Global Data Processing Agreement
This Data Processing Agreement (this "Agreement" or "DPA") forms part of and supplements the booking forms, order forms, master services agreement, statement of work and/or any other commercial contract entered into between the parties (the "Global Services Agreement"), and is made effective from the date of signature of the last party to sign below (the "Effective Date").
between the undersigned parties:
(i) The Client (the "Controller"); and
(ii) Givergy Ltd / Givergy Inc, whose trading address is Rosedale Studios, Rosedale Road, Richmond, TW9 2SX, United Kingdom ("Givergy" or the "Processor"), each a "Party" and together the "Parties".
1. Terms of Agreement
1.1 This Agreement supplements the Principal Contract and makes legally binding provisions for compliance with Data Protection Laws in respect of all Processing of Personal Data carried out by the Processor on behalf of the Controller. As required by Article 28 of the EU GDPR and Article 28 of the UK GDPR, all Processing of Personal Data by a processor on behalf of a controller shall be governed by a contract that is binding on the processor with regard to the controller. The terms, obligations and rights set out in this Agreement relate directly to the Processing activities and conditions described in Schedule 1.
1.2 The terms used in this Agreement have the meanings set out in clause 2 (Definitions). Any capitalised term used but not defined in this Agreement shall have the meaning given to it in the Principal Contract.
1.3 In the event of any conflict or inconsistency between the provisions of this Agreement and the Principal Contract, the provisions of this Agreement shall prevail to the extent that the conflict relates to the Processing of Personal Data. In the event of any conflict between this Agreement and the Standard Contractual Clauses or the UK Addendum (as defined and incorporated under Schedule 4), the Standard Contractual Clauses or the UK Addendum (as applicable) shall prevail.
1.4 This Agreement is intended to satisfy the requirements of Article 28(3) of the EU GDPR and Article 28(3) of the UK GDPR. The Parties acknowledge that the absence of a specific term in this Agreement does not relieve either Party of its statutory obligations under Data Protection Laws.
2. Definitions
In this Agreement, unless the context requires otherwise, the following words and expressions shall have the meanings set out below.
2.1 "APP" or "Australian Privacy Principle" means an Australian Privacy Principle set out in Schedule 1 to the Privacy Act, and "APPs" means those principles collectively.
2.2 "APP Entity" has the meaning given in section 6(1) of the Privacy Act.
2.3 "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, as defined in Article 4(7) of the GDPR. Where the context requires under the Privacy Act, the term shall be read as a reference to the APP Entity that determines the purposes for which Personal Information is collected, used or disclosed.
2.4 "Data Protection Laws" means, in respect of the Processing of Personal Data hereunder: (i) the EU GDPR; (ii) the UK GDPR; (iii) the United Kingdom Data Protection Act 2018; (iv) the EU ePrivacy Directive 2002/58/EC and any national implementing legislation, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (UK PECR); (v) the Privacy Act 1988 (Cth) of Australia (the "Privacy Act"), including the Australian Privacy Principles in Schedule 1 thereto, the Notifiable Data Breaches scheme in Part IIIC and any binding registered APP code, in each case as amended (including by the Privacy and Other Legislation Amendment Act 2024 (Cth)); and (vi) any other data protection or privacy law applicable to the Processing, in each case as amended, replaced or superseded from time to time, together with any binding guidance, opinion, code of practice or determination issued by a Supervisory Authority.
2.5 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates. For the purposes of the Privacy Act, the term shall be read as a reference to the individual to whom Personal Information relates.
2.6 "EEA" means the European Economic Area.
2.7 "Effective Date" means the date on which this Agreement comes into force, as set out on the cover page or, if none is stated, the date of signature of the last Party to sign.
2.8 "Eligible Data Breach" has the meaning given in section 26WE of the Privacy Act, namely (in summary) unauthorised access to, unauthorised disclosure of or loss of Personal Information held by an APP Entity that is likely to result in serious harm to any individual to whom the information relates, where the entity has not been able to prevent the likely risk of serious harm with remedial action.
2.9 "EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
2.10 "GDPR" means, as the context requires, the EU GDPR, the UK GDPR or both.
2.11 "NDB Scheme" means the Notifiable Data Breaches scheme set out in Part IIIC of the Privacy Act.
2.12 "OAIC" means the Office of the Australian Information Commissioner (which exercises the functions of the Australian Information Commissioner and the Privacy Commissioner under the Privacy Act), and any successor authority.
2.13 "Personal Data" has the meaning given to it in Article 4(1) of the GDPR and refers, for the purposes of this Agreement, only to Personal Data Processed by the Processor on behalf of the Controller pursuant to the Principal Contract. For Processing within the territorial scope of the Privacy Act, references to Personal Data shall be read as including "Personal Information" within the meaning of section 6(1) of the Privacy Act.
2.14 "Personal Data Breach" has the meaning given to it in Article 4(12) of the GDPR. For Processing within the territorial scope of the Privacy Act, the term shall be read as including any unauthorised access to, unauthorised disclosure of, or loss of Personal Information that is, or may be, an Eligible Data Breach for the purposes of the NDB Scheme.
2.15 "Principal Contract" means the main commercial contract between the Parties (including any booking form, order form, master services agreement or statement of work) to which this Agreement is annexed or otherwise applies.
2.16 "Privacy Act" means the Privacy Act 1988 (Commonwealth) of Australia, as amended (including by the Privacy and Other Legislation Amendment Act 2024), together with any regulations and any registered APP code made or issued under it from time to time.
2.17 "Processing" has the meaning given to it in Article 4(2) of the GDPR; "Process", "Processes" and "Processed" shall be construed accordingly. For the purposes of the Privacy Act, references to Processing shall be read as including any act of collection, holding, use or disclosure of Personal Information.
2.18 "Processor" means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller, as defined in Article 4(8) of the GDPR. The Processor under this Agreement is Givergy. Where the context requires under the Privacy Act, the term shall be read as a reference to Givergy as a service provider acting on behalf of an APP Entity Controller, on the basis that Givergy may itself be an APP Entity in respect of its own activities.
2.19 "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA which is not subject to an adequacy decision adopted by the European Commission under Article 45 of the EU GDPR; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to a country outside the United Kingdom which is not subject to a regulation adopted by the Secretary of State under section 17A of the UK Data Protection Act 2018 or otherwise designated as adequate; and (iii) where the Privacy Act applies, a disclosure of Personal Information about an individual to an overseas recipient (within the meaning of APP 8 and section 16C of the Privacy Act).
2.20 "Sensitive Information" has the meaning given in section 6(1) of the Privacy Act, including information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record (that is also Personal Information), as well as health information, genetic information, biometric information used for the purpose of automated biometric verification or biometric identification, or biometric templates.
2.21 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR, set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as updated, replaced or superseded from time to time.
2.22 "Special Category Data" means Personal Data falling within the categories set out in Article 9(1) GDPR (revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation), and Personal Data relating to criminal convictions and offences within Article 10 GDPR.
2.23 "Sub-Processor" means any person or entity (including any affiliate of the Processor) appointed by or on behalf of the Processor to Process Personal Data on behalf of the Controller in connection with the Principal Contract.
2.24 "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the EU GDPR, the Information Commissioner's Office (the "ICO") in the United Kingdom, the OAIC in Australia, and any other public authority with statutory authority to supervise compliance with Data Protection Laws applicable to the Processing under this Agreement, and any successor authority.
2.25 "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under section 119A of the UK Data Protection Act 2018, version B1.0 in force from 21 March 2022, as updated, replaced or superseded from time to time.
2.26 "UK GDPR" means the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419), and as further amended from time to time.
2.27 "UK IDTA" means the International Data Transfer Agreement issued by the Information Commissioner under section 119A of the UK Data Protection Act 2018, version A1.0 in force from 21 March 2022, as updated, replaced or superseded from time to time.
3. Subject Matter, Nature, Purpose, Duration and Categories
3.1 The subject matter, nature and purpose of the Processing, the type of Personal Data Processed, the categories of Data Subjects, the duration of the Processing and the obligations and rights of the Controller are as set out in Schedule 1 to this Agreement.
3.2 The Processor shall not Process Personal Data for any purpose other than as set out in Schedule 1, the Principal Contract or any other documented instructions issued by the Controller from time to time.
