Data Processing Agreement

Last updated: January 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between you (the “Customer” or “Controller”) and DonorKit, Inc., doing business as townhall (“townhall,” “we,” “us,” or the “Processor”), governing the Processing of Personal Data carried out by townhall on the Customer's behalf.

This DPA reflects the parties' agreement on the Processing of Personal Data in accordance with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”), the UK GDPR, and other applicable data protection laws. Where there is a conflict between this DPA and the Agreement, this DPA prevails with respect to the Processing of Personal Data.

Acceptance

By accepting the Agreement and using the Service to Process Personal Data subject to the GDPR, the Customer accepts this DPA on behalf of itself and, to the extent required, its Affiliates. No separate signature is required; however, a counter-signed copy is available on request at legal@townhall.gg.

2. Definitions

Capitalized terms not defined in this DPA have the meaning given in the Agreement. For the purposes of this DPA:

  • “Personal Data” means any information relating to an identified or identifiable natural person that is Processed by townhall on behalf of the Customer under the Agreement.
  • “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
  • “Controller,” “Processor,” “Processing,” and “Supervisory Authority” have the meanings given to them in the GDPR.
  • “Sub-processor” means any third party engaged by townhall to Process Personal Data in connection with the Service.
  • “Standard Contractual Clauses” (“SCCs”) means the standard data protection clauses adopted by the European Commission for the transfer of Personal Data to third countries.
  • “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the GDPR and the UK GDPR.

3. Roles & Scope of Processing

The parties acknowledge that, with respect to the Processing of Personal Data under the Agreement, the Customer acts as the Controller and townhall acts as the Processor. Where the Customer is itself acting as a Processor on behalf of a third-party Controller, townhall acts as a Sub-processor.

townhall will Process Personal Data only as necessary to provide the Service and in accordance with the Customer's documented instructions. The details of the Processing are as follows:

| Element | Details |
| --- | --- |
| Subject matter | Provision of the townhall platform (forms, files, links, CRM, email, and related features) |
| Duration | For the term of the Agreement, plus any retention period described in this DPA |
| Nature & purpose | Hosting, storing, transmitting, and otherwise Processing Personal Data to deliver the Service |
| Categories of Data Subjects | The Customer's end users, form respondents, contacts, donors, and team members |
| Categories of Personal Data | Contact details, form submission content, file contents, identifiers, and usage metadata |

Special Categories of Data

The Service is not designed to Process special categories of Personal Data (Article 9 GDPR) such as health, biometric, or financial account data. The Customer is responsible for ensuring that such data is not submitted through the Service unless expressly agreed in writing and appropriate safeguards are in place.

4. Processing Instructions

townhall will Process Personal Data only on documented instructions from the Customer, including with regard to international transfers, unless required to do otherwise by Union or Member State law. The Agreement, this DPA, and the Customer's use and configuration of the Service constitute the Customer's complete and final documented instructions.

townhall will immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other Applicable Data Protection Laws. townhall has no obligation to assess the lawfulness of the Customer's instructions beyond this notification duty.

5. Confidentiality

townhall ensures that persons authorized to Process Personal Data are bound by appropriate obligations of confidentiality, whether by contract or statutory duty, and have received appropriate training on their responsibilities. Access to Personal Data is limited to personnel who require access to provide and support the Service.

6. Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, townhall implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
  • Secure password hashing (bcrypt) and support for two-factor authentication
  • Role-based access controls and the principle of least privilege
  • Network segmentation, firewalls, and security monitoring
  • Logical separation of Customer data within multi-tenant infrastructure
  • Regular vulnerability scanning and security assessments
  • Backup, restoration, and business-continuity procedures
  • A documented incident response and breach notification process

townhall may update its security measures from time to time provided that such updates do not materially reduce the overall level of protection of Personal Data.

7. Sub-processors

The Customer provides a general authorization for townhall to engage Sub-processors to Process Personal Data, subject to the conditions in this section. townhall imposes data protection obligations on each Sub-processor that are no less protective than those set out in this DPA, and remains liable for the performance of each Sub-processor's obligations.

The current Sub-processors used to provide the Service are:

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| DigitalOcean | Database and application hosting | United States |
| Cloudflare | File storage (R2), CDN delivery, and email routing | Global (edge) |
| SMTP2GO | Transactional and notification email delivery | United States |
| Stripe | Payment processing | United States |
| Polar.sh | Subscription billing | United States |

townhall will notify the Customer of any intended addition or replacement of a Sub-processor, giving the Customer the opportunity to object on reasonable data-protection grounds within 30 days. To receive notifications of Sub-processor changes, contact dpo@townhall.gg. If the Customer objects and the matter cannot be resolved, the Customer may terminate the affected portion of the Service.

8. Data Subject Rights

Taking into account the nature of the Processing, townhall will assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under the GDPR, including the rights of access, rectification, erasure, restriction, portability, and objection.

The Service provides self-service tools that enable the Customer to access, correct, export, and delete Personal Data. If townhall receives a request directly from a Data Subject relating to the Customer's Personal Data, it will, where legally permitted, promptly notify the Customer and will not respond directly except on the Customer's documented instructions.

9. Personal Data Breaches

townhall will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notification will, to the extent available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.

townhall will assist the Customer in meeting the Customer's breach-notification and communication obligations to Supervisory Authorities and Data Subjects under Articles 33 and 34 of the GDPR. A notification is not an acknowledgement by townhall of any fault or liability.

10. International Transfers

townhall and its Sub-processors may Process Personal Data in countries outside the European Economic Area, the United Kingdom, or the Customer's jurisdiction, including the United States. Where such transfers occur, townhall ensures that an appropriate transfer mechanism is in place, including:

  • The Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum where applicable)
  • Adequacy decisions, where available for the relevant country
  • Supplementary technical and organizational measures, such as encryption

The SCCs are incorporated into this DPA by reference and apply to any transfer of Personal Data that requires them. In case of conflict, the SCCs prevail with respect to the relevant transfer.

11. Audits & Compliance

townhall will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

To minimize disruption, the Customer will provide reasonable prior notice, conduct audits no more than once per year (unless required by a Supervisory Authority or following a Personal Data Breach), and comply with townhall's reasonable confidentiality and security requirements. townhall may satisfy an audit request by providing relevant certifications, third-party audit reports, or security documentation.

12. Return & Deletion of Data

Upon termination or expiry of the Agreement, townhall will, at the Customer's choice, delete or return all Personal Data Processed on the Customer's behalf and delete existing copies, unless Union or Member State law requires continued storage.

  • The Customer may export Personal Data through the dashboard or API before termination
  • Account data is deleted within 30 days of account deletion
  • Uploaded files are removed from storage and the CDN
  • Backups containing Personal Data are purged within 90 days

townhall may retain Personal Data to the extent and for as long as required by Applicable Data Protection Laws, and only for the purposes and duration specified by such law, applying appropriate confidentiality and security measures during that period.

13. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together.

14. Term & Termination

This DPA takes effect on the date the Customer accepts the Agreement and remains in force for as long as townhall Processes Personal Data on the Customer's behalf. Provisions that by their nature should survive termination, including those relating to confidentiality, deletion, and liability, continue to apply.

15. Contact

For questions about this DPA or to request a counter-signed copy, please contact us:

  • Data Protection Officer: dpo@townhall.gg
  • Legal: legal@townhall.gg
  • Company: DonorKit, Inc. (d.b.a. townhall)

Related documents

This DPA should be read together with our Terms of Service and Privacy Policy.


© 2026 DonorKit, Inc. d.b.a. townhall. All rights reserved.