Data Processing Addendum

This Data Processing Addendum (the “DPA”) is an addendum to the Order Form between Benevity, Inc. (“Benevity”) and Client (as defined in the Order Form) and is dated as of the Effective Date of the Order Form (together with the Terms of Service, the “Agreement”). Capitalized terms used but not defined herein shall have the meanings set forth in the Agreement.

(A)    Benevity and Client entered into the Agreement that requires Benevity to process Personal Data on behalf of Client;

(B)     This DPA sets out the additional terms, requirements, and conditions on which Benevity will process Personal Data when providing services under the Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679), and of the retained EU law version of that Regulation, for contracts between controllers and processors.

1. Definitions: In this DPA, the following terms shall have the following meanings:

(a)    “Applicable Data Protection Law” means all applicable laws and regulations relating to Processing and protection of Personal Data in force from time to time, including but not limited to the (i) European Union’s General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); (ii) in respect of the United Kingdom, the Data Protection Act 2018 and the GDPR as saved into the United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”); (iii) in respect of Switzerland, the Federal Act on Data Protection (“Swiss FADP”); (iv) in respect of the United States, applicable federal or state information privacy laws including but not limited to California Consumer Privacy Act, Civ. Code 1798.100 et seq., as amended including by the California Privacy Rights Act (“CCPA”); or (v) any other relevant applicable data protection law.
 
(b)    “Controller” means a person or organization who controls the collection, holding, Processing or use of Personal Data, including a person or organization who instructs another person or organization to collect, hold, Process, use, Transfer or disclose personal information on his or her behalf. 
 
(c)    “Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
 
(d)    “Data Subject” means the identified or identifiable person to whom Personal Data relates.
 
(e)    “Europe” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland, and Liechtenstein ("EEA"), as well as, for the purposes of this DPA, Switzerland and the United Kingdom.
 
(f)    “International Data Transfer Agreement” or “IDTA” means the template IDTA A1.0 issued by the United Kingdom’s Information Commissioner’s Office and laid before Parliament in accordance with S.119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4, together with the relevant tables set out in the Annexes and Appendices of this Addendum.
 
(g)    “Personal Data” means any information relating to (i) an identified or identifiable natural person, and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information) under Applicable Data Protection Law; and (iii) personal information that Benevity collects on behalf of Client or that Client shares with and/or otherwise discloses to Benevity pursuant to Agreements and in the course of obtaining Services from Benevity (“Covered Personal Data”).
 
(h)   “Processor” means the entity which Processes Data on behalf of the Controller. 
 
(i)    “Process”, “Processes” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available (including the transferring of Personal Data to third-parties), alignment or combination, restriction, erasure or destruction.
 
(j)    “Restricted Transfer” means: (i) where the GDPR applies, a Transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a Transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss FADP applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
 
(k)    “Standard Contractual Clauses” means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the Transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (available as of June 2021 here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) (the “EU SCCs”); (ii) where the UK GDPR applies, the IDTA or UK Addendum; and (iii) where the Swiss FADP applies, the EU SCCs, in accordance with the Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) statement of August 27, 2021.
 
(l)    “Subprocessor” means any entity which is processing Personal Data on behalf of the Processor (including any affiliate of the Processor).
 
(m)    “Transfer” means to disclose or otherwise make Personal Data available to a third party (including to any affiliate or Subprocessor), either by physical movement of the Personal Data to a third party or by enabling access to the Personal Data by other means.
 
(n)    “Transfer Impact Assessment” means a local country assessment that evaluates the extent to which adequate protection is afforded to the Personal Data within that country, in the context of a transfer of Personal Data to the country in question, including with regards to enforcement rights and effective legal remedies of a Data Subject(s). 
 
(o)    “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the United Kingdom’s Information Commissioner’s Office in accordance with S119A(1) of the Data Protection Act 2018 on February 2, 2022 (as may be amended, updated or superseded from time to time by the UK Government or the Information Commissioner’s Office) and attached hereto as Appendix D.
 
(p)    For Personal Data protected by US Privacy Laws, the terms “business,” “business purpose,” “commercial purpose,” “controller,” “processor,” “sale,” “sell,” “service provider” and “share” shall have the meanings given to those terms in the applicable US Privacy Laws.