3.3 The Parties acknowledge that, in respect of the Processing under this Agreement, the Controller is the controller of the Personal Data and the Processor (Givergy) is a processor acting on behalf of the Controller. Where Givergy Processes Personal Data for its own purposes (including for the provision of statistical, security, fraud-prevention, billing, internal record-keeping, product-improvement or any other purpose determined by Givergy), Givergy shall act as a controller in respect of such Processing and shall comply with Data Protection Laws in its own right; such Processing falls outside the scope of this Agreement and is governed by Givergy's Privacy Notice.
4. Obligations of the Processor
4.1 Documented Instructions (Article 28(3)(a) GDPR)
4.1.1 The Processor shall Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law (or, in the case of the UK GDPR, the law of the United Kingdom) to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest.
4.1.2 This Agreement, together with the Principal Contract and Schedule 1, constitute the Controller's initial documented instructions. Any further instructions must be issued in writing (including by email).
4.1.3 The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Laws. In such a case, the Processor is entitled to suspend performance of the relevant instruction until the Controller confirms or modifies it.
4.2 Confidentiality (Article 28(3)(b) GDPR)
4.2.1 The Processor shall ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access to Personal Data is granted on a strict need-to-know basis.
4.2.2 The Processor shall require all such persons to undertake regular and documented training on data protection and information security obligations.
4.3 Security of Processing (Article 32 GDPR)
4.3.1 The Processor shall implement and maintain the technical and organisational measures set out in Schedule 3 (the "TOMs"), being measures appropriate to the risk presented by the Processing in accordance with Article 32 of the GDPR. Where the TOMs would not be sufficient to address a particular risk reasonably foreseeable to the Processor, the Processor shall notify the Controller and propose additional measures.
4.3.2 When assessing the appropriate level of security, the Processor shall take into account in particular the risks presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
4.3.3 The Processor may update the TOMs from time to time, provided that any such update does not result in a material reduction of the security of the Personal Data. The Processor shall make the current TOMs available to the Controller on request.
4.4 Sub-Processors (Article 28(2) and 28(4) GDPR)
4.4.1 The Controller hereby grants the Processor general written authorisation to engage Sub-Processors for the purpose of providing the Services, subject to the terms of this clause 4.4. The Processor's current Sub-Processors are listed in Schedule 2 and on the Processor's sub-processor page accessible at https://www.givergy.com/uk/fundraise/dataProcessors/ (the "Sub-Processor List").
4.4.2 The Processor shall provide the Controller with at least thirty (30) days' prior notice of any intended addition or replacement of a Sub-Processor ("Sub-Processor Notice"). Notice may be given by updating the Sub-Processor List, by email to the Controller's designated contact, or by any other reasonable means notified to the Controller.
4.4.3 The Controller may object in writing to the appointment of a new Sub-Processor on reasonable data-protection grounds within thirty (30) days of the Sub-Processor Notice. The Parties shall discuss the objection in good faith with a view to reaching a mutually acceptable resolution. If no resolution is reached within thirty (30) days, the Controller may, as its sole and exclusive remedy, terminate the Principal Contract (or the relevant part of it affected by the new Sub-Processor) with effect from the date the new Sub-Processor would otherwise be engaged, without liability to either Party other than in respect of accrued obligations and any work-in-progress.
4.4.4 The Processor shall enter into a written contract with each Sub-Processor that imposes on the Sub-Processor data-protection obligations equivalent to and no less protective than those set out in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the Processing meets the requirements of Data Protection Laws.
4.4.5 The Processor shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations under the relevant sub-processing contract.
4.5 International Transfers
4.5.1 The Processor shall not make a Restricted Transfer of Personal Data unless: (i) the Controller has authorised the transfer in writing (such authorisation being given for the transfers identified in Schedule 2); and (ii) an appropriate transfer mechanism is in place under Chapter V of the GDPR or, as applicable, under APP 8 and section 16C of the Privacy Act, as further described in Schedule 4 and (in respect of Australian disclosures) in Schedule 5.
4.5.2 Where the Processor relies on the Standard Contractual Clauses or the UK Addendum to legitimise a Restricted Transfer, the Parties agree that those clauses are incorporated by reference into this Agreement on the terms set out in Schedule 4 and that, in the event of any conflict, those clauses shall prevail.
4.5.3 The Processor shall, in respect of each Restricted Transfer, conduct and document a transfer impact assessment in line with EDPB Recommendations 01/2020 (or any successor guidance) and, where the Privacy Act applies to the disclosure, having regard to the OAIC's APP Guidelines on cross-border disclosure (Chapter 8). The Processor shall make such assessment available to the Controller on reasonable request.
4.5.4 Where Personal Information is disclosed to an overseas recipient in circumstances to which APP 8.1 applies, the Processor shall ensure, by contractual or equivalent enforceable means, that the recipient does not breach the Australian Privacy Principles in relation to the Personal Information; and the Parties acknowledge that section 16C of the Privacy Act may render the disclosing entity accountable for the acts and practices of the recipient. The application of the exceptions in APP 8.2 (including substantially similar law and reasonable steps) shall be documented in Schedule 5.
4.6 Assistance with Data Subject Rights (Article 28(3)(e) GDPR)
4.6.1 The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
4.6.2 If the Processor receives a request directly from a Data Subject, the Processor shall promptly forward that request to the Controller and shall not respond substantively without the Controller's prior written authorisation, save to confirm receipt and refer the Data Subject to the Controller.
4.7 Assistance with Compliance Obligations (Article 28(3)(f) GDPR)
4.7.1 The Processor shall provide the Controller with reasonable assistance, taking into account the nature of the Processing and the information available to the Processor, in ensuring compliance with the Controller's obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments and prior consultation with a Supervisory Authority).
4.8 Personal Data Breach Notification (Article 33 GDPR; Part IIIC Privacy Act)
4.8.1 The Processor shall notify the Controller without undue delay, and in any event within forty-eight (48) hours of becoming aware of a Personal Data Breach affecting Controller Personal Data.
4.8.2 The notification shall, to the extent reasonably possible at the time, contain at least: (i) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; (ii) the name and contact details of the Processor's data protection officer or other contact point; (iii) a description of the likely consequences of the Personal Data Breach; (iv) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; (v) for any breach affecting Personal Information within the territorial scope of the Privacy Act, an indication as to whether, in the Processor's preliminary assessment, the breach is or is likely to be an Eligible Data Breach for the purposes of the NDB Scheme; and (vi) any other information reasonably required by the Controller for the purpose of complying with Articles 33 and 34 of the GDPR or Part IIIC of the Privacy Act.
4.8.3 Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. The Processor shall reasonably co-operate with and provide such further information as may be required by the Controller to investigate and respond to a Personal Data Breach, including any assessment under section 26WH of the Privacy Act of whether an Eligible Data Breach has occurred and any preparation of a statement to the OAIC under section 26WK.
4.8.4 The Processor shall not communicate with any Data Subject, Supervisory Authority (including the OAIC), or other regulator in respect of a Personal Data Breach affecting Controller Personal Data without the Controller's prior written approval, save where required by law applicable to the Processor.
4.8.5 Where Givergy is itself an APP Entity in respect of Personal Information affected by a breach, Givergy shall comply with its independent obligations under the NDB Scheme. Nothing in this Agreement transfers, suspends or qualifies any such independent obligation.
4.9 Deletion or Return of Personal Data (Article 28(3)(g) GDPR)
4.9.1 On termination of the Principal Contract, or earlier if requested in writing by the Controller, the Processor shall, at the Controller's choice, return or delete all Personal Data Processed on behalf of the Controller and delete existing copies, save where Union, Member State or UK law requires storage of the Personal Data. Where deletion is requested, the Processor shall ensure that all live, archive and back-up copies are deleted in line with the Processor's documented retention and erasure procedures.
4.9.2 The Processor shall provide a written certification of deletion to the Controller within thirty (30) days of completion of deletion, on request.
4.9.3 The Processor may retain Personal Data for the duration of any retention period required by law, provided that it shall continue to ensure the confidentiality and security of such Personal Data and shall Process it solely for the purposes for which retention is required.
