Data Processing Agreement
Last updated: April 16, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer (the "Controller") and GrantPilot, operated by Hempp LLC (the "Processor"), and governs the Processor's handling of Personal Data on behalf of the Controller. It is designed to satisfy Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR, and analogous provisions of the California Consumer Privacy Act (CCPA).
1. Definitions
"Personal Data," "Controller," "Processor," "Processing," "Data Subject," and "Subprocessor" have the meanings given in the GDPR. "Services" means the GrantPilot platform and related features accessed by the Controller under the Terms of Service.
2. Roles and Scope
The Controller determines the purposes and means of processing the Personal Data it submits to the Services. The Processor processes that Personal Data solely to provide, maintain, and secure the Services, and in accordance with the Controller's documented instructions as reflected in the Terms of Service, this DPA, and the Controller's configuration choices within the Services.
3. Categories of Data and Data Subjects
Categories of Personal Data: contact details (name, email), organizational profile (mission, EIN, address), user-submitted grant content, uploaded documents, application drafts, billing metadata (via Stripe), and usage / telemetry records.
Categories of Data Subjects: the Controller's employees, contractors, board members, and any individuals whose information the Controller chooses to include in grant narratives (e.g., key personnel bios).
4. Processing Purposes and Duration
Processing occurs for the duration of the Controller's subscription and for any retention period required to comply with the Processor's legal obligations. Upon termination, the Processor will delete or return Personal Data within 30 days at the Controller's written request, except for audit log entries retained for forensic and compliance purposes.
5. Confidentiality
The Processor ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations (whether by contract or statutory duty). Production access is limited to named engineers with business need and requires MFA.
6. Security Measures
The Processor implements the technical and organizational measures described in the Trust Center, including encryption in transit (TLS 1.2+), encryption at rest (provider-managed and, for sensitive PII fields, AES-256-GCM application-side), audit logging, row-level authorization, CSRF and SSRF defenses, and a documented incident response program.
7. Subprocessors
The Controller provides general authorization for the Processor to engage the Subprocessors listed in the Trust Center. Each Subprocessor is bound by data protection obligations substantially similar to those in this DPA. The Processor will provide 30 days' notice of any intended change to its Subprocessors, during which the Controller may object on reasonable data-protection grounds.
8. International Transfers
To the extent Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to the United States, the parties agree that the Standard Contractual Clauses (EU Commission Implementing Decision 2021/914) Module Two (Controller-to-Processor) are incorporated by reference into this DPA and apply to those transfers. The Processor maintains supplementary measures consistent with the recommendations of the European Data Protection Board.
9. Data Subject Rights
The Services enable the Controller to respond to Data Subject requests for access, rectification, erasure, portability, and restriction directly through the product (account export and deletion endpoints). Where the Controller requires additional assistance to respond to a Data Subject request, the Processor will cooperate in good faith at no additional charge, to the extent reasonable given the complexity and volume of the request.
10. Personal Data Breaches
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller's data. The notification will include the nature of the breach, the categories and approximate volume of records affected (where known), the likely consequences, and the measures taken or proposed to mitigate its effects.
11. Audits
On reasonable request, the Processor will make available information necessary to demonstrate compliance with Article 28 obligations, including current SOC 2 reports (when available) and a written summary of security controls. The Controller may conduct audits no more than annually and at its own expense, subject to 30 days' notice and reasonable confidentiality protections.
12. Return and Deletion
On termination of the Services, the Processor will, at the Controller's choice, delete or return all Personal Data within 30 days, unless retention is required by applicable law. Audit log rows may be retained for the retention period required for legal compliance.
13. Liability and Indemnity
Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects under Article 82 of the GDPR.
14. Precedence
In case of conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Personal Data.
15. Contact
Data protection questions or DPA execution requests: privacy@grantpilot.dev. Security reports: security@grantpilot.dev.