoid Processing of Personal Data by the objected-to Subprocessor without a material change to Customer's use of the affected Cloud Services. Customer may, in its sole discretion, suspend or terminate the affected Cloud Services in the event that Groq is not able to provide a commercially reasonable change to cure Customer's Subprocessor objection.

8. International Data Transfers

8.1 Groq may transfer and Process Personal Data to and in the United States and other countries where Groq or its Subprocessors maintain Processing operations. Where Groq engages in an onward transfer of Personal Data, Groq will ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.


8.2 To the extent legally required, by entering into the Agreement, Customer and Groq are deemed to have signed the EU SCCs, which form part of this DPA and will be deemed completed as follows:


8.2.a Module 2 of the EU SCCs applies to transfers of Personal Data from Customer (as a Controller) to Groq (as a Processor) and Module 3 applies to transfers of Personal Data from Customer (as a Processor) to Groq (as a sub-Processor);


8.2.b Clause 7 (the optional docking clause) does not apply;


8.2.c Under Clause 9 (Use of Subprocessors), the Parties select Option 2 (General written authorization);


8.2.d Under Clause 11 (Redress), the optional language will not be deemed to be included;


8.2.e Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland;


8.2.f Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;


8.2.g Annex I(A) and I(B) (List of Parties) is completed as described in Schedule A;


8.2.h Under Annex I(C) (Competent supervisory authority), the Parties will follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission;


8.2.i Annex II (Technical and organizational measures) is completed as provided in Annex II of Schedule A; and


8.2.j Annex III (List of Subprocessors) is completed by the information available at https://trust.groq.com/subprocessors.


8.3 For transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU SCCs (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) ("UK SCCs") forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision will mean the definitions in the UK SCCs. The UK SCCs will be deemed complete as follows: (a) the Parties' details will be the Parties and their affiliates to the extent any of them are involved in such transfer; (b) the Key Contacts will be the contacts specified in the Services Agreement; (c) the Approved EU SCCs referenced in Table 2 will be the EU SCCs as executed by the Parties; (d) either Party may end this DPA as set out in Section 19 of the UK SCCs; and (e) by entering into the Agreement, the Parties are deemed to be signing the UK SCCs.


8.4 For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as stated in Section 8.2 of this DPA, but with the following differences, to the extent required by the FADP: (a) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (b) the term "Member State" in EU SCCs will not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (c) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).


8.5 For transfers of Personal Data that are subject to the PDPL, Groq will comply with the data importer's obligations set out in the KSA C2P Clauses, which are incorporated into and form part of this DPA, and (a) for the purposes of Appendix 1 of such KSA C2P Clauses, the details of the parties are set out in the Order Form; the data exporter is a controller and the data importer is a processor, and the signature(s) (in any form) given in connection with the execution of the Order Form by a party and the dates of such signature(s) apply as the dated signature required from that party; (b) for the purposes of Appendix 2 of such KSA C2P Clauses, the details of processing are described in Annex I (Details of Processing) of this DPA; and (c) for the purposes of Appendix 3 of such KSA C2P Clauses, the technical and organisational security measures are set out in Annex II (Technical and Organisational Measures) of this DPA. Customer will take all actions necessary to comply with its obligations under PDPL as a data exporter, including, where applicable, satisfying a permitted purpose and conditions prescribed under law, conducting a transfer risk assessment, and putting in place appropriate measures to mitigate the risks identified during the course of any such assessment.

9. Audits

To the extent required by Data Protection Laws, Groq will make available such information reasonably necessary to confirm Groq’s compliance with this DPA (e.g., SOC 2 or similar audit reports issued by a qualified third-party auditor, “Audit Report”). Except as provided otherwise in the Services Agreement regarding audits, if Customer has a reasonable basis to conclude that an Audit Report provided by Groq is not sufficient to confirm such compliance, Customer may, at Customer’s sole expense, upon 30 days’ prior written notice and subject to a mutually agreed upon date and time, request an audit during normal business hours of those Groq systems and records relevant to Groq’s Processing of Personal Data on Customer’s behalf. Customer will limit its exercise of audit rights to not more than once in any 12 calendar month period, except in the event of a Data Breach, following which Customer may exercise its audit right even if one has already been performed in the prior 12-month period. Any Audit Report or other results of audits undertaken in connection with this DPA will be deemed the Confidential Information of Groq.