4.9.4 Notwithstanding clause 4.9.1, the Processor may continue to retain anonymised data (which is no longer Personal Data within the meaning of Article 4(1) GDPR) for any purpose.
4.10 Audit and Information Rights (Article 28(3)(h) GDPR)
4.10.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
4.10.2 Such audits shall be conducted: (i) on at least thirty (30) days' prior written notice (save where required earlier by a Supervisory Authority or following a Personal Data Breach); (ii) during the Processor's normal business hours; (iii) no more than once in any twelve (12) month period (save where required by a Supervisory Authority or following a Personal Data Breach); and (iv) subject to reasonable confidentiality obligations and any operational, security or legal restrictions imposed by the Processor.
4.10.3 The Controller may, in lieu of conducting an on-site audit, accept the Processor's most recent independent third-party audit reports (including SOC 2 Type II reports, ISO/IEC 27001 certification statements and equivalent attestations), penetration test summaries and other security assurance documentation as evidence of the Processor's compliance with this Agreement.
4.10.4 Each Party shall bear its own costs of any audit, save that the Controller shall reimburse the Processor for the reasonable and documented internal costs of supporting any audit that exceeds one (1) business day per twelve (12) month period.
4.11 Record of Processing Activities (Article 30(2) GDPR)
4.11.1 The Processor shall maintain a written (including in electronic form) record of all categories of Processing activities carried out on behalf of the Controller in accordance with Article 30(2) of the GDPR, including: (i) the name and contact details of the Processor and, where applicable, of the Controller, the Controller's representative and the Controller's data protection officer; (ii) the categories of Processing carried out on behalf of the Controller; (iii) where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and the suitable safeguards relied upon; and (iv) a general description of the technical and organisational measures referred to in Article 32(1) GDPR.
4.11.2 The Processor shall make the record available to a Supervisory Authority on request and shall inform the Controller of any such request unless prohibited by law.
4.12 Data Protection Officer
4.12.1 The Processor shall designate a data protection officer (or equivalent privacy lead where designation is not required by law) for the duration of the Principal Contract. The contact details for the Processor's data protection officer / privacy lead are: dpo@givergy.com.
4.12.2 The Processor shall co-operate with Supervisory Authorities in accordance with Article 31 of the GDPR and any equivalent provision of applicable Data Protection Laws.
4.13 Non-Derogation
4.13.1 Nothing in this Agreement relieves the Processor of its own direct responsibilities, obligations and liabilities under Data Protection Laws.
4.13.2 The Processor is responsible for ensuring that each of its employees, agents, contractors and Sub-Processors is made aware of, and complies with, the obligations under this Agreement and Data Protection Laws.
4.14 Australian Privacy Principles — Allocation of Responsibility
4.14.1 Where the Processing of Personal Information falls within the territorial scope of the Privacy Act, the Parties shall comply with the Privacy Act and the Australian Privacy Principles in relation to that Processing. Schedule 5 (Australia-specific Terms) sets out the detailed APP-by-APP allocation of responsibility between the Parties; in the event of inconsistency between this clause 4.14 and Schedule 5, Schedule 5 prevails.
4.14.2 The Controller shall be responsible (as APP Entity) for: (i) APP 1 (open and transparent management) at the level of donor- and supporter-facing privacy notices; (ii) APP 3 (collection of solicited Personal Information); (iii) APP 5 (notification of collection); (iv) APP 6 (use or disclosure for the primary purpose), including giving the Processor lawful, documented instructions; (v) APP 7 (direct marketing) including the obtaining and management of any consent or opt-out; and (vi) APP 9 (government related identifiers), to the extent any such identifiers are introduced into the Processing.
4.14.3 The Processor shall: (i) take reasonable steps under APP 11.1 to protect Personal Information from misuse, interference, loss, unauthorised access, modification or disclosure, applying the technical and organisational measures set out in Schedule 3; (ii) take reasonable steps under APP 11.2 to destroy or de-identify Personal Information when no longer needed; (iii) assist the Controller in giving an individual access to and correction of his or her Personal Information under APPs 12 and 13; (iv) where it discloses Personal Information to an overseas recipient, take reasonable steps under APP 8.1; and (v) where Givergy is itself an APP Entity, comply with the APPs in its own right.
4.14.4 The Parties acknowledge that the Privacy and Other Legislation Amendment Act 2024 has introduced further requirements potentially relevant to the Processing, including a statutory tort for serious invasions of privacy, enhanced enforcement powers of the OAIC, and (when commenced) a Children's Online Privacy Code and additional transparency requirements for automated decision-making with significant effect. The Parties shall comply with each such requirement to the extent it applies to the Processing on its commencement, and shall co-operate in good faith to update this Agreement (in particular Schedule 5) to reflect any changes to applicable Australian law from time to time.
4.14.5 Each Party agrees that the OAIC is a Supervisory Authority for the purposes of this Agreement to the extent the Privacy Act applies, and the Processor shall co-operate with the OAIC in respect of any investigation, inquiry, determination or enforcement action concerning Personal Information Processed under this Agreement.
5. Obligations of the Controller
5.1 The Controller warrants and represents that: (i) it has, and shall maintain throughout the term of the Principal Contract, all necessary rights, consents, authorisations and notices required under Data Protection Laws to enable the Personal Data to be Processed by the Processor in accordance with this Agreement; (ii) its instructions to the Processor (including those described in Schedule 1) are lawful and comply with Data Protection Laws; and (iii) it has fulfilled its information obligations to Data Subjects under Articles 13 and 14 of the GDPR.
5.2 The Controller shall be responsible for the lawfulness of the collection, transmission and disclosure of Personal Data to the Processor and for the determination of the purposes and means of Processing.
5.3 The Controller authorises the Processor to engage the Sub-Processors set out or referenced in Schedule 2, subject to the change-notification mechanism in clause 4.4.
5.4 The Controller shall provide the Processor with the contact details of its data protection officer or privacy lead (if any) and any other reasonable information necessary for the Processor to perform its obligations under this Agreement and Data Protection Laws.
6. Special Category Data, Sensitive Information and Children's Data
6.1 Save where expressly identified in Schedule 1, the Personal Data Processed under this Agreement does not include Special Category Data, Sensitive Information or Personal Data relating to criminal convictions and offences. The Controller shall not transfer or otherwise make available to the Processor any Special Category Data, Sensitive Information or criminal-offence data without the prior written agreement of the Processor and the implementation of any additional safeguards required under Article 9 or Article 10 of the GDPR or under the Privacy Act in respect of Sensitive Information (including the consent and use-or-disclosure constraints in APPs 3.3 and 6.3).
6.2 The Controller acknowledges that the Processor's services are not intended to be used in connection with Personal Data of children under the age of thirteen (13). Where the Controller intends to use the services in connection with fundraising, ticketing, prize-draw or auction activities involving Data Subjects who are or are likely to be children, the Controller shall: (i) inform the Processor in writing in advance; (ii) obtain any necessary parental or guardian consent in accordance with Article 8 of the GDPR and any analogous requirement under applicable law; (iii) implement appropriate measures to protect the rights and interests of children consistent with the ICO's Children's Code (the Age Appropriate Design Code), the Children's Online Privacy Code as and when commenced under the Privacy Act, and equivalent guidance issued under the EU GDPR.
7. Liability and Indemnity
7.1 The liability of each Party under or in connection with this Agreement (including for breach of Data Protection Laws) shall be subject to the exclusions and limitations of liability set out in the Principal Contract, save that nothing in this Agreement or the Principal Contract shall limit or exclude either Party's liability: (i) for fraud or fraudulent misrepresentation; (ii) for death or personal injury caused by negligence; or (iii) where and to the extent that liability cannot be limited or excluded under applicable law (including Article 82 of the GDPR).
7.2 Each Party shall be liable to the other for damages caused by Processing only where it has not complied with obligations of Data Protection Laws specifically directed to processors (in the case of the Processor) or controllers (in the case of the Controller), or where it has acted outside or contrary to the lawful instructions of the Controller.
7.3 Where a Party has paid full compensation to a Data Subject for damage suffered, that Party shall be entitled to claim back from the other Party that part of the compensation corresponding to the other Party's share of responsibility, in line with Article 82(5) GDPR.
