Neither document is needed to upload data to Grand Challenge.

Data Processing Agreement (DPA) A DPA is only required under GDPR when personal data is being transferred to a third party for processing. The data uploaded to Grand Challenge is expected to be fully anonymized data — once properly anonymized, it no longer qualifies as personal data under GDPR, and the regulation's requirements, including the obligation to have a DPA, do not apply.

Data Transfer Agreement (DTA) A DTA is typically used to govern the transfer of data between two institutions, covering aspects like ownership, permitted use, and liability. Uploading data to Grand Challenge does not constitute such a transfer — you retain full ownership and control over your data, and the relationship with the platform is already governed by the Grand Challenge Terms of Service. Accepting those terms upon registration covers the necessary conditions, making a separate DTA redundant.

If you have any further questions, or your institution does require a specific agreement, please contact us via support@grand-challenge.org.