This Data Processing Agreement ("DPA") is available on request to Fund Manager customers of the Portfolio Tracker. It supplements the Terms of Service and governs the processing of personal data by NIRE HQ Limited on behalf of the customer. It is not a public page. To request a signed copy, contact privacy@nirehq.com.


1. Parties

This DPA is entered into between:

Controller: The Fund Manager organisation that has agreed to NIRE's Terms of Service and uses the Portfolio Tracker ("Customer", "Controller")

Processor: NIRE HQ Limited, a company registered in England and Wales (Company No. 17241292), with its registered office at Seven Grange Lane, Pitsford, Northampton, England, NN6 9AP ("NIRE", "Processor")


2. Background

2.1 The Customer uses the NIRE Portfolio Tracker to store and manage data about portfolio companies, including personal data relating to company contacts, employees, and representatives ("Portfolio Data").

2.2 In providing the Portfolio Tracker, NIRE processes Portfolio Data on behalf of the Customer as a data processor acting on the Customer's instructions, within the meaning of Article 28 of the UK General Data Protection Regulation ("UK GDPR").

2.3 This DPA sets out the obligations and rights of both parties with respect to that processing.


3. Scope of Processing

3.1 Subject Matter

Processing of personal data entered into the Portfolio Tracker by or on behalf of the Customer, including:

3.2 Duration

For the duration of the Customer's active use of the Portfolio Tracker, plus 12 months following account closure (the retention period under the Terms of Service), or until the Customer requests deletion.

3.3 Nature and Purpose

Storing, organising, retrieving, and presenting Portfolio Data to authorised users within the Customer's organisation. The Processor does not use Portfolio Data for any purpose other than providing the service.

3.4 Categories of Data Subjects

3.5 Categories of Personal Data


4. Processor Obligations

NIRE shall, with respect to Portfolio Data:

4.1 Process only on documented instructions. Process personal data only on the Customer's instructions (as expressed through use of the Platform and these Terms), unless required to do so by UK law. If required by law to process for another purpose, NIRE will inform the Customer before processing (unless prohibited by law).

4.2 Confidentiality. Ensure that all personnel authorised to process personal data are bound by appropriate obligations of confidentiality.

4.3 Security. Implement appropriate technical and organisational measures to protect personal data against accidental loss, destruction, alteration, unauthorised disclosure, or access, including:

4.4 Sub-processors. Not engage sub-processors without informing the Customer. The current list of approved sub-processors is in Schedule 1. NIRE will give the Customer at least 30 days' written notice before adding or replacing a sub-processor. The Customer may object in writing within 14 days; if the objection cannot be resolved, either party may terminate the service on notice.

4.5 Data subject rights. Assist the Customer in responding to requests from data subjects exercising their rights under UK GDPR, to the extent possible given the nature of the processing and the information available to NIRE.

4.6 Security incidents. Notify the Customer without undue delay after becoming aware of a personal data breach affecting Portfolio Data, and provide sufficient information to enable the Customer to meet its own notification obligations.

4.7 Data protection impact assessments. Provide reasonable assistance to the Customer in carrying out data protection impact assessments and prior consultations with the ICO where required.

4.8 Deletion or return on termination. On termination of the service, at the Customer's choice, delete or return all personal data to the Customer, and delete existing copies, unless retention is required by law.

4.9 Audit assistance. Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by the Customer or its mandated auditor, on reasonable notice and subject to confidentiality obligations.


5. Controller Obligations

The Customer shall:

5.1 Ensure it has a lawful basis for processing Portfolio Data and has made appropriate disclosures to data subjects.

5.2 Ensure it has the necessary rights, consents, and agreements to store data about portfolio companies with NIRE.

5.3 Provide NIRE with timely instructions, information, and assistance as needed to meet NIRE's obligations under this DPA.

5.4 Ensure that any personal data entered into the Portfolio Tracker is accurate, adequate, and not excessive for the stated purpose.


6. International Transfers

6.1 Portfolio Data processed by NIRE's sub-processors may be transferred outside the UK. All such transfers are subject to appropriate safeguards as set out in Schedule 1.

6.2 NIRE will not transfer Portfolio Data to a country outside the UK unless an appropriate transfer mechanism is in place (Standard Contractual Clauses approved by the ICO, adequacy regulation, or UK IDTA addendum as applicable).


7. Liability

7.1 Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service, except to the extent that such limitations are prohibited by applicable data protection law.

7.2 NIRE's liability for breaches of this DPA relating to personal data is limited to the amount paid by the Customer to NIRE in the 12 months preceding the claim, except in cases of wilful misconduct or gross negligence.


8. Governing Law and Disputes

This DPA is governed by the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.


9. Changes to This DPA

NIRE may update this DPA to reflect changes in applicable law or sub-processor arrangements. Material changes will be notified to the Customer in writing at least 30 days before taking effect. Continued use of the service after the effective date constitutes acceptance.


Schedule 1: Approved Sub-processors

Sub-processorPurposeLocationTransfer Mechanism
Supabase (Supabase Inc.)Database storage, authentication, and row-level securityAWS, US/EU regionsStandard Contractual Clauses; UK IDTA addendum available on request
Vercel (Vercel Inc.)Application hosting, CDN, and serverless functionsUS/EUStandard Contractual Clauses
Stripe (Stripe, Inc.)Payment processing (Founders only; not used for Portfolio Tracker billing)EU/USStandard Contractual Clauses; PCI-DSS compliant
Resend (Resend, Inc.)Transactional email delivery (account notifications, invites)USStandard Contractual Clauses

Schedule 2: Technical and Organisational Security Measures

The following measures are implemented and maintained by NIRE:

Access controls

Data security

Operational security

Incident response


10. Execution

This DPA takes effect on the date the Customer accepted the Terms of Service (or, where a signed copy is exchanged, on the date of last signature).

For a countersigned copy of this DPA, contact: privacy@nirehq.com

NIRE HQ Limited
Seven Grange Lane, Pitsford, Northampton, England, NN6 9AP
Company No. 17241292
VAT Registration: GB 521 0400 63