8. Penalties, Suspension and Termination
8.1 The Processor acknowledges the legal and enforcement actions to which it may be subject under Data Protection Laws for any failure to meet its obligations, including: (i) the investigative and corrective powers of Supervisory Authorities under Article 58 of the GDPR; (ii) administrative fines under Article 83 of the GDPR; (iii) compensation obligations under Article 82 of the GDPR; and (iv) any other penalties applicable under local laws.
8.2 Without prejudice to its other rights, the Controller may suspend the transfer of Personal Data to the Processor and/or terminate the Principal Contract (or the relevant part affected) where: (i) the Processor is in material breach of this Agreement and has not remedied the breach within thirty (30) days of written notice to do so; (ii) the Processor is unable to comply with Data Protection Laws for any reason and the Parties cannot agree on a remedy within a reasonable period; or (iii) a Supervisory Authority orders the suspension or cessation of the Processing.
8.3 Termination of this Agreement shall be without prejudice to the obligations of the Parties under clauses 4.9 (Deletion or return), 4.11 (Records), 7 (Liability), and any other provisions which by their nature are intended to survive termination.
9. Order of Precedence
9.1 In the event of conflict, the order of precedence between documents addressing data protection matters between the Parties shall be: (i) the Standard Contractual Clauses and the UK Addendum (where applicable to a particular Restricted Transfer); (ii) Schedule 5 of this Agreement (Australia-specific Terms), but only in respect of Processing within the territorial scope of the Privacy Act and only to the extent of any inconsistency with the rest of this Agreement; (iii) this Agreement (excluding Schedule 5); (iv) the Principal Contract; and (v) any other agreement between the Parties.
10. Governing Law and Jurisdiction
10.1 This Agreement shall be governed by and construed in accordance with the laws of England and Wales (or, where the Principal Contract is entered into between the Controller and Givergy Inc. and is governed by the laws of the State of New York, the laws of the State of New York; or, where the Principal Contract is entered into between the Controller and Givergy Ltd (Australia) and is governed by the laws of the Commonwealth of Australia and a State or Territory thereof, those laws), and each Party agrees to submit to the exclusive jurisdiction of the courts of England and Wales (or, where applicable, the courts of the State of New York, or the courts of the relevant Australian jurisdiction), save that nothing in this clause limits or restricts the rights of a Data Subject or a Supervisory Authority (including the OAIC) under Data Protection Laws.
10.2 Where the Standard Contractual Clauses or the UK Addendum apply to a particular Restricted Transfer, the governing law and jurisdiction of those clauses (as completed in Schedule 4) shall apply to that transfer. Where Schedule 5 applies to a particular Processing of Personal Information, the operation of the Privacy Act and any Australian-law provisions of Schedule 5 shall not be displaced by this clause.
Schedule 1 — Processing Details (Article 28(3) GDPR)
| Subject matter of the Processing | Provision by Givergy of its fundraising-platform services to the Controller, including online and in-person auction, prize-draw, donation, ticketing and payment-collection services. |
|---|---|
| Duration of the Processing | The duration of the Principal Contract, plus any retention period required for the purposes set out in clause 4.9 (Deletion or return) and applicable law. |
| Nature of the Processing | Collection, recording, organisation, structuring, storage, retrieval, consultation, use, hosting, transmission, disclosure to authorised Sub-Processors, restriction, erasure or destruction of Personal Data, in each case for the provision of the services set out in the Principal Contract. |
| Purpose of the Processing | Enabling the Controller to operate fundraising events (including auctions, prize draws, donations, ticketing and payments); providing event-related communications to Data Subjects on behalf of the Controller; producing reports and analytics for the Controller; performance of the Principal Contract; and compliance with the Processor's legal obligations as a processor under Data Protection Laws. |
| Categories of Data Subjects | Event attendees, online participants, bidders, donors, ticket buyers, prize-draw entrants and other supporters of the Controller; the Controller's staff and event organisers. |
| Categories of Personal Data | Identification and contact data: full name, email address, telephone number, postal address. Financial data: limited cardholder data and tokenised payment-method identifiers necessary to authorise and reconcile transactions (full primary account numbers are not stored by Givergy and are processed by Givergy's payment Sub-Processors in their capacity as PCI DSS-compliant service providers). Transactional data: bid amounts, donation amounts, ticket purchases, prize-draw entries, and pledge moments. Electronic identifiers: IP address, device identifiers, online identifiers, browser metadata. User-generated content: comments, messages, profile fields where supplied by the Data Subject. |
| Special Category Data and criminal-offence data | None, save where expressly identified by the Controller in writing in advance and subject to clause 6 of this Agreement. |
| Frequency of the transfer | Continuous, for the duration of the Principal Contract. |
| Retention period | For the duration of the Principal Contract. After termination, at the Controller's instruction, return or deletion within the period agreed (and in any event no later than ninety (90) days from termination, save where retention is required by law). Identifying fields (name, email, phone number, postal address) shall be obfuscated by the Processor on the Controller's instruction after each event when no longer required. Anonymised aggregate data may be retained indefinitely for the Processor's legitimate purposes. |
| Identity of the Processor | Givergy Ltd (UK), registered office: Rosedale Studios, Rosedale Road, Richmond, TW9 2SX, United Kingdom; and/or Givergy Inc (US), as applicable to the Principal Contract. Processor data protection contact: dpo@givergy.com. |
| Identity of the Controller | As set out on the cover page of this Agreement. |
Schedule 2 — Authorised Sub-Processors and Onward Transfers
The Controller authorises the Processor to engage the Sub-Processors listed below for the purpose of providing the services. The Processor maintains an up-to-date and complete list of Sub-Processors at https://www.givergy.com/uk/fundraise/dataProcessors/ (the "Sub-Processor List"), including Sub-Processors used for technical, marketing, and auction-item or lot-related functions. The Sub-Processors listed below comprise the Processor's data and analytics stack and are used in connection with the Processing of Controller Personal Data.
Part A — Data and Analytics Sub-Processors (Onward Transfers)
| Sub-Processor (and parent entity) | Function / Processing operation | Location of processing / data residency | Transfer mechanism for Restricted Transfers |
|---|---|---|---|
| dbt Labs, Inc. (operating dbt Cloud) | Data transformation and modelling within the Processor's data warehouse environment; orchestration of data pipelines. | United States; certain regions (e.g. EU, EMEA) may be available depending on the deployment region selected by the Processor. | Where data is transferred to the United States: EU SCCs (Module 3, Processor-to-Processor) and the UK Addendum, supplemented by reliance on the EU-US Data Privacy Framework where the importer is certified, and supplementary technical and organisational measures as appropriate (encryption in transit and at rest, access controls). |
| Snowflake Inc. | Cloud data warehousing; storage and querying of analytical datasets containing pseudonymised event and transactional data. | Account region selected by the Processor (EU/UK regions where available); otherwise United States. | EU SCCs (Module 3) and the UK Addendum where data is transferred outside the EEA / UK to a non-adequate country; the Processor relies on Snowflake's Data Processing Addendum and customer-controlled encryption keys where applicable. |
| Lightdash Ltd | Self-service business intelligence and visualisation layer connecting to the Processor's data warehouse; access to dashboards and metrics by authorised Processor personnel. | United Kingdom (Lightdash Cloud EU/UK region) where available; otherwise hosted by the Processor in its own infrastructure region. | Where data remains in the United Kingdom or EEA: no transfer mechanism required. Where any element of the service involves transfer to a non-adequate country: EU SCCs (Module 3) and the UK Addendum. |
| Amplitude, Inc. | Product analytics; analysis of pseudonymised user-interaction events on the Processor's platform for product-improvement purposes. | United States (with data residency options for EU customers depending on contract). | EU SCCs (Module 3) and the UK Addendum, supplemented by reliance on the EU-US Data Privacy Framework where the importer is certified, and configuration of Amplitude's privacy and IP-anonymisation features in line with EDPB Guidelines 04/2019 and 05/2020. |
| FullStory, Inc. | Digital experience analytics including session replay and funnel analysis to support troubleshooting and product-improvement, configured to mask sensitive form fields and personal identifiers. | United States. | EU SCCs (Module 3) and the UK Addendum, supplemented by reliance on the EU-US Data Privacy Framework where the importer is certified. Supplementary measures: configuration of element-level masking and exclusion rules; suppression of payment-card and special-category fields; minimisation of session-replay scope; documented transfer impact assessment. |
| Twilio Inc. (operating Twilio Segment) | Customer Data Platform: collection, transformation and routing of pseudonymised event data between the Processor's applications and downstream analytics and warehousing destinations. | United States and EU (Frankfurt and Dublin regions, where available, depending on workspace configuration). | EU SCCs (Module 3) and the UK Addendum where data is transferred outside the EEA / UK to a non-adequate country; the Processor relies on Twilio's Data Processing Addendum incorporating the SCCs. |
Part B — Other Sub-Processors
The remaining Sub-Processors engaged by the Processor (including hosting, payment, communications, customer-support, marketing and event-related Sub-Processors) are listed and maintained on the Sub-Processor List at https://www.givergy.com/uk/data-processors/. Each such Sub-Processor is engaged under a written contract that imposes data-protection obligations equivalent to and no less protective than those set out in this Agreement, in accordance with Article 28(4) GDPR.
