Data Processing Agreement

1. Definitions

• Controller: the charity that uploads donor data to Gift Aid Boost
• Processor: Gift Aid Boost, which processes data on behalf of the controller
• Data subjects: donors whose personal data is processed
• Personal data: as defined in UK GDPR Article 4(1)
• Processing: as defined in UK GDPR Article 4(2)
• Sub-processor: third parties engaged by the processor, listed in the sub-processor register

2. Scope of Processing

• Purpose: processing donor personal data solely for Gift Aid recovery
• Categories of data subjects: charity donors
• Types of personal data processed:
  • Names (title, first name, last name)
  • Contact details (email, phone)
  • Address (house name/number, postcode)
  • Date of birth
  • Donation amounts and dates
  • Gift Aid declarations
• Duration: for the term of the agreement + 6 years HMRC retention
• Legal basis: legitimate interests of the controller (Gift Aid recovery)

3. Processor Obligations (Article 28(3))

• (a) Process only on documented instructions from the controller
• (b) Ensure authorised persons are under confidentiality obligation
• (c) Implement appropriate technical and organisational security measures:
  • Encryption at rest for donor personal data
  • Encryption in transit (TLS 1.2+)
  • Database-level multi-tenant isolation
  • Two-factor authentication and session security
  • Security event monitoring and alerting
  • Automated vulnerability scanning
  • Immutable audit logging
  • AI privacy boundary (no PII sent to AI services)
• (d) Only engage sub-processors with prior written authorisation
  • Current sub-processors listed at /compliance-pack
  • 30-day notification of sub-processor changes
• (e) Assist the controller with data subject requests (Articles 15–22)
  • Provide data export within 5 business days
  • Execute erasure requests within 5 business days
  • Rectification upon controller instruction
• (f) Assist the controller with DPIA obligations (Article 35)
• (g) Breach notification: notify controller within 72 hours
  • Include: nature of breach, categories and number of data subjects, likely consequences, measures taken
• (h) At termination: delete all personal data within 90 days
  • Exception: data required for HMRC audit (6-year retention)
  • Written confirmation of deletion on request

4. Controller Obligations

• Ensure lawful basis for processing
• Ensure data subjects have been informed (via charity’s own privacy notice)
• Respond to data subject requests as controller
• Ensure data accuracy before uploading
• Not upload special category data (Article 9)

5. Data Transfers

• Primary data storage within EEA (EU-based database hosting)
• Sub-processors outside EEA: application hosting (US, SOC 2), email delivery (US, SOC 2 Type II), payment processing (US, PCI-DSS Level 1)
• Transfers covered by UK adequacy decisions and standard contractual clauses
• No data transferred to countries without adequate protections

6. Security Measures

7. Audit Rights

• Controller may audit processor’s compliance with this DPA
• Processor will provide information to demonstrate compliance
• Audits at controller’s expense, with 30 days’ notice

8. Liability

• Each party liable for its own breaches of data protection law
• Processor’s liability limited to fees paid in preceding 12 months
• Exclusions for indirect and consequential loss

9. Term and Termination

• Effective from account creation until termination of service
• Surviving obligations: data deletion (section 3h), HMRC retention
• Either party may terminate on 30 days’ written notice

10. Governing Law

• This agreement is governed by the laws of England and Wales
• Subject to the exclusive jurisdiction of the English courts

Contact: james@giftaidboost.com