Data Processing Agreement

11 May 2026
info@joingrasp.com
joingrasp.com

This Data Processing Agreement ("DPA") is entered into between the customer identified in the Order Form (the "Controller") and Traece B.V., a Dutch besloten vennootschap with registered office at Vrije Heerlijkheid 39, 1566 MH Assendelft, the Netherlands, registered in the Dutch Commercial Register under number 98464604 (the "Processor" or "Grasp").

This DPA forms part of the Master Subscription Agreement or Order Form between the parties (together, the "Agreement"). In the event of conflict, this DPA prevails with respect to the Processing of Personal Data.

1. Definitions

Capitalised terms not defined here have the meaning given in the GDPR.

  • "GDPR" means Regulation (EU) 2016/679, and where applicable the UK GDPR.
  • "Personal Data", "Processing", "Data Subject", "Personal Data Breach", "Controller", and "Processor" have the meanings in Article 4 GDPR.
  • "Services" means the Grasp AI governance and compliance platform.
  • "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
  • "SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.
  • "Customer Personal Data" means Personal Data Processed by the Processor on behalf of the Controller, as described in Annex I.

2. Roles and scope

2.1 The Processor Processes Customer Personal Data on behalf of the Controller solely to provide the Services.

2.2 The Controller is the Controller of Customer Personal Data. The Processor is the Processor.

2.3 The processing details are set out in Annex I.

3. Processing instructions

3.1 The Processor shall Process Customer Personal Data only on documented instructions from the Controller, unless required otherwise by EU or Member State law (in which case the Processor shall inform the Controller of that requirement, unless the law prohibits such information on important grounds of public interest).

3.2 The Agreement (including this DPA and the Order Form) constitutes the Controller's complete documented instructions.

3.3 The Processor shall inform the Controller if it believes an instruction infringes applicable Data Protection Laws.

4. Confidentiality

4.1 The Processor ensures that personnel authorised to Process Customer Personal Data are bound by confidentiality obligations and have received appropriate data protection training.

5. Security

5.1 The Processor implements and maintains the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk, in line with Article 32 GDPR.

5.2 The Processor may update Annex II from time to time, provided the overall level of security is not materially diminished.

6. Sub-processors

6.1 The Controller provides general authorisation for the Processor to engage the Sub-processors listed in Annex III as of the Effective Date.

6.2 The Processor shall give the Controller at least thirty (30) days' prior written notice (by email to the Controller's designated contact) of any intended addition or replacement of a Sub-processor.

6.3 The Controller may object to a new Sub-processor on reasonable data protection grounds within thirty (30) days of notification. If the parties cannot resolve the objection within a further thirty (30) days, the Controller may terminate the affected Services on written notice. Termination under this section applies only to those specific Services that cannot be provided without the disputed Sub-processor, and does not affect the remainder of the Agreement.

6.4 The Processor imposes data protection obligations on each Sub-processor that are substantively equivalent to those in this DPA, by written contract, and remains liable to the Controller for the Sub-processor's performance.

7. Data subject rights

7.1 The Processor shall assist the Controller, by appropriate technical and organisational measures and insofar as possible, in responding to Data Subject requests under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making).

7.2 If the Processor receives a Data Subject request directly, it shall promptly forward it to the Controller and shall not respond except on the Controller's instructions or as required by law.

8. Personal Data Breach

8.1 The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

8.2 The notification shall include, to the extent then known:

  • (a) the nature of the breach, including categories and approximate number of Data Subjects and records affected;
  • (b) likely consequences;
  • (c) measures taken or proposed to address the breach and mitigate its effects;
  • (d) the Processor's data protection contact for follow-up.

8.3 Where information is unavailable at the time of initial notification, the Processor shall provide it in subsequent updates without undue delay.

8.4 Notification is not, in itself, an admission of fault or liability.

9. DPIAs and prior consultation

9.1 The Processor shall provide reasonable assistance to the Controller, taking into account the nature of the Processing and the information available to the Processor, with Article 35 DPIAs and Article 36 prior consultations relating to Customer Personal Data.