Schedule 3 — Technical and Organisational Measures (Article 32 GDPR)
This Schedule sets out the technical and organisational measures (the "TOMs") implemented and maintained by the Processor to ensure a level of security appropriate to the risks presented by the Processing, in accordance with Article 32 of the GDPR. The structure follows the headings set out in Annex II of the EU SCCs (Commission Implementing Decision (EU) 2021/914) so that this Schedule may also serve as the Annex II description for the purposes of any Restricted Transfer to which the SCCs apply.
The measures described below are derived from, and supported by, the Processor's information security policy suite, including its Information Security Policy, Encryption Policy, Access Control Policy, Endpoint Security Policy, Operations Security Policy, Network Security Procedure, HR Security Policy, Asset Management Policy, Data Classification Policy, Incident Management Policy, Business Continuity & Disaster Recovery Policy, Vendor Management Policy, Media Disposal Policy, and System Acquisition and Development Lifecycle Policy. Updated copies of these policies are available to the Controller on reasonable request, subject to confidentiality obligations.
1. Information Security Management System (ISMS) Governance
The Processor operates an Information Security Management System (ISMS) covering the entirety of the in-scope service environment. The ISMS is overseen by an Information Security Officer with executive sponsorship from the Chief Product Officer.
Information security responsibilities are formally allocated through job descriptions and task delegation. Conflicting duties are segregated; where segregation is not feasible, compensating controls (activity monitoring, audit trails, supervisory review) are implemented. The ISMS is reviewed and revised at least annually, and on any material change to the organisation, the threat environment or applicable law. The Processor uses Secureframe as its compliance-management platform for the maintenance of the ISMS, including the inventory of assets, employee onboarding and policy acknowledgements, control evidence collection and continuous-monitoring alerts.
2. Pseudonymisation and Encryption of Personal Data (Art. 32(1)(a))
2.1 Encryption in transit. All Personal Data transmitted over public networks is protected by Transport Layer Security (TLS) version 1.2 as a minimum, with TLS 1.3 preferred where supported by client endpoints. Public-facing services use security certificates issued by recognised, trusted certificate authorities. HTTPS is enforced for all administrative interfaces and for all Data Subject-facing donation, bidding and ticketing journeys. Connections to upstream Sub-Processors and downstream data and analytics destinations are encrypted in transit; insecure protocols (HTTP, FTP, Telnet, unencrypted SMTP) are not used for Personal Data.
2.2 Encryption at rest. Personal Data stored within the Processor's production environment is encrypted at rest using infrastructure-provider managed encryption (Google Cloud Platform), with key management performed by the infrastructure provider. Where additional protection is required, customer-managed encryption keys may be used. Endpoint devices issued to Processor personnel are full-disk encrypted in accordance with the Processor's Endpoint Security Policy.
2.3 Pseudonymisation. Identifying fields (such as name, email, phone number and postal address) are obfuscated after each event on Controller instruction, in accordance with Schedule 1. Datasets used for analytics, product-improvement, business intelligence and reporting are pseudonymised wherever feasible: payment-card numbers are not stored in clear and are replaced by tokens issued by PCI DSS-compliant payment Sub-Processors; direct identifiers in analytics events are replaced with stable pseudonymous identifiers.
3. Confidentiality, Integrity, Availability and Resilience (Art. 32(1)(b))
3.1 Access control. Access to Personal Data is granted on the principle of least privilege and need-to-know. Role-based access control (RBAC) is implemented for production systems; access outside the default role-matrix requires documented business justification and approval. Access to systems containing customer data is granted only after the user has acknowledged the Acceptable Usage Policy and completed onboarding training. Privileged access (administrative, root, infrastructure-management) is limited to a defined population of Operations team members and is reviewed periodically. Multi-factor authentication is enforced for all administrative access, single sign-on (SSO) is used wherever feasible, and password policies (complexity, length, history, lockout) are enforced for any local accounts. User access rights are reviewed at least quarterly and on every change of role, and revoked promptly on termination of employment or contract.
3.2 Network security. Production networks are deployed within Virtual Private Cloud (VPC) environments with restrictive ingress and egress rules, perimeter protection and network segmentation between production, staging and corporate environments. A Web Application Firewall (WAF) is deployed in front of public-facing applications; intrusion-detection capabilities are provided through Wazuh and the cloud provider's Security Command Centre. Anomalies are surfaced to the Engineering and Information Security functions for review and, where appropriate, escalation as security incidents. Configuration changes to network controls follow the formal change-management process described below.
3.3 Endpoint security. Endpoint devices issued to Processor personnel are subject to mandatory hardening: full-disk encryption, automated patching, anti-malware protection, screen-lock, and prohibition of unauthorised software installation. Removable media is prohibited for the transfer of Personal Data.
3.4 Change and configuration management. All changes to production infrastructure, software, network devices and configurations follow a documented change-management procedure: requestor, reviewer/approver and implementer responsibilities are segregated; all changes are recorded, approved, tested and (where feasible) validated in a representative environment before deployment. Configuration baselines are defined for critical infrastructure components; deviations from baselines require documented approval. Production environments are logically separated from non-production environments; production data is not used in non-production environments without equivalent safeguards.
3.5 Backups and resilience. Customer data on infrastructure operated by the Processor is backed up daily to encrypted Google Cloud Platform storage; restoration points are created at five-minute intervals. The defined Recovery Point Objective (RPO) for database loss or corruption is five (5) minutes; the Recovery Time Objective (RTO) for complete loss of the GCP region is two (2) hours. Backup restoration exercises and disaster-recovery mock drills are conducted at least annually; results and any remediation actions are recorded. Backups are stored in a redundant location outside the production environment.
3.6 Logging and monitoring. Security-relevant events are logged across infrastructure and application layers (including the use of privileged accounts, system failures, policy violations, unauthorised access attempts and firewall traffic). Logs are retained for the period required to support incident investigation, dispute resolution and applicable legal and contractual requirements; logging facilities are protected against tampering and unauthorised access. Continuous-monitoring alerts are produced through Security Command Centre and Wazuh and reviewed by Engineering and Information Security.
3.7 Vulnerability and patch management. An annual independent third-party penetration test is conducted against the production environment; identified findings are remediated within timelines prescribed by their criticality. Patches addressing high-risk vulnerabilities are tested in a non-production environment and deployed to production within defined service-level timeframes.
4. Restoration of Availability and Access following Incident (Art. 32(1)(c))
The Processor maintains a Business Continuity Plan and Disaster Recovery Plan covering its production infrastructure. The plan defines escalation paths, recovery teams, RPO/RTO commitments, and disaster-declaration authority. DR exercises are conducted at least annually and may include walkthroughs, simulations or parallel testing. Where a disaster materially affects multiple business units, declaration is made by senior management; declared disasters are communicated promptly to relevant stakeholders, customers and regulatory bodies as required.
5. Regular Testing, Assessment and Evaluation (Art. 32(1)(d))
Information security policies are reviewed at least annually and on any material change. An external penetration test is performed annually; vulnerability scans are performed on an ongoing basis. The Processor participates in independent third-party assurance activities (e.g. SOC 2 Type II reporting) as set out in the Processor's most recent compliance attestations available to the Controller on reasonable request.
