
Data Processing Agreement

GDPR Article 28 terms between Digitálny Inovátor, s. r. o. as Processor and the Customer as Controller. English so it slots straight into your procurement files.

Effective from 1 June 2026

01 Parties

This Data Processing Agreement (the "DPA") supplements the grantus Terms of Service between Digitálny Inovátor, s. r. o., registered office Záhradná ulica 10017/27, 917 08 Trnava, Slovak Republic, company ID 54 085 543, VAT ID SK2121567844, registered in the Commercial Register of the District Court Trnava, section Sro, file 50020/T (public registry) (the "Processor") and the customer entity that has executed a paid grantus plan (the "Controller").

The DPA is automatically incorporated into the Controller's grantus subscription at activation. A signed PDF copy is available on request at gdpr@grantus.sk for tenders and procurement files.

02 Subject matter and duration

Processor processes Personal Data on behalf of Controller solely for the purpose of providing the grantus service as described in the Terms. The DPA remains in effect for the duration of the Controller's subscription plus the retention window in §5.

03 Nature and types of Personal Data

Processor processes (a) account identification data (e-mail, organisation name, optional IČO), (b) usage telemetry (request logs, API key usage, watchdog matches), and (c) optional outbound integration tokens (HubSpot, Pipedrive, Notion) provided by the Controller via OAuth. No special categories of data under Article 9 GDPR are processed.

04 Sub-processors

Controller authorises Processor to engage the sub-processors listed below. Processor will give at least 14 days' notice of any addition or replacement via the e-mail address on file. Controller may object within that window; unresolved objections give Controller the right to terminate the subscription with a pro-rata refund.

  • Hostinger (EU region) — infrastructure / database / object storage.
  • Resend (EU sub-region) — transactional e-mail delivery.
  • Anthropic — AI classification of grant calls (no Controller PII transmitted).
  • Voyage AI — embedding generation.
  • Sentry (EU region) — backend and frontend error monitoring. Stack traces + opaque trace id only; no request bodies, query strings, or credentials are forwarded.
  • PostHog (eu.posthog.com EU instance) — product analytics. IP address dropped at ingest, autocapture disabled, only explicit named events forwarded.
  • Better Stack (EU region) — uptime monitoring + log shipping. Structured pino JSON only.
  • Stripe (once payments are live) — payment processing.

The machine-readable, versioned list with the date each sub-processor was added is published at grantus.sk/dpa/subprocessors; that page is the authoritative reference for procurement files.

05 Security measures

  • TLS 1.3 in transit, AES-256 at rest for all primary stores.
  • Per-tenant row-level isolation by organization_id.
  • OAuth 2.1 with PKCE; HMAC-SHA256 signed webhooks.
  • API keys hashed at rest (SHA-256 with per-key salt).
  • Quarterly internal security review; external penetration test annually after the first €100k in ARR.
  • Audit log of admin actions retained 30 days.

06 Personal Data breach notification

Processor will notify Controller without undue delay and at the latest within 48 hours of becoming aware of a Personal Data breach affecting the Controller's data. The notice will describe the breach scope, the categories of data concerned, the likely consequences, and the measures taken or proposed.

07 Audit rights

Controller may, on 14 days' written notice and at most once per calendar year, request a written security audit summary covering Processor's controls. For on-site audits and questionnaires, Processor reserves the right to charge a reasonable hourly rate.

08 International transfers

Personal Data is processed within the EEA. Where a sub-processor (e.g. Anthropic) operates from a third country, transfers are protected by the EU Standard Contractual Clauses (SCCs) 2021/914 Module 3 (processor to sub-processor).

09 Return and deletion

On termination of the subscription, Processor will, at Controller's choice, return or delete all Personal Data within 30 days. Backups are purged on a rolling 30-day cycle thereafter. Anonymised, aggregated statistics may be retained indefinitely.