Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the Give A Little Terms and Conditions available at

, (as updated from time to time) between the Fundraiser and Give A Little, (the "Terms and Conditions").

This DPA is an agreement between you and the entity you represent ("Fundraiser", "you" or "your") and "Give A Little".

1. Scope and Roles. This DPA applies when Donation Data (e.g the donor payment data) is processed by Give A Little, Give A Little will act as processor to Fundraiser, who acts as a controller of Donation Data.

   1. The parties agree that this DPA and the Terms and Conditions (including Fundraiser providing instructions via configuration tools such as the Give A Little platform and APIs made available by Give A Little for the Services) constitute Fundraiser’s documented instructions regarding Give A Little’s processing of Donation Data ("Documented Instructions").

   2. Give A Little will process Donation Data only in accordance with Documented Instructions. Taking into account the nature of the processing, Fundraiser agrees that it is unlikely Give A Little can form an opinion on whether Documented Instructions infringe Data Protection Legislation. If Give A Little forms such an opinion, it will immediately inform Fundraiser, in which case, Fundraiser is entitled to withdraw or modify its Documented Instructions.

2. Data Processing.

   1. Details of Data Processing.

      1. Subject matter. The subject matter of the data processing under this DPA is Donation Data.

      2. Duration. As between Give A Little and Fundraiser, the duration of the data processing under this DPA is determined by the Fundraiser.

      3. Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Fundraiser from time to time.

      4. Nature of the processing. Donations made by donors, Give A Little platform, computer, storage and such other Services and initiated by Fundraiser from time to time.

      5. Type of Donation Data. Donation Data uploaded to the Services under Fundraiser’s Give A Little account.

      6. Categories of data subjects. The data subjects include Fundraiser’s Donors, Administrators, Volunteers and Supporters.

      7. Type of Personal Data. Donor Personal Data uploaded to the Services under Fundraiser’s Give A Little accounts could include: name, email address, postal address, and phone number. Fundraisers can additionally request donor personal information which is not predefined by the Give A Little service. Other data subjects including Administrators, Volunteers, and Supporters include name and email address.

   2. Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the UK GDPR and other Applicable Data Protection Law.

   3. Confidentiality. Give A Little will not access or use, or disclose to any third party, any Donation Data, except, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a court order). Give A Little restricts its personnel from processing Donation Data without authorisation by Give A Little. Give A Little imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

3. Sub-processing.

   1. Authorised Sub-processors. Fundraiser provides general authorisation to Give A Little’s use of sub-processors to provide processing activities on Donation Data on behalf of Fundraiser ("Sub-processors") in accordance with this Section.

   2. Sub-processors that are currently engaged by Give A Little:

      1. Amazon Web Services for data storage. All data stored using Amazon Web Services is stored either in the European Economic Area or the UK. Data is encrypted both in transit and at rest

      2. Google for our mailbox tool

      3. HelpScout as our communications and Fundraiser support tool

      4. Mailjet for sending donor receipts and for service notifications

   3. At least 30 days before Give A Little engages a Sub-processor, Give A Little will update clause 6.2 and provide Fundraiser with a mechanism to obtain notice of that update. To object to a Sub-processor, Fundraiser can terminate the Terms and Conditions pursuant to its terms;

   4. Sub-processor Obligations. Where Give A Little authorises a Sub-processor as described in Section 6.1:

      1. Give A Little will restrict the Sub-processor’s access to Donation Data only to what is necessary to provide or maintain the Services, and Give A Little will prohibit the Sub-processor from accessing Donation Data for any other purpose;

      2. Give A Little will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by Give A Little under this DPA, Give A Little will impose on the Sub-processor the same contractual obligations that Give A Little has under this DPA; and

      3. Give A Little will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Give A Little to breach any of Give A Little’s obligations under this DPA.

4. Data Subject Requests. Taking into account the nature of the processing, the Service platform is the technical and organizational measures by which Give A Little will assist Fundraiser in fulfilling Fundraiser’s obligations to respond to data subjects’ requests under the UK GDPR. If a data subject makes a request to Give A Little, Give A Little will promptly forward such request to Fundraiser.