6. User Identification and Authorisation
All access to systems containing Personal Data requires individual authentication; shared accounts are not used for production systems. Single sign-on (SSO) and multi-factor authentication (MFA) are enforced wherever supported. User accounts are provisioned and de-provisioned through documented joiner-mover-leaver processes; access reviews are conducted periodically.
7. Protection of Data during Transmission
As described in section 2.1 of this Schedule (TLS ≥ 1.2; trusted certificate authorities; HTTPS for all Data Subject and administrative endpoints; encryption of Sub-Processor-bound traffic).
8. Protection of Data during Storage
As described in section 2.2 of this Schedule (provider-managed encryption at rest on GCP; full-disk encryption of endpoints; salted hashing of credentials; secret-management for keys).
9. Physical Security of Locations at which Personal Data are Processed
Production Personal Data is hosted exclusively in Tier-3 or equivalent commercial data-centre facilities operated by the Processor's cloud infrastructure provider (Google Cloud Platform), which maintains a comprehensive set of physical-security controls (perimeter security, access control, environmental controls, redundancy) as evidenced by the provider's ISO/IEC 27001 certification, SOC 2 Type II reports and equivalent attestations. Processor offices implement reasonable physical-access controls, visitor management and clean-desk practices; however, no Personal Data is stored locally at offices in the ordinary course of business. Remote and home-working environments are subject to the Processor's Acceptable Usage Policy; personnel are required to designate a safe workspace, prevent unauthorised access, and return equipment on termination of employment.
10. Events Logging and Audit
As described in section 3.6 of this Schedule (security-relevant event logging; tamper-protection; retention; continuous monitoring; SIEM-equivalent tooling via Security Command Centre and Wazuh).
11. System Configuration including Default Configuration
Configuration baselines are documented for critical infrastructure components, including server hardening, endpoint hardening and firewall and network device configurations. Changes follow the change-management procedure. Default configurations are reviewed for security at design time; insecure defaults are not relied upon.
12. Internal IT and IT Security Governance and Management
Information security roles and responsibilities are defined through job descriptions and task delegation. The Information Security Officer maintains contact with relevant authorities and special-interest groups. Information security is integrated into project management methods so that risks are identified and addressed within projects. An ISMS communications matrix supports periodic communication with executive management, all employees, IT and Information Security functions, customers and regulators.
13. Data Quality
The Processor provides interfaces enabling the Controller to update or correct Personal Data on behalf of Data Subjects, supports rectification requests forwarded by the Controller, and applies validation rules at point of capture to reduce data-quality errors.
14. Accountability
The Processor maintains documented evidence of compliance with Article 32 GDPR through its policy suite, training records, audit trails, vulnerability-management records, incident records, change records and access-review records.
15. Human Resources Security
Pre-employment screening is performed on all employees and contractors with access to Personal Data, in accordance with applicable law. Employment terms include information-security responsibilities; employees and contractors sign the Acceptable Usage Policy and confidentiality / non-disclosure obligations on or before commencement. Mandatory information security and data protection training is delivered at onboarding and at least annually thereafter; supplementary training is delivered on material role or process changes.
16. Vendor / Sub-Processor Management
Sub-Processors with access to Personal Data are subject to a documented vendor risk-assessment process before engagement, covering security, privacy and operational resilience. Sub-Processor relationships are reviewed at least annually; material changes trigger reassessment. Each Sub-Processor is engaged under a written contract that imposes obligations equivalent to and no less protective than those of this Agreement, including in respect of international transfers.
17. Incident Management
Information security events and incidents are reported through documented channels and are recorded, classified, investigated and tracked to closure. Personal Data Breach notification to the Controller is performed in accordance with clause 4.8 of this Agreement (within 48 hours of awareness, with the content prescribed by Article 33(3) GDPR). Lessons learned are documented and used to inform corrective and preventive actions.
18. Secure Media Disposal
Decommissioned end-user equipment is securely sanitised through full-disk encryption, software-based secure erasure and, for high-criticality data, physical destruction.
Schedule 4 — International Data Transfers — EU SCCs and UK Addendum (Incorporated by Reference)
This Schedule sets out the transfer mechanisms relied upon by the Parties under Chapter V of the EU GDPR and the UK GDPR for any Restricted Transfer of Personal Data made under or in connection with this Agreement.
1. Incorporation by Reference
1.1 The Standard Contractual Clauses (the "EU SCCs"), being the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, are incorporated into this Agreement by reference and shall apply to any Restricted Transfer of Personal Data falling within the scope of the EU GDPR.
1.2 The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force from 21 March 2022, the "UK Addendum"), as issued by the Information Commissioner under section 119A of the UK Data Protection Act 2018, is incorporated into this Agreement by reference and shall apply to any Restricted Transfer of Personal Data falling within the scope of the UK GDPR. References in the EU SCCs to the EU GDPR shall, to the extent the UK Addendum applies, be read as references to the UK GDPR.
1.3 Where the Parties wish to use a stand-alone International Data Transfer Agreement ("UK IDTA", version A1.0, in force from 21 March 2022) instead of the UK Addendum for any Restricted Transfer falling within the scope of the UK GDPR, they shall execute that document separately, and references in this Schedule to the UK Addendum shall be read accordingly to that UK IDTA.
1.4 If, during the term of this Agreement, the European Commission, the Information Commissioner or any other competent authority issues, amends or replaces the SCCs or the UK Addendum, the Parties shall co-operate in good faith to amend or update the documents incorporated by reference in this Schedule so as to give effect to the new instrument with effect from the date specified by the relevant authority.
2. Applicable Module of the EU SCCs
2.1 Where the Controller is the data exporter and the Processor is the data importer, Module Two (Controller-to-Processor) of the EU SCCs shall apply between them.
2.2 Where the Processor is the data exporter and a Sub-Processor is the data importer, Module Three (Processor-to-Processor) of the EU SCCs shall apply between them, and the Processor shall procure that each such Sub-Processor enters into the EU SCCs and (where applicable) the UK Addendum on equivalent terms.
2.3 Where the Processor itself acts as a controller in respect of any Processing falling outside the scope of this Agreement (as contemplated by clause 3.3), Module One (Controller-to-Controller) shall apply if and as agreed between the Parties for that limited Processing.
3. Completion of the EU SCCs
For the purposes of completing the EU SCCs incorporated under section 1 of this Schedule:
| Provision of the EU SCCs | Completion / agreed terms |
|---|---|
| Clause 7 (docking clause) | The optional docking clause does not apply unless the Parties expressly agree otherwise in writing. |
| Clause 9 (use of sub-processors) | Option 2 (general written authorisation) applies. The time period for prior notice of sub-processor changes shall be thirty (30) days, in accordance with clause 4.4 of this Agreement. |
| Clause 11 (redress) | The optional independent dispute-resolution body in Clause 11(a) does not apply. |
| Clause 13 (supervision) | Where the data exporter is established in an EU Member State, the supervisory authority of the Member State of establishment shall act as competent supervisory authority. Where the data exporter is established in the United Kingdom, the Information Commissioner's Office shall act as competent supervisory authority. Where the data exporter is not established in the EU but is subject to the EU GDPR by virtue of Article 3(2), the supervisory authority of the EU Member State in which the data exporter's representative under Article 27 EU GDPR is established shall act as competent supervisory authority. |
| Clause 17 (governing law) | Option 1 applies. The EU SCCs shall be governed by the laws of Ireland (or, where the data exporter is established in another EU Member State whose law allows for third-party beneficiary rights, the law of that Member State as agreed by the Parties in writing). |
| Clause 18 (forum and jurisdiction) | The Parties agree that the courts of Ireland (or, where applicable, the courts of the EU Member State whose law is selected under Clause 17) shall have jurisdiction. Data Subjects may also bring proceedings in their Member State of habitual residence in accordance with Clause 18(c). |
| Annex I.A (List of Parties) | As set out in the cover page of this Agreement and Schedule 1. |
| Annex I.B (Description of transfer) | As set out in Schedule 1 of this Agreement and, in respect of onward transfers to Sub-Processors, in Schedule 2. |
| Annex I.C (Competent supervisory authority) | As determined under Clause 13 of the EU SCCs and as completed above. |
| Annex II (Technical and organisational measures) | As set out in Schedule 3 of this Agreement. |
| Annex III (List of sub-processors) | As set out in Schedule 2 of this Agreement and on the Sub-Processor List published at https://www.givergy.com/uk/fundraise/dataProcessors/. |
4. Completion of the UK Addendum
For the purposes of completing the UK Addendum incorporated under section 1 of this Schedule:
| UK Addendum Table | Completion |
|---|---|
| Table 1 (Parties) | Exporter and importer details: as set out on the cover page of this Agreement (and, in respect of onward transfers to Sub-Processors, in Schedule 2). Key contact for each Party: as notified by each Party from time to time, with the data protection contact for the Processor being dpo@givergy.com. |
| Table 2 (Selected SCCs, Modules and Selected Clauses) | The version of the EU SCCs incorporated under section 1 of this Schedule, with the modules and option selections set out in section 3 of this Schedule. |
| Table 3 (Appendix Information) | Annex 1A: as set out in this Schedule and Schedule 1. Annex 1B: as set out in Schedule 1 and Schedule 2. Annex II: as set out in Schedule 3. Annex III: as set out in Schedule 2. |
| Table 4 (Ending the Addendum) | Both the importer and the exporter may end the UK Addendum as set out in Section 19 of the UK Addendum where the ICO issues a revised approved Addendum. |
5. EU-US Data Privacy Framework
Where any Sub-Processor of the Processor is certified under the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework (the so-called "UK Data Bridge"), or the Swiss-US Data Privacy Framework (each a "DPF"), and the relevant adequacy decision (or equivalent designation) is in force, the Parties may rely on the relevant DPF as a transfer mechanism for the relevant transfer in lieu of, or in addition to, the EU SCCs and the UK Addendum, provided that the Sub-Processor remains validly certified for the relevant categories of Personal Data. The Processor shall, on request, evidence each relied-upon DPF certification.