10. International transfers

10.1 Current processing locations. As of the Effective Date, all Sub-processors that Process Customer Personal Data on behalf of the Controller do so primarily within the European Union, as set out in Annex III. Limited transfers to third countries occur in the following cases:

  • Stripe — the Processor's merchant relationship is with Stripe Payments Europe Ltd (Ireland), and payment data is primarily processed within the European Union. Limited onward transfers to Stripe, Inc. (United States) may occur for global card network processing, fraud prevention, and platform support, governed by Stripe's intra-group Standard Contractual Clauses.
  • OpenAI — API inputs (application names, process names, bundle identifiers, domains derived from the Controller's environment) and outputs are processed in the United States. No directly identifying Personal Data of data subjects is transmitted.
  • Firecrawl — URLs and domains submitted for retrieval of publicly available vendor documentation are processed in the United States.
  • Exa — URLs and domains submitted for web search and retrieval are processed in the United States.
  • Have I Been Pwned — email addresses submitted for breach exposure checks are processed in the United States (Microsoft Azure).
  • Cloudflare — Customer Personal Data in transit may be routed through Cloudflare's global edge network. Cloudflare applies EU routing where available and processes data at rest within the European Union.

10.2 Transfer mechanism. For transfers to a country without an adequacy decision of the European Commission, the parties incorporate the EU Standard Contractual Clauses, Module Two (Controller to Processor), with the following selections:

  • Clause 7 (Docking): not applicable;
  • Clause 9(a) (Sub-processors): Option 2 — General Written Authorisation, notice period as in Section 6.2;
  • Clause 11 (Redress): independent dispute resolution body not offered;
  • Clause 17 (Governing Law): the laws of the Netherlands;
  • Clause 18 (Forum): the courts of Amsterdam;
  • Annexes I, II, and III to the SCCs are populated by Annexes I, II, and III to this DPA.

10.3 Adequacy and equivalent frameworks. Where a Sub-processor is certified under the EU-US Data Privacy Framework or is established in a country covered by an adequacy decision, transfers may rely on that mechanism in place of the SCCs.

10.4 Transfer impact assessments. The Processor has assessed each transfer to a third country in line with EDPB Recommendations 01/2020 and applies appropriate supplementary measures (including encryption in transit, encryption at rest, and access controls) to ensure an essentially equivalent level of protection.

10.5 UK transfers. For transfers from the United Kingdom, the parties incorporate the UK International Data Transfer Addendum issued by the ICO.

10.6 Changes in transfer locations. Any change to the processing locations set out in Section 10.1 will be communicated to the Controller in accordance with the Sub-processor change procedure in Section 6.2.

11. Audit and information rights

11.1 The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with Article 28 GDPR, including:

  • (a) the Processor's then-current security documentation, available on written request under reasonable confidentiality terms;
  • (b) responses to reasonable security questionnaires, no more than once per twelve (12) month period;
  • (c) any external audit reports or certifications the Processor maintains as they become available.

11.2 Where the information in Section 11.1 is insufficient to address a specific concern, the parties shall discuss in good faith an audit approach proportionate to the concern. Any on-site or remote audit shall be subject to the parties' agreement on scope, timing, notice (at least sixty (60) days), and the Processor's reasonable confidentiality and security requirements. The Controller shall bear its own costs.

11.3 Notwithstanding Section 11.2, the Controller may exercise audit rights without prior agreement where required by a supervisory authority or following a confirmed Personal Data Breach materially affecting the Controller's data.

12. Return and deletion

12.1 On termination or expiry of the Agreement, the Processor shall, at the Controller's choice, delete or return Customer Personal Data and delete existing copies, unless required to retain it by EU or Member State law.

12.2 The Controller may export Customer Personal Data through the Services during the Term and during a thirty (30) day post-termination grace period.

12.3 After the grace period, the Processor shall delete Customer Personal Data within a further thirty (30) days. The following limited categories follow their own retention schedules and are excluded from the foregoing deletion timeline:

  • Encrypted backups held by infrastructure Sub-processors (notably Convex), deleted in accordance with the Sub-processor's standard backup retention cycle and in any event within ninety (90) days of termination.
  • Operational logs held by Cloudflare and other infrastructure Sub-processors for security, observability, and abuse prevention, retained in line with the relevant Sub-processor's documented retention policies.
  • Billing and transaction records retained by the Processor and Stripe to comply with Dutch tax and accounting law, which requires retention for up to seven (7) years.
  • Email delivery logs held by Resend (where transactional or marketing email is enabled), retained in line with Resend's documented retention policy.
  • Data that the Processor is required to retain by EU or Member State law.

