This Data Processing Agreement ("DPA") is available on request to Fund Manager customers of the Portfolio Tracker. It supplements the Terms of Service and governs the processing of personal data by NIRE HQ Limited on behalf of the customer. It is not a public page. To request a signed copy, contact privacy@nirehq.com.
1. Parties
This DPA is entered into between:
Controller: The Fund Manager organisation that has agreed to NIRE's Terms of Service and uses the Portfolio Tracker ("Customer", "Controller")
Processor: NIRE HQ Limited, a company registered in England and Wales (Company No. 17241292), with its registered office at Seven Grange Lane, Pitsford, Northampton, England, NN6 9AP ("NIRE", "Processor")
2. Background
2.1 The Customer uses the NIRE Portfolio Tracker to store and manage data about portfolio companies, including personal data relating to company contacts, employees, and representatives ("Portfolio Data").
2.2 In providing the Portfolio Tracker, NIRE processes Portfolio Data on behalf of the Customer as a data processor acting on the Customer's instructions, within the meaning of Article 28 of the UK General Data Protection Regulation ("UK GDPR").
2.3 This DPA sets out the obligations and rights of both parties with respect to that processing.
3. Scope of Processing
3.1 Subject Matter
Processing of personal data entered into the Portfolio Tracker by or on behalf of the Customer, including:
- Names and contact details of portfolio company personnel
- Financial and operational data relating to portfolio companies that may include personal data
- User account data for the Customer's invited users
3.2 Duration
For the duration of the Customer's active use of the Portfolio Tracker, plus 12 months following account closure (the retention period under the Terms of Service), or until the Customer requests deletion.
3.3 Nature and Purpose
Storing, organising, retrieving, and presenting Portfolio Data to authorised users within the Customer's organisation. The Processor does not use Portfolio Data for any purpose other than providing the service.
3.4 Categories of Data Subjects
- Employees, directors, and representatives of portfolio companies
- The Customer's own fund managers, analysts, and limited partners with account access
3.5 Categories of Personal Data
- Names and email addresses
- Job titles and organisational roles
- Financial performance data that may be referable to individuals
- Notes and comments entered by the Customer's users
4. Processor Obligations
NIRE shall, with respect to Portfolio Data:
4.1 Process only on documented instructions. Process personal data only on the Customer's instructions (as expressed through use of the Platform and these Terms), unless required to do so by UK law. If required by law to process for another purpose, NIRE will inform the Customer before processing (unless prohibited by law).
4.2 Confidentiality. Ensure that all personnel authorised to process personal data are bound by appropriate obligations of confidentiality.
4.3 Security. Implement appropriate technical and organisational measures to protect personal data against accidental loss, destruction, alteration, unauthorised disclosure, or access, including:
- Encryption of data at rest and in transit (TLS 1.2+)
- Row-level security policies restricting data access to the Customer's own organisation
- Multi-factor authentication available for all user accounts
- Access restricted to minimum necessary roles
4.4 Sub-processors. Not engage sub-processors without informing the Customer. The current list of approved sub-processors is in Schedule 1. NIRE will give the Customer at least 30 days' written notice before adding or replacing a sub-processor. The Customer may object in writing within 14 days; if the objection cannot be resolved, either party may terminate the service on notice.
4.5 Data subject rights. Assist the Customer in responding to requests from data subjects exercising their rights under UK GDPR, to the extent possible given the nature of the processing and the information available to NIRE.
4.6 Security incidents. Notify the Customer without undue delay after becoming aware of a personal data breach affecting Portfolio Data, and provide sufficient information to enable the Customer to meet its own notification obligations.
4.7 Data protection impact assessments. Provide reasonable assistance to the Customer in carrying out data protection impact assessments and prior consultations with the ICO where required.
4.8 Deletion or return on termination. On termination of the service, at the Customer's choice, delete or return all personal data to the Customer, and delete existing copies, unless retention is required by law.
4.9 Audit assistance. Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by the Customer or its mandated auditor, on reasonable notice and subject to confidentiality obligations.
5. Controller Obligations
The Customer shall:
5.1 Ensure it has a lawful basis for processing Portfolio Data and has made appropriate disclosures to data subjects.
5.2 Ensure it has the necessary rights, consents, and agreements to store data about portfolio companies with NIRE.
5.3 Provide NIRE with timely instructions, information, and assistance as needed to meet NIRE's obligations under this DPA.
5.4 Ensure that any personal data entered into the Portfolio Tracker is accurate, adequate, and not excessive for the stated purpose.
6. International Transfers
6.1 Portfolio Data processed by NIRE's sub-processors may be transferred outside the UK. All such transfers are subject to appropriate safeguards as set out in Schedule 1.
6.2 NIRE will not transfer Portfolio Data to a country outside the UK unless an appropriate transfer mechanism is in place (Standard Contractual Clauses approved by the ICO, adequacy regulation, or UK IDTA addendum as applicable).
7. Liability
7.1 Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service, except to the extent that such limitations are prohibited by applicable data protection law.
7.2 NIRE's liability for breaches of this DPA relating to personal data is limited to the amount paid by the Customer to NIRE in the 12 months preceding the claim, except in cases of wilful misconduct or gross negligence.
8. Governing Law and Disputes
This DPA is governed by the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
9. Changes to This DPA
NIRE may update this DPA to reflect changes in applicable law or sub-processor arrangements. Material changes will be notified to the Customer in writing at least 30 days before taking effect. Continued use of the service after the effective date constitutes acceptance.
Schedule 1: Approved Sub-processors
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase (Supabase Inc.) | Database storage, authentication, and row-level security | AWS, US/EU regions | Standard Contractual Clauses; UK IDTA addendum available on request |
| Vercel (Vercel Inc.) | Application hosting, CDN, and serverless functions | US/EU | Standard Contractual Clauses |
| Stripe (Stripe, Inc.) | Payment processing (Founders only; not used for Portfolio Tracker billing) | EU/US | Standard Contractual Clauses; PCI-DSS compliant |
| Resend (Resend, Inc.) | Transactional email delivery (account notifications, invites) | US | Standard Contractual Clauses |
Schedule 2: Technical and Organisational Security Measures
The following measures are implemented and maintained by NIRE:
Access controls
- Role-based access control: four roles (
fund_manager,analyst,lp,portfolio_company) with differentiated permissions - Row-level security in the database: users can only access data belonging to their own organisation
- Multi-factor authentication (TOTP) available for all accounts
- Secure password hashing via Supabase Auth (bcrypt)
Data security
- All data encrypted at rest (AES-256 via AWS infrastructure managed by Supabase)
- All data in transit encrypted via TLS 1.2+
- HTTP-only session cookies; server-side session validation on every request
Operational security
- Access to production environment restricted to minimum necessary personnel
- No direct production database access outside of Supabase console (restricted by credentials)
Incident response
- Processor will notify Controller without undue delay (and in any event within 72 hours where feasible) upon becoming aware of a personal data breach
10. Execution
This DPA takes effect on the date the Customer accepted the Terms of Service (or, where a signed copy is exchanged, on the date of last signature).
For a countersigned copy of this DPA, contact: privacy@nirehq.com
NIRE HQ Limited
Seven Grange Lane, Pitsford, Northampton, England, NN6 9AP
Company No. 17241292
VAT Registration: GB 521 0400 63