6. Transfer Impact Assessment
In respect of each Restricted Transfer made under or in connection with this Agreement, the Processor shall: (i) document and maintain a transfer impact assessment in line with Recommendations 01/2020 of the European Data Protection Board (or successor guidance); (ii) consider the law and practice of the destination country, including the existence and scope of public-authority access regimes; (iii) implement supplementary technical, contractual and organisational measures where the assessment indicates that they are necessary to ensure an essentially equivalent level of protection; and (iv) make the assessment available to the Controller and to a Supervisory Authority on request.
Schedule 5 — Australia-specific Terms (Privacy Act 1988 (Cth) and the Australian Privacy Principles)
This Schedule sets out the additional terms that apply where the Processing of Personal Information falls within the territorial scope of the Privacy Act 1988 (Cth) (the "Privacy Act"), including by virtue of section 5B of the Privacy Act, the location of the data subjects, or otherwise. This Schedule supplements the main body of this Agreement and does not displace it save where expressly stated; the order of precedence is set out in clause 9.1 of this Agreement.
1. Application and Scope
1.1 This Schedule applies to (i) Personal Information of Australian individuals Processed by the Processor on behalf of the Controller; (ii) Personal Information that the Controller (acting as APP Entity) discloses to the Processor; and (iii) any Processing carried on outside Australia in respect of Personal Information collected in Australia or about an individual with an Australian link, where section 5B of the Privacy Act so provides.
1.2 Each Party acknowledges that the other Party may itself be an APP Entity in respect of the Processing under this Agreement. Nothing in this Schedule transfers, suspends, qualifies or extinguishes any obligation that the Privacy Act imposes on a Party in its own right.
1.3 Capitalised terms used in this Schedule and not defined in section 2 of this Agreement have the meanings given in the Privacy Act, including "APP Entity", "Australian Privacy Principle", "Collection", "Disclosure", "Health Information", "Overseas Recipient", "Personal Information", "Sensitive Information", "Use" and "interference with the privacy of an individual".
2. Allocation of Responsibility under the Australian Privacy Principles
The table below allocates the principal operational responsibility under each APP between the Parties. The allocation is operational only and does not relieve either Party of any obligation that the Privacy Act imposes on it directly.
| APP | Subject | Primary responsibility | Operational obligations |
|---|---|---|---|
| APP 1 | Open and transparent management of Personal Information | Controller | The Controller shall publish and keep up to date a privacy policy in respect of its handling of Personal Information collected through the Platform, addressing each of the matters required by APP 1.4. The Processor shall maintain its own privacy policy (the Givergy Privacy Notice V20 (UK) / V21 (Global)) and shall provide such information about Sub-Processors and international disclosures as the Controller reasonably requires to complete the Controller's policy. |
| APP 2 | Anonymity and pseudonymity | Controller (with Processor support) | The Controller shall design its donor-facing forms to permit anonymous or pseudonymous interaction where it is practicable and lawful to do so. The Processor shall configure the Platform features available to support pseudonymous donation flows where the Controller selects them, subject to legal and operational constraints (including PCI DSS). |
| APP 3 | Collection of solicited Personal Information | Controller | The Controller shall collect Personal Information only by lawful and fair means and only where reasonably necessary for, or directly related to, one or more of its functions or activities. The Processor shall collect on the Controller's behalf strictly in accordance with the Controller's documented instructions and the configuration of the Platform. |
| APP 4 | Dealing with unsolicited Personal Information | Joint | Where unsolicited Personal Information is received via the Platform, the Processor shall notify the Controller. The Controller shall determine whether the Personal Information could lawfully have been collected under APP 3 and shall instruct the Processor accordingly. Where retention is not lawful, the Processor shall destroy or de-identify the information, on Controller instruction, as soon as practicable. |
| APP 5 | Notification of the collection of Personal Information | Controller | The Controller shall provide the notice required by APP 5 to the individual at or before, or as soon as practicable after, the point of collection (in practice, through the Controller's privacy policy and donor-facing collection notices). The Processor will not provide separate APP 5 notices to data subjects on behalf of the Controller save where expressly instructed to do so. |
| APP 6 | Use or disclosure of Personal Information | Controller | The Controller is responsible for ensuring that any use or disclosure of Personal Information is permitted under APP 6 (primary purpose, or a permitted secondary purpose). The Processor shall use and disclose Personal Information only as instructed by the Controller and as set out in this Agreement. |
| APP 7 | Direct marketing | Controller | The Controller is responsible for compliance with APP 7, including obtaining and managing any consent or opt-out and providing a simple means by which individuals may request not to receive direct marketing. The Processor shall configure and operate the marketing channels available within the Platform to honour the consent / opt-out signals received from the Controller. The Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth) impose additional, separate obligations on the sender of electronic messages and telemarketing calls; the Controller shall ensure that any such messages or calls comply with those Acts. |
| APP 8 | Cross-border disclosure of Personal Information | Joint (Processor leads operationally) | The Parties acknowledge that the Processor discloses Personal Information to overseas recipients (including Sub-Processors based in the United States and elsewhere). The Processor shall take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs in relation to the Personal Information (APP 8.1), unless an exception in APP 8.2 applies. The Parties record the basis on which each disclosure proceeds in section 3 of this Schedule. The Parties acknowledge that section 16C of the Privacy Act may treat the disclosing entity as having committed an act or engaged in a practice of the overseas recipient if the Personal Information is mishandled by that recipient. |
| APP 9 | Adoption, use or disclosure of government related identifiers | Controller | The Parties do not contemplate that government related identifiers will be Processed under this Agreement. Where the Controller intends any such Processing, it shall notify the Processor in advance and the Parties shall agree any necessary additional safeguards. |
| APP 10 | Quality of Personal Information | Joint | The Controller shall ensure that the Personal Information it collects, uses or discloses is, having regard to the purpose of use, accurate, up to date, complete, and (in the case of use or disclosure) relevant. The Processor shall configure the Platform to support the Controller in maintaining data quality, including correction interfaces, reconciliation processes against payment Sub-Processor outputs, and validation rules at the point of capture. |
| APP 11 | Security of Personal Information | Processor (with Controller co-operation) | The Processor shall take reasonable steps under APP 11.1 to protect Personal Information from misuse, interference, loss, unauthorised access, modification or disclosure, in the manner described in Schedule 3 of this Agreement (Technical and Organisational Measures). The Processor shall take reasonable steps under APP 11.2 to destroy or de-identify Personal Information when it is no longer needed for any purpose for which it may be used or disclosed under the Privacy Act, subject to clause 4.9 of this Agreement and any retention period required by Australian law (including under the Income Tax Assessment Act 1997, the A New Tax System (Goods and Services Tax) Act 1999, AUSTRAC anti-money-laundering record-keeping obligations and the Australian Consumer Law). Reasonable steps will be assessed having regard to the OAIC's Guide to Securing Personal Information. |
| APP 12 | Access to Personal Information | Controller (with Processor assistance) | The Controller shall handle requests by individuals for access to their Personal Information in accordance with APP 12, including the timing requirements (response within a reasonable period; access in the manner requested by the individual where reasonable and practicable; charges no more than reasonable). The Processor shall assist the Controller within the timeframes set out in clause 4.6 of this Agreement, including by providing exports of Personal Information held within the Platform. |
| APP 13 | Correction of Personal Information | Controller (with Processor assistance) | The Controller shall handle requests by individuals for correction of their Personal Information in accordance with APP 13. The Processor shall provide the technical means by which corrections can be made and shall propagate corrections to relevant Sub-Processors and (where appropriate) to recipients to whom Personal Information has been disclosed, in accordance with the Controller's instructions. |
3. Cross-border Disclosures (APP 8 — Operational Record)
The Parties record below the operational basis on which Personal Information is disclosed to overseas recipients. The list mirrors and supplements the sub-processor list in Schedule 2 Part A and the international-transfer assessment in Schedule 4 of this Agreement and the companion Transfer Impact Assessment V1.0.
