1. Parties and Roles
This Data Processing Addendum ("DPA") forms part of the agreement between A Step Ahead Media, doing business as All In One Nonprofit ("we", the "Processor"), and the customer organization that uses the Service (the "Customer", the "Controller"). It governs our processing of personal data that the Customer submits to or generates within the Service.
For the personal data of the Customer's own constituents (donors, members, volunteers, board members, and similar), the Customer is the controller and All In One Nonprofit is the processor. The Customer is responsible for having a lawful basis to collect and use that data and for the accuracy of any instructions it gives us.
2. Definitions
Terms such as "personal data", "processing", "controller", "processor", "data subject", and "personal data breach" have the meanings given in applicable data protection laws, including the EU and UK GDPR and the California Consumer Privacy Act as amended (CCPA/CPRA), to the extent they apply.
3. Scope and Details of Processing
- Subject matter: our provision of the All In One Nonprofit apps and related services.
- Duration: for the term of the Customer's account, plus the limited retention period in our Data Retention Schedule.
- Nature and purpose: hosting, storing, organizing, and helping the Customer manage and generate documents about its constituents and operations, including optional AI-assisted drafting.
- Categories of data subjects: the Customer's donors, members, volunteers, board members, staff, applicants, and other contacts the Customer chooses to enter.
- Categories of personal data: contact and profile details, giving and membership history, notes, and any files the Customer uploads. The Customer should not enter special-category data unless necessary, and is responsible for any it chooses to enter.
4. Processor Obligations
- Process personal data only on the Customer's documented instructions, including this DPA and the Customer's use of the Service, unless required by law (in which case we will inform the Customer where legally permitted).
- Ensure that personnel authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Section 5).
- Not sell personal data and not use it for our own advertising. Customer constituent data is processed only to provide the Service.
- Assist the Customer, taking into account the nature of processing, with data subject requests and with the Customer's own security, breach-notification, and impact-assessment obligations.
5. Security Measures
We maintain reasonable technical and organizational measures appropriate to the risk, including: encryption of data in transit (HTTPS/TLS); access controls and authenticated sessions scoped per user and organization; hosting on reputable infrastructure (see Section 6); and segregation of customer data by account and organization. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.
6. Subprocessors
The Customer authorizes All In One Nonprofit to engage the subprocessors listed at buildyourclub.com/subprocessors to help provide the Service. We impose data-protection obligations on each subprocessor that are no less protective than this DPA. We will maintain the subprocessor list current and, where required, give the Customer advance notice of new subprocessors (generally at least 30 days where feasible) so the Customer can object on reasonable data-protection grounds.
7. Data Subject Rights
The Service provides features that let the Customer access, correct, export, and delete constituent records directly. Taking into account the nature of the processing, we will provide reasonable assistance if the Customer needs help responding to a verified data subject request that it cannot fulfill through the Service itself.
8. Personal Data Breach Notification
If we become aware of a personal data breach affecting Customer personal data, we will notify the Customer without undue delay (and, where feasible, within 72 hours of confirming the breach), provide the information reasonably available to help the Customer meet its own notification obligations, and take reasonable steps to mitigate and remediate.
9. International Transfers
The Service is operated from the United States, and our subprocessors may process data in the United States and the European Union. Where personal data of individuals in the EEA or UK is transferred, the parties will rely on a lawful transfer mechanism, such as the Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated by reference where they apply.
10. Return and Deletion
The Customer may export its data at any time through the Service. On termination or closure of the account, we will delete Customer personal data in accordance with our Data Retention Schedule (generally within 90 days), except where retention is required by law (for example, payment and tax records).
11. Audits
On reasonable written request, and no more than once per year unless required by a supervisory authority or following a breach, we will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality.
12. General
This DPA supplements and forms part of the agreement between the parties. If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls. This DPA is governed by the laws of the State of Florida, consistent with the main agreement. If any provision is unenforceable, the remainder stays in effect.
13. Contact
A Step Ahead Media, DBA All In One Nonprofit
Email: [email protected]
Website: buildyourclub.com