ILegal framework

Data processing under Art. 28 GDPR.

When we operate Grantifex for you, we process personal data on your behalf.

When foundations, public authorities or other organisations run their grant portal as a Grantifex instance hosted by us, we process personal data — for example of applicants and reviewers — exclusively on their behalf. The organisation remains the controller within the meaning of the GDPR; we act as the processor.

Art. 28 GDPR requires a data processing agreement (DPA) for this. It bindingly defines the subject matter, duration, nature and purpose of the processing as well as the obligations of both parties. For productive use of Grantifex, our customers conclude such a DPA with us.

IIKey terms

What our DPA covers.

The essential commitments in brief.

• Documented instructions — we process data exclusively on the customer's documented instructions.
• Technical and organisational measures (TOMs) — encryption, access control, tenant separation and backups, documented as an annex to the agreement.
• Sub-processors — listed by name; changes are announced in advance, with a right to object.
• Deletion concept — defined periods for the deletion and return of all data at the end of the contract.
• Audit rights — customers may verify compliance themselves or have it verified.

We provide the complete data processing agreement on request: [email protected].

IIIDemo instances

Demos run on test data.

A simple rule applies to demo instances: no real personal data.

Demo instances are for evaluation and process test data only. Please do not enter any real personal data into a demo — neither of applicants nor of staff. Demo instances are deleted completely after 14 days; a data processing agreement is only concluded when moving to productive operation.