1.2. In the case of conflict or ambiguity between:

(a)   any provision contained in the body of this DPA and any provision contained in the Appendices of this DPA, the provision in the body of this DPA will prevail;

(b)   the terms of the Agreement and any provision contained in the Appendices of this DPA, the provision contained in the Appendices will prevail;

(c)   any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail; and

(d)   any of the provisions of this DPA and any executed SCC, the provisions of the executed SCC will prevail.
 
2. Relationship of the Parties: Client (the Controller) appoints Benevity as its Processor to Process the Personal Data.  Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. The Client retains control of the Personal Data and remains responsible for its compliance obligations under the Applicable Data Protection Law, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Benevity.

Where applicable, with respect to US Privacy Laws, Client is a “business” or “Controller” and is engaging Benevity as a “service provider” or “Processor” to Process Covered Personal Data in the performance of the Services on behalf of Client.

Should Benevity reasonably believe that a specific Processing activity is beyond the scope of the Client’s instructions but is required to comply with a legal obligation to which Benevity as Processor is subject, Benevity shall inform the Client of that legal obligation before undertaking such Processing.

3. Purpose limitation: Benevity shall Process the Personal Data as a Processor as necessary to perform its obligations under the Agreement, including performing the Services specified therein and strictly in accordance with the documented instructions of Client, provided this does not infringe Applicable Data Protection Law, and in such a case, Benevity shall notify Client of that legal requirement before Processing, unless the applicable law prohibits such notification (the “Permitted Purpose”).

Without prejudice to the terms of this Clause 3, Benevity is granted a “General Written Authorisation” under Clause 9 of the Standard Contractual Clauses to transfer Personal Data to any Subprocessors named in this DPA.

In no event shall Benevity Process the Personal Data for its own purposes or those of any third party.
 
For Personal Data protected under applicable US Privacy Laws, any Processing of Covered Personal Data is not for monetary or other valuable consideration, but instead to support the Services pursuant to the Agreement, and therefore does not constitute a sale of Covered Personal Data to Benevity. The Processor is expressly prohibited from selling or sharing the Covered Personal Data; from retaining, using or disclosing the Covered Personal Data for any purpose other than the specific purpose of performing the Services, including retaining, using, or disclosing the Covered Personal Data for a commercial purpose other than providing the Services; and from retaining, using, or disclosing the information outside of the direct business relationship.

4. International transfers: Benevity shall not Transfer the Personal Data (nor permit the Personal Data to be Transferred) across country borders unless: (a) it has first obtained Client’s prior written consent; (b) it takes such measures as are necessary and legally required, such as entering into applicable Standard Contractual Clauses, to ensure the Transfer is in compliance with Applicable Data Protection Law; and (c) it has implemented all necessary additional measures and safeguards as required by Applicable Data Protection Laws.  Client hereby consents to the Transfer of Personal Data between Canada and the United States and across country borders as may be required to facilitate the Services; further, and for the avoidance of doubt, the Client hereby consents to the appointment by Benevity of Subprocessors located outside the UK and the EEA, and the Client authorizes Benevity to enter into the SCCs contained in this DPA with such of its Subprocessors as is appropriate.

5. Confidentiality of processing: Benevity shall ensure that any person that it authorizes to Process the Personal Data (including Benevity's staff, agents and subcontractors) (an "Authorized Person(s)") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality. Benevity shall ensure that all Authorized Persons process the Personal Data only as necessary for the Permitted Purpose.

6. Security: Benevity shall implement appropriate technical and organizational measures to protect the Personal Data from Data Breaches.   Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.  At a minimum, such measures shall include the measures identified in Exhibit A of the Software and Service Information and as described in Appendix B of this DPA.
 
Additionally, Benevity will ensure that, as appropriate, its employees:

(a)   are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;

(b)   have undertaken training on the Applicable Data Protection Law relating to handling Personal Data and how it applies to their particular duties; and

(c)   are aware of their duties and obligations to support the Security measures set out at Appendix C to this DPA. 