10. Destruction Or Retrieval Of Personal Data

Prior to termination or at termination of the Services Agreement, Customer may request Groq to promptly delete all Personal Data in its possession or control as soon as reasonably practicable and within a maximum period of 180 days, except that this requirement will not apply to the extent that Groq is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Groq will securely isolate and protect from any further processing, except to the extent required by applicable law.

11. Miscellaneous Provisions

11.1 Notwithstanding anything else to the contrary in the Services Agreement, Groq reserves the right to make any modification to this DPA as may be required to comply with Data Protection Law so long as any such modification will not degrade any service functionalities or safeguards associated with providing the Cloud Services.


11.2 Any claims brought under this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations specified in the Services Agreement.


11.3 This DPA will remain in force and effect through the term of the Services Agreement, or for as long as Groq is Processing Personal Data subject to this DPA, whichever is longer.


Schedule A – Details of Processing

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

The exporter (Controller) is Customer and Customer’s contact details are as provided in the Services Agreement. Customer’s electronic acceptance of the Services Agreement constitutes Customer’s signature to the DPA.


Data importer(s):

The importer (Processor) is the Groq Contracting Party specified in the Services Agreement.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Any data subjects whose Personal Data is contained in Data Exporter’s data being processed by the Cloud Services, as set out in the Services Agreement which describes the provision of Cloud Services to Customer, including Customer’s Authorized Users.


Categories of personal data transferred:

Any Personal Data incorporated within Customer Data (as determined by Customer), including such data inputted by Customer when it uses the Cloud Services, and any Personal Data in the generated output (Input and Output as defined in the Services Agreement).


Sensitive data transferred (if applicable): Any Personal Data may include sensitive personal data or special categories of personal data (as defined under applicable Data Protection Laws) as incorporated within Customer Data (as determined by Customer). The restrictions and safeguards specified in Annex II apply to these categories of Personal Data (if any).


The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

On a continuous basis as needed to provide the Cloud Services to Customer for the term of the Services Agreement.


Nature of the processing:

The nature of the Processing is set out in the Services Agreement.


Purpose(s) of the data transfer and further processing:

The purposes of the data transfer are for Groq to provide the Cloud Services to Customer under and in accordance with the Agreement.


The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.


For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

See https://trust.groq.com/subprocessors for a list of Groq’s Subprocessors and the nature of the services they provide. All transfers will last for the duration of the Agreement between the Parties.


C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:


The Data Exporter’s competent supervisory authority will be determined in accordance with Data Protection Law and, where possible, will be the Irish Data Protection Commissioner.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

INTRODUCTION

Groq maintains an information security program designed to safeguard its systems, data, and Customer Data. This Annex II describes the information security program and security standards that Groq maintains with respect to the Cloud Services and Customer Data. Capitalized terms not defined in this Annex II have the meanings given in the DPA or Services Agreement. To learn more about Groq’s technical and organizational security measures to protect Customer Data, also see Groq’s Trust Center at https://trust.groq.com. The Security Measures below include a subset of the information available on the Groq Trust Center, which applies to this DPA.

SECURITY MEASURES

Corporate Identity, Authentication, and Authorization Controls. Groq maintains the following measures designed for authenticating and authorizing internal employee and service access:

  • Groq uses single sign-on (SSO) to authenticate to third-party services used in the delivery of the Cloud Services. Role Based Access Controls (RBAC) are used when provisioning internal access to the Cloud Services;
  • Mandatory multi-factor authentication is used for authenticating to Groq’s identity provider;
  • Unique login identifiers are assigned to each user;
  • Established review and approval processes for any access requests to services storing Customer Data;
  • Quarterly access audits designed to ensure access levels are appropriate for the sensitive roles;
  • Established procedures for promptly revoking access rights upon employee separation;
  • Established procedures for reporting and revoking compromised credentials such as passwords and API keys; and
  • Established password reset procedures, including procedures designed to verify the identity of a user prior to a new, replacement, or temporary password.

Customer Identity, Authentication, and Authorization Controls. Groq maintains the following measures designed for authenticating and authorizing customers to the Cloud Services:

  • Use of a third-party identity access management service to manage Customer identity, meaning Groq does not store user-provided passwords on the users’ behalf; and
  • Logically separating Customer Data by organization account using unique identifiers.

Within an organization account, unique user accounts are supported.