12.4 The Processor shall confirm deletion in writing on request.

13. Liability

13.1 Liability under this DPA is governed by the limitation of liability provisions of the Agreement.

13.2 Nothing in this DPA limits a party's liability to a Data Subject under Article 82 GDPR.

14. AI-specific commitments

14.1 The Processor shall not use Customer Personal Data to train, fine-tune, or improve any AI or machine learning model, except where the data is used solely to deliver the Services to the Controller within the Controller's tenant (and not in any aggregated, generalised, or cross-customer model).

14.2 Where the Services rely on AI Sub-processors (e.g., foundation model providers), the Processor engages such Sub-processors under terms that prohibit or default-disable the use of Customer Data and Controller inputs and outputs for model training, and does not opt into any contrary training arrangement. The current AI Sub-processors are listed in Annex III.

14.3 The Processor maintains its own conformance with applicable obligations under Regulation (EU) 2024/1689 (the EU AI Act) corresponding to its role.

15. Miscellaneous

15.1 Governing law. This DPA is governed by Dutch law. Disputes are subject to the exclusive jurisdiction of the courts of Amsterdam, save for the SCCs which follow Section 10.2.

15.2 Order of precedence. SCCs (where applicable) → this DPA → the Agreement.

15.3 Amendments. The Processor may update this DPA to reflect changes in Data Protection Laws or supervisory authority guidance, provided no such update materially reduces the protections afforded to the Controller.

15.4 Severability. If any provision is held invalid, the remainder remains in full force.

Annex I — Description of Processing

A. Parties

Data Exporter (Controller): As identified in the Order Form.

Data Importer (Processor): Traece B.V., Vrije Heerlijkheid 39, 1566 MH Assendelft, the Netherlands. KvK 98464604. Data protection contact: info@joingrasp.com.

B. Description of transfer

Item | Detail
Data Subjects | Controller's employees, contractors, and other personnel who use, are owners of, or are referenced in AI tools and connected applications governed through the Services.
Personal Data categories | Identification & contact: name, business email, job title. Employment: department, role, manager. Authentication & access: SSO login activity, session metadata, MFA status, OAuth scopes granted, OAuth access and refresh tokens (encrypted at rest). Device & software (via desktop agent, where deployed): device identifier, hardware metadata (model, OS, hostname), installed application inventory and versions, application and process names, bundle/package identifiers, number of application sessions. Browser activity (via desktop agent, where deployed): visited domains and browser extension identifiers observed by the agent. Page-level content, URLs beyond the domain, form input, and keystrokes are not collected. Integration sync metadata: data retrieved from connected workspace and identity providers (see Annex III §2), including directory data and AI tool sign-in events. Audit & compliance metadata: assessment decisions, sign-offs, comments, and platform audit logs.
Special categories | None intended. The Controller shall not submit special categories of data to the Services.
Frequency | Continuous, for the duration of the Services.
Nature | Hosting, storage, access, retrieval, organisation, structuring, analysis, automated discovery, deletion.
Purpose | Providing the Grasp AI governance platform: discovering AI tool usage, governing access and policy, accelerating compliant adoption, producing audit and compliance evidence.
Retention | Duration of the Agreement plus the deletion timelines in Section 12.

C. Competent supervisory authority

Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag, the Netherlands.

Annex II — Technical and organisational measures (Article 32 GDPR)

The Processor implements the following measures, proportionate to its scale and the nature of the Services. Specific configurations are documented in the Processor's Information Security Policy, available on written request under reasonable confidentiality terms.

1. Encryption

  • Customer Personal Data is encrypted at rest using vendor-managed encryption controls, including AES-256 where provided by the relevant hosting or database provider.
  • TLS 1.2 or higher, or equivalent secure transport encryption, is used for external transmission of Customer Personal Data.
  • Encryption keys are managed through vendor-managed key management systems and access-controlled infrastructure. Where configurable, keys and secrets are rotated on a risk-based basis.

2. Access control

  • Role-based access on a least-privilege basis.
  • MFA required for all personnel accessing production systems.
  • Customer data is logically segregated between tenants.
  • Periodic access reviews.

3. Network and infrastructure

  • Hosting and processing are performed by reputable cloud infrastructure and platform providers listed in Annex III, including Cloudflare and Convex.
  • Production and non-production environments are logically separated through separate deployments, access controls, and secrets.
  • Vulnerability scanning of dependencies and infrastructure.

4. Logging and incident response

  • Security-relevant system events and administrative access are logged where supported by the relevant systems.
  • Alerting on critical security events.
  • Documented incident response procedure with defined roles.