7. Subprocessing: Except as provided in this Section 7, Benevity shall not subcontract any Processing of the Personal Data to a third party Subprocessor without the prior written consent of Client. Client hereby consents to Benevity engaging third party Subprocessors to Process the Personal Data provided that: (a) Benevity provides the Client the opportunity to object to the use of a Subprocessor by providing at least thirty (30) days’ prior notice of the addition of any new Subprocessor (including details of the scope of Processing it performs or will perform and the location and identity of the Subprocessor), which may be given by emailing details of such addition to Client; (b) Benevity carries out adequate due diligence on the Subprocessor to ensure it is capable of providing the level of protection of Personal Data required by this DPA; (c) Benevity imposes data protection terms on any new Subprocessor that protect the Personal Data to the same standard provided for by this DPA; and (d) Benevity remains fully liable for any breach of this DPA that is caused by an act, error or omission of its Subprocessor. A list of approved Subprocessors as at the date of this DPA is attached at Appendix A. If Client refuses Benevity’s appointment of a third-party Subprocessor on reasonable grounds relating to the protection of the Personal Data, then either Benevity will not appoint the Subprocessor or Client may elect to suspend or terminate the Agreement without penalty.
 
If Client terminates the Agreement pursuant to this Section 7, it does so without penalty or liability (other than for fees due and owing to Benevity for services performed prior to such termination).

8. Cooperation and Data Subjects’ Rights: Taking into account the nature of the Processing, Benevity shall provide assistance (including by appropriate technical and organizational measures) to Client to enable Client to respond to: (a) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Personal Data (together, a “Request”). In the event that any such Request is made directly to Benevity, Benevity shall promptly inform Client, providing full details of the same.

9. Data Protection Impact Assessment: Taking into account the nature, scope, context and purposes of the Processing, if the Client directs, or if Benevity believes or becomes aware that its Processing of the Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform Client and provide Client with all such reasonable and timely assistance as Client may require in order to conduct a Transfer Impact Assessment. 

10. Data Breaches: Upon becoming aware of a Data Breach affecting Client’s Personal Data, Benevity shall inform Client without undue delay, and in any event no later than 24 hours after becoming aware.  Benevity shall provide all such timely information and cooperation as Client may require in order for Client to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.  Such notification shall include, at a minimum: (a) a description of the nature of the breach (including, where possible, categories and approximate number of Data Subjects and Personal Data records concerned); (b) details of a contact point where more information can be obtained; (c) a description of the likely consequences of the Data Breach; and (d) a description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.  Benevity shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Data Breach and shall keep Client up-to-date about all developments in connection with the Data Breach.

11. Deletion or Return of Personal Data: Upon termination or expiry of the Agreement, Benevity shall (at Client’s election) destroy or return to Client all Personal Data (including all copies of the Personal Data) in its possession or control (including any Personal Data subcontracted to a third party for Processing).  Notwithstanding the foregoing, and only to the extent necessary for the prevention of fraud and to adhere to taxation record retention requirements, Benevity retains Personal Data pertaining to donation transactions in accordance with requirements under applicable laws, but in general for seven (7) years from the date of termination of the Agreement. The requirement to destroy or return herein shall also not apply to the extent that Benevity is required by any other applicable law to retain some or all of the Personal Data. In the event of any of the foregoing exceptions, Benevity shall isolate and protect the Personal Data from any further Processing except to the extent required for fraud prevention or by such law. In all cases, for so long as Personal Data is retained in accordance with this Section 11:  (i) the obligations of confidentiality and security set out in the Agreement and this DPA shall apply in relation to that Personal Data; (ii) the Personal Data will not be used for any commercial purpose; and (iii) the Personal Data will be deleted or otherwise destroyed in a timely manner in accordance with Benevity’s document management/destruction policies.

12. Security Package, Audit and Inspection:

(a) Benevity Security Package.  Upon request by Client, Benevity will provide initially and annually to Client, without charge, Benevity’s standard security package which includes copies of: (i) Benevity’s audit report performed by an independent third-party auditor; (ii) Benevity’s hosting provider’s audit report; (iii) PCI DSS attestations of compliance from payment processors used; and (iv) a completed industry-standard information security questionnaire (together the “Benevity Security Package”).  Benevity will assist Client with reasonable inquiries that may not be covered by the Benevity Security Package. Where requests to complete Client’s security questionnaire are duplicative of material available in the Benevity Security Package, Benevity will charge a reasonable agreed-upon fee to Client for such additional assistance.

