Donor Insights

Legal

Data Processing Addendum

Effective form pending final legal review. The provider entity is shown as Pray, Inc. d/b/a Donor Insights pending legal's confirmation of the exact wording; all other text follows the source document.

This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between Customer and Pray, Inc. d/b/a Donor Insights (“Donor Insights”) (collectively, “the parties”) for the provision of services to Customer (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

1Definitions

In this DPA:

  1. “Data Protection Law” means all laws that apply to the Processing of Personal Data under the Agreement, including the laws and regulations of the United States and its states, as amended from time to time, to the extent such laws and regulations apply to the relevant party.
  2. “Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable natural person that Donor Insights may Process on Customer’s behalf in performing the services under the Agreement.
  3. “Processing” (including its cognate "Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  4. “Security Incident” means a security breach leading to the unauthorized or unlawful access by a third party, or confirmed unlawful destruction, loss or alteration, of Personal Data.
  5. “Services” means the services that Donor Insights provides to Customer under the Agreement.

2Data Protection

When Donor Insights Processes Personal Data, it will:

  1. Process the Personal Data to provide the Services under the Agreement and this DPA;
  2. assist Customer, taking into account the nature of the Processing and the information available to Donor Insights, in complying with Customer's obligations to respond to requests concerning Personal Data from individuals under applicable Data Protection Law;
  3. implement and maintain appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk, which include the technical and organizational measures required by applicable Data Protection Law;
  4. only entrust the Processing of Personal Data to personnel who have undertaken to comply with confidentiality requirements; and
  5. on termination of the Agreement, as instructed by Customer, delete or return the Personal Data, except where continued retention of Personal Data is in accordance with applicable law or Donor Insights’ policies, in which case Donor Insights shall retain such Personal Data in accordance with this DPA.

Donor Insights will not (a) “sell” or “share” (as defined in Data Protection Law) the Personal Data; (b) retain, use, combine, or disclose the Personal Data for any purpose other than as permitted under this DPA and in accordance with the Agreement; or (c) retain, use, or disclose the Personal Data other than in the context of the direct relationship with Customer in accordance with the Agreement.

3Customer Responsibilities

Customer is responsible for the lawfulness of Personal Data processing under or in connection with the services. Customer will (i) provide all required notices and obtain all required consents, permissions and rights necessary under applicable Data Protection Law for Donor Insights to lawfully Process Personal Data for the purposes contemplated by the Agreement; (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) comply with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Donor Insights; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).

4Subprocessing

  1. Customer agrees that Donor Insights may use the third-party suppliers to Process Personal Data on its behalf for the provision of the services under the Agreement (each a “Subprocessor”).
  2. Donor Insights will ensure that any Subprocessors to which it transfers Personal Data enter into written agreements with Donor Insights requiring that the Subprocessor abide by terms substantially similar to those contained in this DPA.
  3. Donor Insights will remain liable for any breaches of this DPA caused by its Subprocessors.

5Assistance and Notifications

Unless prohibited by Data Protection Law, Donor Insights must inform Customer if Donor Insights:

  1. receives a request, complaint or other inquiry regarding the Processing of Personal Data;
  2. receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body;
  3. is subject to a legal obligation that requires Donor Insights to Process Personal Data in contravention of Customer’s instructions; or
  4. is otherwise unable to comply with Data Protection Law or this DPA.

Upon becoming aware of a Security Incident, Donor Insights will inform Customer without undue delay and will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfil its data breach reporting obligations under applicable Data Protection Law.

6Audit

  1. Donor Insights will make available to Customer at Customer’s request reasonable information which is necessary to demonstrate compliance with this DPA as requested by Customer.
  2. To the extent Donor Insights makes available to Customer confidential summary reports ("Audit Report") prepared by third-party security professionals, upon request from Customer, Donor Insights may provide such Audit Report in satisfaction of audit rights accorded to Customer pursuant to Data Protection Law.
  3. If Customer can demonstrate that it requires additional information, beyond the Audit Report, then Customer may request, at Customer's cost, Donor Insights to provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other Donor Insights Customers or suppliers, Donor Insights’ technical and organizational measures, or any trade secrets; and (ii) be performed upon not less than thirty (30) days’ notice, during regular business hours and in such a manner as not to unreasonably interfere with Donor Insights’ normal business activities.

7General

  1. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Personal Data.
  2. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
  3. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.
  4. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.