
Overview

Grain Analytics is built privacy-first with enterprise-grade security and compliance features. We’re GDPR and CCPA compliant by design, with transparent data handling and flexible consent management.

Data Residency

Current Infrastructure

All Grain Analytics data is stored in EU data centers by default:
  • Primary Region: Europe (West) – Frankfurt, Germany (Azure westeurope)
  • Architecture: Dual-plane storage with Cassandra (management) + ClickHouse (analytics)
  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Replication: Multi-node with cross-region backup
US Company, EU Storage: Xreos (Grain Analytics) is a US-based company that stores all analytics and configuration data in EU data centers to provide GDPR-compliant infrastructure by default.

Upcoming Regions

US (East) – Virginia is planned for January 2026, providing US-based data residency for teams that require it. Region selection will be available during tenant creation.
Need US data residency sooner? Contact us at [email protected] to join the early access waitlist.

Privacy Features

Cookieless by Default

Until consent is granted, Grain uses ephemeral session IDs held in memory only:
  • Before consent: No cookies, no persistent IDs, minimal data (page path, timestamp)
  • After consent: Persistent user ID in localStorage/cookie for cross-session tracking
  • Explicit consent: Users must opt in to persistent tracking (opt-in mode) or can opt out (opt-out mode)
Three consent modes to fit your compliance needs:
| Mode | Description | Use Case |
| --- | --- | --- |
| Opt-In | GDPR strict – explicit consent required | EU users, strict compliance |
| Opt-Out | Track by default, opt-out available | US users, CCPA compliance |
| Disabled | No consent management | Internal tools, non-regulated |

const grain = createGrainAnalytics({
  tenantId: 'your-tenant-id',
  consentMode: 'opt-in',  // or 'opt-out', 'disabled'
  waitForConsent: true
});

// Grant consent
grain.grantConsent(['necessary', 'analytics']);

// Revoke consent
grain.revokeConsent();

Data Minimization

Before consent is granted (opt-in mode):
  • Ephemeral session IDs (memory-only, not persisted)
  • Page path only (query params stripped to prevent PII leakage)
  • Timestamp and basic metadata
  • No cookies or localStorage

IP Anonymization

Optional IP masking removes the last octet before storage:
192.168.1.xxx → 192.168.1.0
Enable in your dashboard under Privacy Settings.

Data Retention

Configurable retention periods from 30 to 365 days:
  • Automatic deletion: TTL-based pruning after retention period
  • Export before deletion: Download user data before it’s purged
  • Compliance-friendly: Meets GDPR data minimization requirements

User Rights (GDPR/CCPA)

Right to Access (GDPR Article 15)

Export all data for a specific user:
curl -X GET https://api.grainql.com/v1/privacy/{tenantId}/export-user/{userId} \
  -H "X-API-Key: YOUR_SECRET_KEY"
Returns JSON with all events, properties, and consent history.

Right to Erasure (GDPR Article 17)

Delete all data for a specific user:
curl -X POST https://api.grainql.com/v1/privacy/{tenantId}/data-deletion \
  -H "X-API-Key: YOUR_SECRET_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "userId": "user_123",
    "deleteEvents": true,
    "deleteProperties": true
  }'

Right to Anonymization

Replace user ID with an anonymized UUID while preserving aggregated analytics:
curl -X POST https://api.grainql.com/v1/privacy/{tenantId}/anonymize-user \
  -H "X-API-Key: YOUR_SECRET_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "userId": "user_123",
    "anonymizeEvents": true,
    "anonymizeProperties": true
  }'

Data Processors

Grain uses the following third-party processors:
| Processor | Purpose | Data Access | Region | Compliance |
| --- | --- | --- | --- | --- |
| Azure | Cloud infrastructure | All data (encrypted) | Germany (westeurope) | ISO 27001, SOC 1/2/3, GDPR |
| Auth0 | Authentication | Email, name, login timestamps | US/EU | SOC 2 Type II, ISO 27001, GDPR |
| Cloudflare | CDN, DDoS protection | IP addresses (anonymized) | Global edge | ISO 27001, SOC 2, GDPR |
| AWS SES | Transactional email | Email addresses (transient) | EU (Ireland) | ISO 27001, SOC 1/2/3, GDPR |
| Stripe | Payment processing (optional) | Billing info (tokenized) | US/EU | PCI DSS Level 1, SOC 2, GDPR |
| Intercom | Customer support (optional) | Name, email, conversations | US/EU | SOC 2 Type II, ISO 27001, GDPR |

Subprocessor Changes: We provide 30-day advance notice for changes to our subprocessor list. Enterprise customers can object to new subprocessors.

Compliance Certifications

  • GDPR: Full compliance with data minimization, consent, user rights, and breach notification
  • CCPA: Right to know, delete, opt-out, and non-discrimination
  • SOC 2 Type II: (via Azure and Auth0 infrastructure)
  • ISO 27001: (via Azure and Auth0 infrastructure)

Security Measures

Network Security

  • TLS 1.3: Enforced on all public endpoints
  • DDoS Protection: Cloudflare WAF with automatic mitigation
  • Rate Limiting: Plan-based API rate limits

Application Security

  • JWT Validation: Auth0 issuer and audience validation
  • Secret Hashing: SHA-256 for API keys
  • RBAC: Role-based access control per tenant

Database Security

  • Encryption at Rest: AES-256 (Azure-managed)
  • Encryption in Transit: TLS 1.3
  • Network Isolation: No public database exposure
  • Tenant Isolation: UUID-based partitioning

Incident Response

Notification Timeline

| Severity | Internal | Customer | Regulatory (GDPR) |
| --- | --- | --- | --- |
| Critical (data breach) | Immediate | 24-48 hours | 72 hours to supervisory authority |
| High (partial outage) | 4 hours | 12-24 hours | N/A unless personal data affected |
| Medium (degradation) | 12 hours | Proactive update | N/A |

Contact

Dashboard Privacy Controls

Manage all privacy settings from your dashboard at grainql.com/dashboard/privacy:
  • Consent Mode: Configure opt-in, opt-out, or disabled
  • Data Retention: Set auto-deletion period (30-365 days)
  • IP Anonymization: Enable/disable IP masking
  • Cookie Controls: Manage cookie consent requirements
  • User Data Tools: Export, anonymize, or delete user data
  • Consent Audit: View full audit trail of consent events

Implementation

See the Installation Guide - Privacy & GDPR section for code examples and best practices.