(b) Audit and Inspection. Benevity shall permit Client (or its third-party auditors) to inspect or audit for Benevity’s compliance with this DPA to the extent required by Applicable Data Protection Law with mutual agreement on scope, timing and duration, provided that Client gives at least thirty (30) days’ prior notice of its intention to inspect or audit, conducts its inspection or audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Benevity’s operations. Client shall ensure that its personnel (or its third-party auditors) adhere to Benevity’s reasonable internal security measures and are bound to confidentiality obligations no less stringent than those in the Agreement. Except for an audit or inspection as a result of Section 12(c)(i) and (ii) below, Benevity will charge a reasonable agreed-upon fee to Client for such additional assistance.

Any audits with respect to Benevity’s Subprocessor Amazon Web Services (AWS) shall be conducted in accordance with the AWS audit policy located at:  https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf. 

(c) Annual Request. Client will not exercise its audit and inspection rights more than once in any twelve (12) calendar month period, except: (i) if and when required by instruction of a competent data protection authority; or (ii) Client reasonably believes a further audit is necessary due to a Data Breach suffered by Benevity. 

13. Standard Contractual Clauses: The parties agree that when the Transfer of Personal Data from Client (as “data exporter”) to Benevity (as “data importer”) is a Restricted Transfer and Applicable Data Protection Law requires that appropriate safeguards are put in place, the Parties will be subject to the relevant Standard Contractual Clause(s). The relevant Standard Contractual Clause(s) will be deemed incorporated into and form a part of this DPA as follows:

(a) In relation to Transfers of Personal Data protected by the GDPR, the EU SCCs will be completed as follows:

(i) the clauses as set forth in Module Two (Controller to Processor) shall apply;
(ii) the “data exporter” is the Client and the data exporter’s contact information is set forth in Appendix B;
(iii) the “data importer” is Benevity, and Benevity’s contact information is set forth in Appendix B;
(iv) in Clause 7, the optional docking clause will apply;
(v) in Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set out in Section 7 of this DPA;
(vi) in Clause 11, the optional language will not apply;
(vii) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(viii) in Clause 18(b), disputes will be resolved before the courts of Ireland; and
(ix) Annexes I and II of the Appendix are set forth in Appendix B below.
 
(b) In relation to Transfers of Personal Data protected by the UK GDPR, the EU SCCs together with the UK Addendum will apply to such Transfers subject to the following: 
 
(i) Part 1: Table 1 to such UK Addendum shall be deemed to be the party details listed in Appendix B(A);
(ii) Part 1: Table 2 to such UK Addendum shall be interpreted as referencing the EU SCC (module Controller to Processor) as completed in the EU SCC Exhibit;
(iii) Part 1: Table 3 – Annex 1A and 1B to such UK Addendum shall be deemed to be the same as Appendix B;
(iv) Part 1: Table 3 – Annex II to such UK Addendum shall be deemed to be the same as Appendix C; 
(v) Part 1: Table 3 – Annex III to such UK Addendum shall be deemed to be the same as Appendix A; and
(vi) Parties agree to not complete Part 1: Table 4.

(c) In relation to Transfers of Personal Data protected by the Swiss FADP and in accordance with the statement of the Swiss FDPIC of 27 August 2021, the EU SCCs shall be completed as in 13(a) above with additional revisions as follows:
 
(i) the term “Member State” cannot be interpreted to exclude Data Subjects in Switzerland from exercising their rights under the FADP;
(ii) in Clause 13, the Swiss FDPIC shall be the competent supervisory authority insofar as the data transfer is governed by the FADP, with parallel supervision together with the EU competent supervisory authority;
(iii) in Clause 17, the law of the EU country specified shall be the governing law; and
(iv) in Clause 18, the courts of the EU country as specified shall be the choice of forum, but this shall not exclude individuals in Switzerland from the possibility of bringing a claim in their place of habitual residence in Switzerland, in accordance with Clause 18(c).
 
(d) In the event that the SCCs are at any time no longer deemed to provide adequate protection to Personal Data transferred to Third Country Recipients, the parties shall enter into and/or adopt such alternative data transfer solution to replace the SCCs as is required by the European Commission or the appropriate Regulator to comply with Applicable Data Protection Law.

(e) Subject to terms required by Applicable Data Protection Law, the term of this DPA shall be for the period in which the Agreement remains in force (“DPA Term”) and shall not be terminated prior to the end of the DPA Term unless there is a material breach of this DPA or the parties agree in writing. 

Appendices A, B, C and D (UK Addendum)