DATA PROCESSING ADDENDUM

Version 3.0

Last updated: 9 March 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Grand Intelligence Group Limited (“Grand”) and the customer (“Customer”) and applies only where and to the extent that Grand processes Personal Data as a Processor on behalf of the Customer in connection with a product or feature that involves such processing.

This DPA is incorporated by reference into the applicable Product Terms and the Platform Terms & Conditions.


1. DEFINITIONS

Terms used but not defined in this DPA have the meanings given in the Platform Terms.

Applicable Data Protection Law

The General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation, and any applicable national data protection laws.

Controller, Processor, Personal Data, Processing, Personal Data Breach

Have the meanings given in the GDPR.

Customer Personal Data

Personal Data processed by Grand solely on behalf of the Customer as Processor under this DPA.

Grand Intelligence Data

Data, outputs, insights, scores, indicators, analytics, inferences, models, signals, logs, metadata, or aggregated or derived data generated by Grand through analysis, monitoring, or operation of the Platform. Where Grand Intelligence Data is derived from or incorporates Customer Personal Data, Grand shall ensure it is anonymised or aggregated such that individual data subjects are not identifiable.


2. SCOPE AND ROLE OF THE PARTIES

2.1 Conditional Application

This DPA applies only where Grand acts as a Processor on behalf of the Customer. Where Grand processes Personal Data as an independent Controller or separate Controller, this DPA does not apply.

2.2 Roles

  • Customer is the Controller of Customer Personal Data
  • Grand is the Processor of Customer Personal Data

2.3 Controller Activities Excluded

This DPA does not apply to:

  • data independently sourced or generated by Grand
  • Grand Intelligence Data
  • aggregated, anonymised, or inferred data
  • monitoring, profiling, or network intelligence generated by Grand

Such processing is governed by the Platform Terms and Privacy & Data Protection Policy.


3. PROCESSING DETAILS (ARTICLE 28(3))

3.1 Subject Matter

Processing of Personal Data for the purpose of providing the relevant product or feature enabled by the Customer.

3.2 Duration

For the duration of the Customer’s use of the applicable product, unless otherwise required by law.

3.3 Nature and Purpose

Collection, verification, storage, analysis, and transmission of Personal Data as required to perform Customer-configured onboarding, verification, or data collection workflows.

3.4 Categories of Data Subjects

May include:

  • company directors or officers
  • beneficial owners
  • employees or representatives
  • applicants or authorised contacts

3.5 Categories of Personal Data

May include:

  • identity data
  • contact data
  • verification data
  • documentation submitted by or on behalf of the Customer

4. PROCESSING ON CUSTOMER INSTRUCTIONS

4.1 Grand shall process Customer Personal Data only on documented instructions from the Customer, including those configured through the Platform.

4.2 Customer warrants that its instructions comply with Applicable Data Protection Law.

4.3 Grand is not responsible for determining whether Customer instructions are lawful.

4.4 If Grand believes an instruction infringes Applicable Data Protection Law, Grand shall promptly inform the Customer.


5. CONFIDENTIALITY

Grand shall ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.


6. SECURITY MEASURES

6.1 Grand shall implement appropriate technical and organisational measures to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

6.2 Security measures may evolve over time in line with industry standards and risk assessments.


7. SUBPROCESSORS

7.1 Customer grants Grand general authorisation to engage subprocessors to process Customer Personal Data.

7.2 Grand shall maintain a current list of subprocessors and make it available to the Customer on request.

7.3 Grand shall notify the Customer of any intended changes to subprocessors (additions or replacements) and shall give the Customer fourteen (14) days from the date of notification to object on reasonable data protection grounds.

7.4 If the Customer objects and the parties cannot resolve the objection within a reasonable period, the Customer may terminate the affected product on written notice.

7.5 In the event of an emergency operational or security change requiring immediate engagement of a subprocessor, Grand may proceed without prior notification, provided that Grand notifies the Customer as soon as reasonably practicable thereafter.

7.6 Grand shall ensure that subprocessors are bound by data protection obligations no less protective than those in this DPA.


8. DATA SUBJECT RIGHTS

8.1 Grand shall provide reasonable assistance to enable the Customer to respond to requests from data subjects exercising their rights under Applicable Data Protection Law.

8.2 Where a request is made directly to Grand, Grand may redirect the data subject to the Customer unless legally required to respond directly.


9. DATA PROTECTION IMPACT ASSESSMENTS

Grand shall provide reasonable assistance to the Customer in conducting data protection impact assessments and, where required, prior consultations with supervisory authorities, in each case to the extent that such assistance is required by Applicable Data Protection Law and relates to the processing of Customer Personal Data.


10. PERSONAL DATA BREACHES

10.1 Grand shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

10.2 Notification shall include, to the extent reasonably available to Grand at the time:

  • a description of the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned
  • the likely consequences of the breach
  • the measures taken or proposed to address the breach and mitigate its effects

10.3 Grand shall provide further information as it becomes available and shall cooperate with the Customer in investigating and remediating the breach.


11. DATA DELETION AND RETURN

11.1 Upon termination of the applicable product, Grand shall, at the Customer’s choice, delete or return Customer Personal Data within thirty (30) days, unless retention is required by Applicable Data Protection Law.

11.2 Grand Intelligence Data is expressly excluded from deletion or return obligations.

11.3 Backups containing Customer Personal Data may be retained in accordance with Grand’s standard backup retention cycles, provided that such data remains protected in accordance with this DPA and is deleted when the relevant backup cycle expires.


12. AUDIT RIGHTS

12.1 Customer may audit Grand’s compliance with this DPA, subject to:

  • reasonable prior written notice (not less than thirty (30) days)
  • scope limited to the processing of Customer Personal Data
  • confidentiality obligations binding on the Customer and any auditor

12.2 Grand may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2 Type II), or written summaries of its security and processing practices. Where such documentation reasonably addresses the Customer’s audit objectives, the Customer shall accept it in lieu of an on-site audit.

12.3 Audits shall not unreasonably interfere with Grand’s operations and shall not occur more than once in any twelve-month period unless required by a supervisory authority or in response to a Personal Data Breach.

12.4 The Customer shall bear its own costs of any audit. Where an on-site audit is conducted, Grand may charge reasonable fees for staff time and resources required to support the audit.


13. INTERNATIONAL TRANSFERS

13.1 Where Customer Personal Data is transferred outside the European Economic Area or the United Kingdom to a country not subject to an adequacy decision, Grand shall ensure appropriate safeguards are in place in accordance with Applicable Data Protection Law.

13.2 Appropriate safeguards may include Standard Contractual Clauses adopted by the European Commission, UK International Data Transfer Agreements, or other transfer mechanisms approved under Applicable Data Protection Law.

13.3 On request, Grand shall provide the Customer with information about the safeguards in place for any international transfer of Customer Personal Data.


14. LIABILITY

Liability arising under this DPA is subject to the limitations set out in the Platform Terms.


15. PRECEDENCE

In the event of conflict between this DPA and the Platform Terms:

  • this DPA prevails only with respect to processing governed by this DPA
  • the Platform Terms prevail in all other respects

16. GOVERNING LAW

This DPA is governed by the laws of Ireland, unless otherwise required by Applicable Data Protection Law.


17. CONTACT

Entity: Grand Intelligence Group Limited

Email: legal@heygrand.com

Data Protection Contact: dpo@heygrand.com

Registered Address:

Ireland: 24A Baggot Street Upper, Dublin, D04 N528, Ireland

United Kingdom: Ground Floor, Gallery Building, 65–69 Dublin Road, Belfast, BT2 7HG, Northern Ireland
