Data Processing Agreement

Controller ↔ Processor, Last updated 6 June 2025

1 · Parties

• Controller: Customer identified in Order
• Processor: Grants Finder AI, Keizersgracht xxx, 1015 CS Amsterdam

2 · Subject-matter & duration

Processing of Controller-submitted business contact data for grant-matching until the earlier of deletion request or 3 years after last activity.

3 · Nature & purpose

Automated eligibility analysis; report delivery; support.

4 · Types of personal data & data subjects

5 · Processor obligations (Art. 28 (3))

a) Process only on documented instructions (this DPA & ToS).

b) Staff confidentiality.

c) Appropriate technical & organisational security (Annex I).

d) Sub-processor flow-down & prior-notice mechanism (Schedule B).

e) Assist with data-subject rights, DPIAs & breach notifications.

f) Delete or return all personal data at end of provision (unless EU law requires storage).

g) Make audit reports available; allow on-site audit with 30 days' notice.

6 · Security measures (Annex I)

• 2FA admin access
• EU-only primary hosting

7 · Sub-processors (Schedule B)

Stripe (Ireland/US), Supabase (Germany), OpenAI (US), Resend (Germany/US). Controller may object within 10 days of notice.

8 · International transfers

Where sub-processors are outside the EEA, Processor relies on 2021 Standard Contractual Clauses Module 3. No onward transfer without equivalent safeguards.

9 · Breach notification

Processor shall notify Controller without undue delay and in any case within 72 hours after becoming aware of a personal-data breach.

10 · Liability & indemnity

Each party is liable for damages it causes; Processor's liability is capped per ToS § 9. Controller shall indemnify Processor for claims arising from instructions or unlawful data supplied.

11 · Term & termination

This DPA terminates automatically upon deletion of all customer data by Processor. Clauses 5 f), 8 and 10 survive.

12 · Contact

Data Protection Officer — team@mail.grantsfinderai.com