Data Processing Agreement
Pursuant to Art. 28 GDPR — Effective: February 2026
This Data Processing Agreement ("DPA") is concluded between NMA Venture Capital GmbH ("Processor") and the Customer using the GRID platform ("Controller"), and forms part of the Terms of Service.
1. Subject Matter and Duration
The Processor processes personal data on behalf of the Controller in the context of providing the GRID SaaS platform (as described in the Service Description). The duration of this DPA corresponds to the duration of the main contract (Terms of Service).
2. Nature and Purpose of Processing
The Processor processes personal data solely for the purpose of providing the contractually agreed services, including:
- User account management and authentication
- Storage and processing of uploaded pitch decks and company data
- AI-powered analysis and matching services
- Delivery of transactional emails
- Platform analytics (with consent)
3. Categories of Data Subjects and Personal Data
Data subjects
Employees and representatives of the Controller; founders and team members whose data is uploaded via the platform.
Categories of personal data
- Contact data (name, email address)
- Company data (company name, sector, funding information)
- Pitch deck content (which may contain personal data of team members)
- Usage data (log files, session data)
4. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorized to process personal data are bound by confidentiality
- Implement appropriate technical and organizational security measures (Art. 32 GDPR)
- Assist the Controller in responding to data subject rights requests
- Delete or return all personal data upon termination of the contract
- Provide all necessary information to demonstrate compliance with Art. 28 GDPR
5. Sub-processors
The Controller hereby grants general authorization for the use of sub-processors. Current sub-processors include:
- Hetzner Online GmbH (server infrastructure, Germany)
- Cloudflare Inc. (CDN/DNS, EU SCC basis)
- Google Cloud Platform Ireland Ltd. (infrastructure, EU)
- Google Ireland Ltd. (Gemini AI API, EU SCC basis)
- Mollie B.V. (payment processing, Netherlands)
The Processor will notify the Controller of any intended changes concerning additions or replacements of sub-processors, giving the Controller the opportunity to object to such changes.
6. Technical and Organizational Measures (TOMs)
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Access control and principle of least privilege
- Regular security assessments and penetration testing
- Incident response and breach notification procedures
- Regular staff training on data protection
7. Transfers to Third Countries
Where personal data is transferred to sub-processors in third countries (e.g. the USA), such transfers are made on the basis of the EU-U.S. Data Privacy Framework adequacy decision, or Standard Contractual Clauses (SCC) adopted by the EU Commission.
8. Contact
For DPA-related inquiries: [email protected]