Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the Grantio Terms of Service (“Terms”) when Grantio processes personal data on behalf of your organization in connection with the Service. It describes how we act as a processor, the safeguards we apply, and where to find subprocessors and transfer mechanisms.

Effective as of Apr 15, 2026

1. Introduction

(A) In providing the Service under the Terms, Grantio will process certain personal data on your behalf. This DPA, including the appendices below, forms part of the agreement between you and Grantio and applies when you use the Service as or on behalf of an organization (the “Customer”).

(B) For personal data for which the Customer determines the purposes and means of processing, the Customer is the controller (or, where the Customer processes personal data on behalf of a third party, a processor) and Grantio is a processor (or sub-processor, as applicable). For personal data that each party processes for its own purposes (for example, account administration, billing, or security telemetry about our infrastructure), each party is an independent controller.

Capitalized terms used in this DPA and not defined here have the meanings in the Terms or in applicable data protection law (including the GDPR and UK GDPR, collectively “Data Protection Laws” where applicable).

2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person, within the scope of Data Protection Laws.
  • “Customer Personal Data” means Personal Data processed by Grantio on behalf of the Customer in connection with the Service, as described in Appendix 1.
  • “Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
  • “Subprocessor” means a third party engaged by Grantio to process Customer Personal Data on Grantio’s behalf.

3. Customer responsibilities

The Customer warrants and agrees that:

  • It has the authority to enter into this DPA and to instruct Grantio to process Customer Personal Data as contemplated by the Service.
  • It is solely responsible for the lawfulness of the processing of Customer Personal Data, including providing any required notices to data subjects and obtaining any required consents or other lawful bases.
  • It will not instruct Grantio to process Customer Personal Data in a way that violates Data Protection Laws.
  • It has reviewed Grantio’s security practices at a high level (including our Privacy Policy) and considers them appropriate for the nature of the processing.

4. Grantio obligations

Grantio will process Customer Personal Data only on documented instructions from the Customer, including as described in the Terms and Appendix 1, unless applicable law requires otherwise (in which case Grantio will, to the extent permitted, inform the Customer of that requirement before processing).

Grantio will:

  • Ensure that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organizational measures as described in Appendix 2, taking into account the state of the art, cost, and risks of processing.
  • Engage Subprocessors only under a written agreement that imposes data protection obligations materially no less protective than those in this DPA, and remain responsible for Subprocessors’ performance of those obligations.
  • Assist the Customer, taking into account the nature of the processing, in responding to requests from data subjects exercising rights under Data Protection Laws, and in meeting the Customer’s obligations regarding data protection impact assessments and prior consultation with supervisory authorities, where applicable.
  • Notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide information reasonably available to help the Customer meet any notification obligations.
  • At the end of the Service relationship, at the Customer’s choice, delete or return Customer Personal Data in accordance with the Terms and our technical capabilities, unless applicable law requires retention.
  • Make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits conducted by the Customer or its auditor, subject to reasonable notice, confidentiality obligations, no more than once per twelve months except where required by law or a supervisory authority, and in a manner that does not compromise the security or confidentiality of other customers.

5. Subprocessors

The Customer grants general authorization for Grantio to use the Subprocessors listed in section 4 of our Privacy Policy, as updated from time to time. Grantio will publish changes to that list in advance (for example, by posting an updated disclosure at least thirty (30) days before a new Subprocessor processes Customer Personal Data, except where a shorter period is necessary for security or legal reasons). The Customer may object to a new Subprocessor on reasonable data-protection grounds by contacting us within that notice period; if the parties cannot resolve the objection, either party may terminate the affected portions of the Service as described in the Terms.

6. International transfers

Where Customer Personal Data is transferred from the European Economic Area, Switzerland, or the United Kingdom to countries not recognized as providing an adequate level of protection, Grantio will ensure appropriate safeguards in accordance with Data Protection Laws. Unless another valid mechanism applies, the parties agree that the standard contractual clauses approved by the European Commission (Implementing Decision (EU) 2021/914), as updated or replaced (“EU SCCs”), shall apply as follows: Module Two (controller to processor) or Module Three (processor to processor), as applicable, with the Customer as data exporter and Grantio as data importer, and Appendix 1 to this DPA supplies the information required by Annex I and II of the EU SCCs. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (version B1.0, as issued by the ICO) shall apply and form part of this DPA.

Execution of an order, subscription, or online acceptance of the Terms that reference this DPA constitutes signature of the EU SCCs and UK Addendum as incorporated herein.

7. Term

This DPA remains in effect for as long as Grantio processes Customer Personal Data on behalf of the Customer. Sections intended to survive (including deletion or return of data, confidentiality, and liability limits in the Terms where applicable) survive termination or expiry of the Service.

Appendix 1: Processing details

The following describes the processing carried out under this DPA for the EU SCCs and UK Addendum where applicable.

A. List of parties

Data exporter

  • Name: The Customer (legal entity using the Service)
  • Address: As provided in the Customer’s account or order
  • Role: Controller (or processor, if the Customer processes on behalf of a third party)

Data importer

  • Name: Grantio, Inc.
  • Address: United States — contact details via Contact
  • Role: Processor

B. Processing activities

  • Subject matter: Provision of the Grantio grant lifecycle platform (discovery, applications, awards, reporting, and related collaboration features).
  • Duration: For the term of the Customer’s use of the Service, plus any period required to delete or return data or comply with law.
  • Nature and purpose: Hosting, storage, authentication, access control, support, backups, logging for security and reliability, and processing necessary to operate features the Customer enables (including notifications and integrations configured by the Customer).
  • Categories of data subjects: The Customer’s employees, contractors, collaborators, and other individuals the Customer invites to the workspace; individuals identified in content the Customer chooses to upload (for example, names in applications or reports).
  • Types of Personal Data: Identifiers and contact data (such as name, email, organization); account and profile data; authentication identifiers; content the Customer submits to the Service (which may include free-text fields relating to grants, programs, or individuals); technical and usage data tied to accounts (such as IP address, device/browser metadata, and audit logs).
  • Special categories: The Service is not intended for processing special categories of personal data or similarly sensitive data. The Customer should not submit such data unless it has established a lawful basis and instructions agreed with Grantio in writing.

Appendix 2: Technical and organizational measures

Grantio implements administrative, technical, and organizational safeguards appropriate to the risk, including measures such as:

  • Access controls and authentication for production systems and data stores.
  • Encryption of data in transit and encryption at rest where supported by infrastructure providers.
  • Logging and monitoring to support security investigations and availability.
  • Vendor due diligence and contractual security requirements for Subprocessors.
  • Processes for vulnerability handling and employee confidentiality.

Further detail may be provided in our privacy materials and in response to reasonable customer questionnaires.

Questions about this DPA or execution for procurement? Contact us.