Cloud Infrastructure and Network Security. Groq maintains the following measures designed for securing and operating its cloud infrastructure:

  • Primary backend resources are deployed behind Zero Trust Network Access (ZTNA) solutions;
  • The Cloud Services are routinely audited for security vulnerabilities;
  • Application secrets and service accounts are managed by a secrets management service;
  • Network security policies and firewalls are configured for least-privilege access against a pre-established set of permissible traffic flows. Non-permitted traffic flows are blocked; and
  • Cloud Services logs are monitored for security and availability.

System and Workstation Control. Groq maintains the following measures designed for securing its corporate systems, including laptops and on-premises infrastructure:

  • Endpoint management of corporate workstations and devices;
  • Automatic application of security configurations to workstations;
  • Mandatory patch management;
  • Malware and anti-virus detection and alerting; and
  • Maintaining appropriate security logs.

Data Access Control. Groq maintains the security measures designed for preventing Authorized Users from accessing data beyond their authorized access rights and for preventing the unauthorized input, reading, copying, removal, modification, or disclosure of data. Such measures include the following:

  • Employee access to the Cloud Services follows the principle of least privilege. Only employees whose job function involves supporting the delivery of Cloud Services are credentialed to the Cloud Services environment; and
  • Customer Data submitted to the Cloud Services is only used in accordance with the terms of the Agreement, and any other applicable contractual agreements in place with Customer.

Disclosure Control. Groq maintains the following measures designed for preventing the unauthorized access, alteration, or removal of data during transfer, and for securing and logging all transfers:

  • Encryption of data at rest in production datastores using strong encryption algorithms;
  • Encryption of data in transit;
  • Audit trail for all data access requests for production datastores;
  • Full-disk encryption required on all corporate workstations; and
  • Device management controls required on all corporate workstations.

Availability control. Groq maintains the following measures designed for maintaining Cloud Services functionality through accidental or malicious intent:

  • Ensuring that systems may be restored in the event of an interruption;
  • Ensuring that systems are functioning and faults are reported; and
  • Anti-malware and intrusion detection/prevention solutions implemented comprehensively across our environment.

Segregation control. Groq maintains the following measures designed for separate processing of data collected for different purposes:

  • Logical segregation of Customer Data;
  • Restriction of access to data stored for different purposes according to staff roles and responsibilities; and
  • Segregation of business information system functions.

Risk Management. Groq maintains the following measures designed for detecting and managing cybersecurity risks:

  • Threat modeling to document and triage sources of security risk for prioritization and remediation;
  • Penetration testing is conducted on the Cloud Services at least annually, and any remediation items identified are resolved as soon as possible on a timetable commensurate with the associated risk;
  • Annual engagements of a qualified, independent external auditor to conduct periodic reviews of Groq’s security practices against recognized audit standards, including SOC 2 Type II certification audits. Upon reasonable request, Groq will provide summary details; and
  • A vulnerability management program designed to ensure the prompt remediation of vulnerabilities affecting the Cloud Services.

Personnel. Groq maintains the following measures designed for vetting, training, and managing personnel with respect to security matters:

  • Annual security training for employees, and supplemental security training as appropriate; and
  • Appropriate employee background screening, including criminal background checks.

Physical Access Control. Groq maintains the following measures designed for preventing unauthorized physical access to Groq facilities:

  • Physical barrier controls including locked doors and gates;
  • 24-hour video surveillance and alarm systems, including video surveillance of facility entrance and exit points; and
  • Logging of facility exits and entries.

Third Party Risk Management. Groq maintains the following measures designed for managing third party security risks, including with respect to any Subprocessor or subcontractor to whom Groq provides Customer Data:

  • Written contracts designed to ensure that any agent agrees to maintain reasonable and appropriate safeguards to protect Customer Data; and
  • Vendor Security Assessments: all third party subprocessors undergo a formal security assessment process by Groq’s Security team.

Security Incident Response. Groq maintains a security incident response plan designed for responding to and resolving events that compromise the confidentiality, availability, or integrity of the Cloud Services or Customer Data including the following:

  • Groq aggregates system logs for security and general observability from a range of systems to facilitate detection and response; and
  • If Groq becomes aware that a Data Breach has occurred, Groq will notify Customer in accordance with the DPA.

Security Evaluations. Groq performs regular security and vulnerability testing to assess whether key controls are implemented properly and are effective as measured against requirements under Data Protection Law and its policies and procedures and designed to ensure continued compliance with obligations imposed by law, regulation, or contract with respect to the security of Customer Data as well as the maintenance and structure of Groq’s information systems.
