Data Processing Addendum

This Data Processing Addendum ("DPA") supplements the Give A Little Terms and Conditions available at https://givealittle.co/terms-and-conditions (as updated from time to time) between Fundraiser and Give A Little (the "Terms and Conditions").

This DPA is an agreement between you and the entity you represent ("Fundraiser", "you" or "your") and "Give A Little".

  1. Data Processing.
    1. Scope and Roles. This DPA applies when Donation Data (e.g. the donor payment data) is processed by Give A Little. Give A Little will act as processor to Fundraiser, who acts as a controller of Donation Data.
    2. Details of Data Processing.
      • Subject matter. The subject matter of the data processing under this DPA is Donation Data.
      • Duration. As between Give A Little and Fundraiser, the duration of the data processing under this DPA is determined by the Fundraiser.
      • Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Fundraiser from time to time.
      • Nature of the processing. Donations made by donors, the Give A Little platform, computer, storage and such other Services initiated by Fundraiser from time to time.
      • Type of Donation Data. Donation Data uploaded to the Services under Fundraiser’s Give A Little accounts.
      • Categories of data subjects. The data subjects include Fundraiser’s Donors.
    3. Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the UK GDPR.
  2. Fundraiser Instructions.
    1. The parties agree that this DPA and the Terms and Conditions (including Fundraiser providing instructions via configuration tools such as the Give A Little platform and APIs made available by Give A Little for the Services) constitute Fundraiser’s documented instructions regarding Give A Little’s processing of Donation Data ("Documented Instructions").
    2. Give A Little will process Donation Data only in accordance with Documented Instructions. Taking into account the nature of the processing, Fundraiser agrees that it is unlikely Give A Little can form an opinion on whether Documented Instructions infringe the UK GDPR. If Give A Little forms such an opinion, it will immediately inform Fundraiser, in which case, Fundraiser is entitled to withdraw or modify its Documented Instructions.
  3. Confidentiality of Donation Data.
    1. Give A Little will not access or use, or disclose to any third party, any Donation Data, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a court order).
  4. Confidentiality.

    Give A Little restricts its personnel from processing Donation Data without authorisation by Give A Little. Give A Little imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

  5. Security of Data Processing.
    1. Give A Little has implemented and will maintain the technical and organisational measures for the Give A Little platform. We take our obligation to keep your data safe from loss, misuse, unauthorised access, disclosure, alteration, and destruction very seriously. We have in place policies and processes along with a series of physical and technological controls to keep your data safe. All donor data is encrypted at rest and in transit. Our accounts require a username and password to log in. You must keep your username and password secure, and never disclose them to a third party.
  6. Sub-processing.
    1. Authorised Sub-processors. Fundraiser provides general authorisation to Give A Little’s use of sub-processors to provide processing activities on Donation Data on behalf of Fundraiser ("Sub-processors") in accordance with this Section.
    2. Sub-processors that are currently engaged by Give A Little:
      • Amazon Web Services for data storage. All data stored using Amazon Web Services is stored either in the European Economic Area or the UK. Data is encrypted both in transit and at rest.
      • Google for our mailbox tool
      • HelpScout as our communications and Fundraiser support tool
      • Mailjet for sending donor receipts and for service notifications
    3. At least 30 days before Give A Little engages a Sub-processor, Give A Little will update clause 6.2 and provide Fundraiser with a mechanism to obtain notice of that update. To object to a Sub-processor, Fundraiser can terminate the Terms and Conditions pursuant to its terms.
    4. Sub-processor Obligations. Where Give A Little authorises a Sub-processor as described in Section 6.1:
      1. Give A Little will restrict the Sub-processor’s access to Donation Data only to what is necessary to provide or maintain the Services, and Give A Little will prohibit the Sub-processor from accessing Donation Data for any other purpose;
      2. Give A Little will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by Give A Little under this DPA, Give A Little will impose on the Sub-processor the same contractual obligations that Give A Little has under this DPA; and
      3. Give A Little will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Give A Little to breach any of Give A Little’s obligations under this DPA.
  7. Give A Little Assistance with Data Subject Requests. Taking into account the nature of the processing, the Service platform is the technical and organisational measures by which Give A Little will assist Fundraiser in fulfilling Fundraiser’s obligations to respond to data subjects’ requests under the UK GDPR. If a data subject makes a request to Give A Little, Give A Little will promptly forward such request to Fundraiser.
  8. Security Incident Notification.
    1. Security Incident. Give A Little will (a) notify Fundraiser of a Security Incident without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
  9. Give A Little Certifications and Audits.
    1. Give A Little Reports. In addition to the information contained in this DPA, upon Fundraiser’s request, and provided that the parties have an applicable NDA in place, Give A Little will make available any applicable security certificates issued (or other documentation evidencing compliance with applicable security standards, e.g. ISO27001, ISO9001, and CyberEssentials Plus).
    2. Audit Reports. At Fundraiser’s written request, and provided that the parties have an applicable NDA in place, Give A Little will provide Fundraiser with a copy of any applicable audit so that Fundraiser can reasonably verify Give A Little’s compliance with its obligations under this DPA.
    3. Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to Give A Little, Give A Little will assist Fundraiser in complying with Fundraiser’s obligations in respect of data protection impact assessments and prior consultation, by providing the information Give A Little makes available under this Section 9.
  10. Termination of the DPA. This DPA will continue in force until the termination of the Terms and Conditions (the "Termination Date").
  11. Deletion of Donation Data. 90 days after the Termination Date we will delete the Donation Data and delete existing copies of the personal data unless UK law requires it to be stored. You will be given access to the Give A Little platform for 10 days in order to download a copy of your data before it’s deleted.