| Overseas recipient | Country | Function | APP 8 basis |
|---|---|---|---|
| dbt Labs, Inc. | United States | Data transformation and pipeline orchestration (analytics stack) | APP 8.1 — reasonable steps taken (contractual: SCCs Module 3 + UK Addendum, technical and organisational measures including pseudonymisation at egress; vendor risk assessment). APP 8.2 exceptions not relied on. |
| Snowflake Inc. | United States (or EEA / UK region where selected) | Cloud data warehousing | APP 8.1 — reasonable steps taken; supplementary technical measures include customer-managed encryption keys. Where Snowflake hosts in an EEA / UK region, no overseas disclosure outside that region arises in respect of that data. |
| Lightdash Ltd | United Kingdom (and self-hosted in UK / EEA Processor environment) | Business-intelligence and visualisation layer | APP 8.1 — reasonable steps taken; the United Kingdom is a comparable privacy regime under the OAIC's indicative list of countries with substantially similar privacy laws (no formal designation under the Privacy Act, but the EU–UK adequacy decision is a relevant consideration). |
| Amplitude, Inc. | United States (with EU residency option) | Product analytics | APP 8.1 — reasonable steps taken; supplementary measures include pseudonymisation at egress, IP truncation, and exclusion of payment data. |
| FullStory, Inc. | United States | Digital experience analytics including session replay | APP 8.1 — reasonable steps taken; supplementary measures include element-level masking of sensitive form fields, exclusion of payment and identifier fields, and annual configuration review. Subject to ongoing monitoring under the Transfer Impact Assessment V1.0. |
| Twilio Inc. (Twilio Segment) | EU regions (Frankfurt / Dublin) where configured, otherwise United States | Customer Data Platform | APP 8.1 — reasonable steps taken where US region is used; no overseas disclosure outside EU region arises where EU region is used. |
| Stripe, Inc. and TriplePlayPay | United States (with regional processing as applicable) | Payment processing | APP 8.1 — reasonable steps taken; PCI DSS v4.0.1 compliance regime applies to the Processor and the payment Sub-Processor; cardholder data is handled under separate, scheme-mandated controls. |
| Mailgun and the SMS providers | United States and others (per Sub-Processor list) | Email and SMS delivery | APP 8.1 — reasonable steps taken via Article 28 GDPR-aligned data processing addenda incorporating contractual safeguards equivalent to APP 8.1. |
4. Notifiable Data Breaches Scheme
4.1 The Parties acknowledge that, where they are each APP Entities, each is independently subject to the NDB Scheme. Operationally, the Processor will notify the Controller of any Personal Data Breach affecting Personal Information in the manner and within the timeframes set out in clause 4.8 of this Agreement, including its preliminary assessment under section 26WH of whether the breach is or is likely to be an Eligible Data Breach.
4.2 Where the Processor identifies an actual or suspected Eligible Data Breach affecting Controller Personal Information, the Processor shall, in addition to its obligations under clause 4.8 of this Agreement, provide reasonable assistance to enable the Controller to prepare and issue (as required) a statement to the OAIC under section 26WK and notifications to affected individuals under section 26WL. The Processor shall not itself notify the OAIC or affected individuals in respect of Controller Personal Information without the Controller's prior written approval, save where required by law applicable to the Processor.
4.3 Where Givergy is itself an APP Entity in respect of Personal Information affected by a breach, Givergy shall make any required statement to the OAIC and notifications to affected individuals in its own right and shall not be relieved by this Agreement of that independent obligation.
4.4 The Parties shall co-operate in good faith in the assessment, containment, remediation, notification and post-incident review of any Personal Data Breach affecting Personal Information. Each Party shall preserve evidence relevant to the breach and shall make such evidence available to the other Party as reasonably required for purposes of compliance with the NDB Scheme.
5. Complaints, Investigation and Enforcement
5.1 The Processor shall provide reasonable assistance to the Controller in handling any complaint received by the Controller from an individual in respect of the Processing under this Agreement, including any complaint subsequently referred to the OAIC under Part V of the Privacy Act. The Processor shall not respond substantively to any individual complaint received directly without the Controller's prior written authorisation, save to confirm receipt and refer the individual to the Controller (consistent with clause 4.6.2 of this Agreement).
5.2 Each Party shall co-operate with the OAIC in any investigation, inquiry, determination or enforcement action relating to the Processing under this Agreement. Where one Party receives a notice, request or compulsory order from the OAIC concerning Personal Information held by the other Party, it shall promptly notify the other Party (save where prohibited by law) and the Parties shall co-operate to respond.
5.3 The Parties acknowledge that the OAIC has, since the commencement of the relevant provisions of the Privacy and Other Legislation Amendment Act 2024, expanded enforcement powers including a tiered civil penalty regime; nothing in this Agreement shall be construed as limiting such powers as against either Party.
6. Statutory Tort and Children's Online Privacy
6.1 The Parties acknowledge that, on commencement of the relevant provisions of the Privacy and Other Legislation Amendment Act 2024, an individual may have a cause of action for serious invasion of privacy. The allocation of liability between the Parties for any such cause of action shall be determined by reference to clause 7 of this Agreement and the underlying conduct giving rise to the cause of action; nothing in this Agreement excludes or limits any liability owed to a third-party data subject.
6.2 On commencement of the Children's Online Privacy Code under the Privacy Act, the Parties shall comply with the Code in relation to any Processing within its scope. Where the Controller intends to operate Platform features in a manner likely to engage the Code (including features reasonably likely to be accessed by children under 18), the Controller shall notify the Processor in advance and the Parties shall co-operate to apply such design and operational measures as the Code requires (consistent with clause 6.2 of this Agreement).
7. Automated Decision-making
7.1 On commencement of the relevant Privacy and Other Legislation Amendment Act 2024 provisions concerning automated decision-making, the Controller shall ensure that any privacy policy issued in respect of the Processing addresses (where applicable) the kinds of decisions made using automation in connection with Personal Information collected through the Platform.
7.2 The Processor confirms that the Platform does not, at the date of this Agreement, perform decisions producing legal or similarly significant effects on individuals on a solely automated basis. Fraud-detection rules feed into a human-in-the-loop review process. The Processor shall notify the Controller before any change in this position.
8. Precedence and Interpretation
8.1 This Schedule prevails over the rest of this Agreement to the extent of any inconsistency, but only in respect of Processing within the territorial scope of the Privacy Act and only to the extent necessary to give effect to the Privacy Act.
8.2 Words and expressions used in this Schedule and not otherwise defined shall have the meaning given in the Privacy Act. References to a section or other provision of the Privacy Act are references to that provision as in force from time to time.
© 2026 momoGood. All rights reserved.