5. Personnel

  • Confidentiality obligations in employment and contractor agreements.
  • Security awareness training on hire and at appropriate intervals thereafter.
  • Documented offboarding procedure including credential revocation.

6. Software development

  • Code review on production changes.
  • Dependency vulnerability scanning.
  • Separation between development and production environments.

7. Business continuity

  • Backups and durable storage are protected using the encryption and resilience controls of the relevant hosting and database providers.
  • Documented recovery procedures.

8. Sub-processor management

  • Risk review of Sub-processors prior to onboarding.
  • Data protection obligations flowed down by contract.

9. Data minimisation

  • Collection limited to what is necessary to deliver the Services.

10. Compliance roadmap

  • The Processor is working towards ISO/IEC 27001 certification. Status updates are available on written request.

Annex III — Sub-processors and Third-Party Services

1. Sub-processors

For the purposes of this Data Processing Agreement, a "Sub-processor" is any third party engaged by Grasp (Traece B.V.) that processes Personal Data on behalf of the Controller, in accordance with Article 28 GDPR. Grasp engages the following Sub-processors to provide the Services:

Sub-processor | Service provided | Location of processing
Cloudflare, Inc. | Content delivery network, DDoS protection, and web application firewall | Global edge network with EU routing applied where available
Convex, Inc. | Database and backend-as-a-service hosting Customer Data | Deployed region per project configuration (currently Ireland, European Union)
Better Auth | Authentication library, self-hosted by Grasp on Convex and Cloudflare infrastructure | Same as Convex and Cloudflare above
Stripe Payments Europe Ltd / Stripe, Inc. | Payment processing and billing | Primarily Ireland (European Union); limited onward transfers to the United States for card network processing
Resend, Inc. | Transactional and marketing email delivery (notifications, alerts, newsletters, product updates) | Ireland (European Union)
PostHog Inc. | Product analytics and usage monitoring | Germany (European Union)
Attio Ltd. | Customer relationship management for account contact data | European Union (Google Cloud)
Have I Been Pwned (Superlative Enterprises Pty Ltd) | Breach exposure checks for user email addresses | United States (Microsoft Azure)
OpenAI, L.L.C. | Large language model API used to classify and reason over AI tool catalog signals. Inputs may include application names, process names, bundle identifiers, and domains derived from the Controller's environment. No directly identifying Personal Data of data subjects (e.g., names, email addresses) is transmitted. OpenAI processes API inputs and outputs under terms that do not use Customer Data for model training. | United States
Firecrawl (Mendable Labs, Inc.) | Web scraping and crawling. Inputs may include URLs and domains derived from the Controller's environment for the purpose of retrieving publicly available vendor documentation. | United States
Exa Labs, Inc. | Web search and retrieval API. Inputs may include URLs and domains derived from the Controller's environment for the purpose of retrieving publicly available vendor information. | United States

Changes to Sub-processors. Grasp will notify the Controller in writing of any intended additions or replacements of Sub-processors at least thirty (30) days in advance. The Controller may object to such changes on reasonable grounds related to data protection within thirty (30) days of notification. If the Parties cannot resolve the objection in good faith, the Controller may terminate the affected Services without penalty.

2. Customer-controlled integrations

The Controller may, at its discretion, connect its own third-party workspace and identity provider accounts to the Services in order to enable functionality such as Single Sign-On (SSO) discovery, AI tool inventory, and access governance. These integrations are activated by the Controller through OAuth or equivalent authorisation flows and operate against the Controller's own tenants under the Controller's existing agreements with those providers.

For these integrations, the relevant providers are not Sub-processors of Grasp. They act as Processors of the Controller under the Controller's own agreement with the provider. Grasp Processes the data returned by these integrations strictly as set out in this DPA.

Provider | Service | Data retrieved by Grasp | Authorisation
Microsoft Corporation | Microsoft 365 / Entra ID (Azure AD) | SSO login activity, user directory data, AI tool sign-in events from the Controller's Microsoft tenant | Controller-controlled via OAuth
Google LLC | Google Workspace | SSO login activity, user directory data, AI tool sign-in events from the Controller's Google Workspace tenant | Controller-controlled via OAuth

Responsibility. The Controller is responsible for its own contractual and data protection relationship with the providers listed above. Grasp is responsible for the Processing of any Personal Data retrieved from these integrations once it enters the Services, in accordance with this DPA.

End of Data Processing Agreement.