Data Processing Agreement
Last updated: February 2026This DPA is designed to ensure compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection laws. By using Grade's services, you agree to the terms of this DPA.
1. Definitions and Interpretation
In this DPA, unless the context requires otherwise:- "Company Personal Data" means any personal data processed by the Processor on behalf of the Company pursuant to or in connection with the Principal Agreement.
- "Data Protection Laws" means the GDPR, the UK GDPR, the EU ePrivacy Directive (2002/58/EC as amended), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and any other applicable data protection legislation in any relevant jurisdiction.
- "Sub-processor" means any third party appointed by the Processor to process Company Personal Data on behalf of the Company.
- "Data Subject" means the identified or identifiable natural person to whom Company Personal Data relates.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Company Personal Data.
- "EEA" means the European Economic Area.
- "Standard Contractual Clauses" or "SCCs" means the contractual clauses approved by the European Commission for the transfer of personal data to processors established in third countries.
2. Processing of Company Personal Data
2.1. The Processor shall process Company Personal Data only on documented instructions from the Company, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law, in which case the Processor shall inform the Company of that legal requirement before processing (unless prohibited by law).2.2. The Company instructs the Processor to process Company Personal Data for the following purposes:
- Provision of the Grade platform and related services as described in the Principal Agreement
- Performance tracking, payout calculation, and payment execution
- Identity verification and KYC/AML compliance
- Tax reporting and regulatory compliance
- Platform security, fraud prevention, and technical support
3. Processor Personnel
3.1. The Processor shall ensure that all personnel authorised to process Company Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.3.2. The Processor shall ensure that access to Company Personal Data is limited to those personnel who require such access for the performance of the services under the Principal Agreement.
3.3. The Processor shall ensure that all personnel authorised to process Company Personal Data have received appropriate training in data protection.
4. Security
4.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures include but are not limited to:- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
- Pseudonymisation of personal data where feasible
- Role-based access controls and multi-factor authentication
- Network segmentation and intrusion detection systems
- Regular security assessments, penetration testing, and vulnerability scanning
- Business continuity and disaster recovery procedures
- Processes for regularly testing, assessing, and evaluating the effectiveness of security measures
5. Sub-processing
5.1. The Company provides a general authorisation to the Processor to engage Sub-processors to process Company Personal Data. A current list of approved Sub-processors is available in our Privacy Policy (Section 16).5.2. The Processor shall notify the Company of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving the Company the opportunity to object to such changes. Notifications will be sent to the email address associated with the Company's Grade account.
5.3. If the Company objects to a new Sub-processor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution can be reached, the Company may terminate the affected services without penalty.
5.4. Where the Processor engages a Sub-processor, the Processor shall impose data protection obligations no less protective than those set out in this DPA by way of a written contract. The Processor shall remain fully liable to the Company for the performance of each Sub-processor's obligations.
6. Data Subject Rights
6.1. Taking into account the nature of the processing, the Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Notification obligation (Article 19)
- Right to data portability (Article 20)
- Right to object (Article 21)
7. Personal Data Breach
7.1. The Processor shall notify the Company without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Company Personal Data. The notification shall include:- A description of the nature of the breach, including the categories and approximate number of Data Subjects and personal data records concerned
- The name and contact details of the Processor's point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
8. Data Protection Impact Assessment
8.1. The Processor shall provide reasonable assistance to the Company with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities that the Company reasonably considers to be required under Article 35 or Article 36 of the GDPR, in each case solely in relation to the processing of Company Personal Data.8.2. Such assistance shall be provided taking into account the nature of processing and the information available to the Processor.
9. Deletion or Return of Company Personal Data
9.1. Upon termination or expiry of the Principal Agreement, the Processor shall, at the Company's election, delete or return all Company Personal Data to the Company within 30 days of such request, and delete existing copies unless applicable law requires storage of the personal data.9.2. Where the Processor is required by applicable law to retain any Company Personal Data, the Processor shall isolate and protect such data from any further processing except to the extent required by law and shall delete it as soon as the legal retention obligation expires.
9.3. The Processor shall provide written certification of deletion upon the Company's request.
10. Audit Rights
10.1. The Processor shall make available to the Company all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Company or an auditor mandated by the Company.10.2. Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Company shall bear its own costs of any audit.
10.3. The Processor shall immediately inform the Company if, in its opinion, an instruction from the Company infringes the GDPR or other applicable data protection provisions.
11. International Data Transfers
11.1. The Processor shall not transfer Company Personal Data outside the EEA or the United Kingdom without the prior written consent of the Company, unless required by applicable law.11.2. Where such transfer is authorised, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914)
- Supplementary measures as recommended by the EDPB where necessary
- Transfer impact assessments where required
12. General Terms
12.1. Confidentiality. Each party shall keep confidential all information received from the other party in connection with this DPA, except where disclosure is required by applicable law, a competent court, or a supervisory authority.12.2. Notices. All notices and communications given under this DPA shall be in writing and shall be delivered by email to the addresses specified in the Principal Agreement or as otherwise notified in writing.
12.3. Liability. Each party's liability under this DPA shall be subject to the exclusions and limitations of liability set out in the Principal Agreement. Nothing in this DPA shall limit either party's liability for breaches of Data Protection Laws.
12.4. Precedence. In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the processing of Company Personal Data.
12.5. Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
13. Governing Law and Jurisdiction
13.1. This DPA shall be governed by and construed in accordance with the laws that govern the Principal Agreement, unless otherwise required by Data Protection Laws.13.2. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts specified in the Principal Agreement.
Annex A — Details of Processing
Categories of Data Subjects
- Content creators and freelancers engaged by the Company
- Company employees and administrators with platform access
- Financial team members involved in payout workflows
Types of Personal Data
- Identity data (name, email, address)
- Tax identification data (W-9, W-8BEN, or equivalent)
- Payment data (payout identifiers, bank details held by payment processors)
- Performance and engagement metrics from connected platforms
- Device and access logs (IP address, browser, timestamps)
Sensitive DataGrade does not intentionally process special categories of personal data (as defined in Article 9 of the GDPR). If such data is incidentally included in Company Personal Data, the Processor shall apply the same security measures described in Article 4 of this DPA.
Duration of ProcessingProcessing shall continue for the duration of the Principal Agreement, plus any applicable retention period required by law or as described in our Privacy Policy (Section 9).
Nature and Purpose of ProcessingThe Processor processes Company Personal Data for the purpose of providing the Grade platform, including performance tracking, payout calculation and execution, identity verification, tax compliance, and platform security, as further described in Article 2.2 of this DPA.
Contact
For questions about this Data Processing Agreement, or to request a signed copy, please contact:Email: lotts@creatorcheck.io
See also our Privacy Policy and Terms & Conditions for additional information.