5. Security.

   1. Security Measures. Give A Little has implemented and will maintain appropriate technical and organisational measures to protect the personal data against unauthorised access, accidental loss or destruction. We take our obligation to keep your data safe from loss, misuse, unauthorised access, disclosure, alteration, and destruction very seriously. We have in place policies and processes along with a set of physical and technological controls to keep your data safe. All donor data is encrypted at rest and in transit. Our accounts require a username and password to log in and offer multi-factor authentication. You must keep your username and password secure, and never disclose these to a third party.

   2. Security Incidents. Give A Little must notify Fundraiser without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Security Incident. Give A Little must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Give A Little’s reasonable control. Upon Fundraiser’s request and taking into account the nature of the Processing and the information available to Give A Little, Give A Little must assist Fundraiser by providing information reasonably necessary for Fundraiser to meet its Security Incident notification obligations under Applicable Data Protection Law. Give A Little may not delay notification under this clause on the basis that an investigation is incomplete or on-going. Give A Little’s notification of a Security Incident is not an acknowledgment by Give A Little of its fault or liability.

   3. Incident Confidentiality. Neither party will release or publish any filing, communication, notice, press release, or report concerning any Data Security Breach without the prior written permission of the other party save to the extent such Breach Notice is required by applicable law; and not make or permit any announcement to any party, without the other’s consent and which may be subject to conditions.

   4. Security Certifications. Give A Little is certified to stringent industry applicable security standards, specifically: ISO27001, ISO9001, CyberEssentials, and CyberEssentials Plus. Give A Little will make available to Fundraiser security certificates issued.

6. Audit.

   1. Audit Reports. Give A Little is regularly audited by independent third-party auditors and/or internal auditors. In addition to the information contained in this DPA, upon Fundraiser’s request, and provided that the parties have an applicable NDA in place: 

      1. Give A Little will supply a summary copy of relevant audit report(s) to Fundraiser, so Fundraiser can verify Give A Little's compliance with the audit standards against which it has been assessed, and this DPA. If Fundraiser cannot reasonably verify Give A Little’s compliance with the terms of this DPA, Give A Little will provide written responses (on a confidential basis) to all reasonable requests for information made by Fundraiser related to its processing of Donation Data, provided that such right may be exercised no more than once every twelve (12) months except (i) if and when required by instruction of a Supervisory Authority; or (ii) if Fundraiser believes a further audit is necessary due to a Data Security Breach suffered by Give A Little.

   2. Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to Give A Little, Give A Little will assist Fundraiser in complying with Fundraiser’s obligations in respect of data protection impact assessments and prior consultation, by providing the information Give A Little makes available under this Section.

7. Deletion of Data. 90 days after the Termination Date we will delete the Donation Data and delete existing copies of the personal data unless UK law requires it to be stored. You will be given access to the Give A Little platform for 10 days in order to download a copy of your data before it’s deleted.

8. Indeminity.

   1. Give A Little shall indemnify, defend, and hold harmless Fundraiser against any third-party claims, demands, suits, or proceedings (“Claims”) alleging that the Services, as provided by Give A Little, infringe any intellectual property rights of such third party. Give A Little shall have no obligation under this Section to the extent that a Claim arises from: (i) use of the Services in combination with any hardware, software, or other materials not provided by Give A Little; (ii) modifications to the Services not made by or authorised by Give A Little; or (iii) use of the Services in a manner contrary to the written instructions or documentation provided by Give A Little. Fundraiser shall promptly notify Give A Little in writing of any Claim and shall provide Give A Little with all reasonable information and assistance necessary to defend such Claim. Give A Little shall have sole control of the defense and all related settlement negotiations. Give A Little’s total liability to Fundraiser under this Section shall not exceed the amounts paid by Fundraiser to Give A Little under this Agreement in the twelve (12) months preceding the Claim. If the Services are found to infringe, Give A Little may, at its option: (i) modify the Services to be non-infringing; (ii) obtain a license for Fundraiser to continue using the Services; or (iii) terminate the Agreement and refund to Fundraiser any prepaid, unused fees. Except as expressly provided in this Section, Give A Little makes no warranties, express or implied, regarding the Services, and disclaims all other warranties, including any implied warranties of merchantability, fitness for a particular purpose, and non-infringement

9. Termination of the DPA. This DPA will continue in force until the termination of the Terms and Conditions (the "Termination Date").