
Data Processing Agreement

Effective Date: April 9, 2026

Who this is for: This Data Processing Agreement (DPA) governs the processing of personal data by VolunteerFlow on behalf of organizations subject to GDPR, CCPA, or similar data protection regulations. It is entered into pursuant to GDPR Article 28.

This Data Processing Agreement ("DPA") is entered into between the nonprofit organization using VolunteerFlow (the "Controller") and PowerHouseTech LLC, a New York limited liability company doing business as VolunteerFlow (the "Processor"), and is incorporated into and governed by the VolunteerFlow Terms of Service.


1. Definitions

  • Controller: The nonprofit organization determining the purposes and means of processing volunteer Personal Data.
  • Processor: VolunteerFlow, processing Personal Data on behalf of the Controller in accordance with instructions.
  • Data Subject: Any individual to whom Personal Data relates, including volunteers, staff, and administrative contacts.
  • Personal Data: Information relating to identified or identifiable individuals, including names, emails, phones, dates of birth, emergency contacts, volunteer hours, background check results, training certifications, waivers, messages, and files.
  • Processing: Any operation on Personal Data such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or erasure.
  • Sub-Processor: Any entity processing Personal Data on behalf of the Controller under a contract with substantially equivalent data protection obligations.
  • GDPR: The European Union General Data Protection Regulation (EU 2016/679).
  • CCPA: The California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.).

2. Scope and Purpose

VolunteerFlow processes Personal Data solely for providing the VolunteerFlow SaaS platform and related services as described in the Terms of Service. VolunteerFlow shall not use Personal Data for any other purpose without prior written consent of Controller.

Controller warrants that it has a lawful basis under applicable privacy laws to collect and process the Personal Data, and that all required notices have been provided to Data Subjects. VolunteerFlow shall process Personal Data only in accordance with: (a) documented instructions in the Terms of Service; (b) written organization-specific instructions; and (c) applicable laws.

3. Types of Personal Data Processed

VolunteerFlow processes the following categories of Personal Data on behalf of Controller:

  • Volunteer identity information (names, emails, phones, addresses, dates of birth)
  • Emergency contact information
  • Volunteer activity and hours records
  • Applications and submissions
  • Training and certification records
  • Background check results
  • Waiver and consent records
  • Communication records (messages, SMS)
  • File uploads and attachments

Data Subjects include: volunteers, organization staff and administrators, and administrative contacts.

4. Sub-Processors

Controller consents to the following sub-processors. Each is bound by a written agreement imposing substantially equivalent data protection obligations. VolunteerFlow shall provide Controller with at least 30 days' prior written notice before engaging any new sub-processor.

Sub-Processor    Purpose
Supabase         Cloud database hosting, storage, and API services
Stripe           Payment processing and billing management
PayPal           Payment processing and billing management
Twilio           SMS messaging and telephone communications
Checkr           Background check processing and verification
Sentry           Error tracking, performance monitoring, and session replay
Vercel           Application hosting, deployment, and analytics

5. Controller Obligations

Controller is responsible for:

  • Ensuring a lawful basis under GDPR, CCPA, and applicable laws for collecting and processing Personal Data
  • Providing required notices to Data Subjects regarding collection, processing, and sharing of Personal Data, including notice of VolunteerFlow's role as Processor
  • Obtaining all necessary consents from Data Subjects and maintaining documentation
  • Compliance with all statutory notice requirements

6. Processor Obligations

VolunteerFlow shall:

  • Ensure all persons authorized to access Personal Data are subject to binding confidentiality obligations
  • Process Personal Data only in accordance with documented instructions of Controller
  • Upon receipt of Data Subject rights requests, promptly notify Controller and provide reasonable assistance
  • Not use Personal Data for any purpose other than providing the Services
  • Manage sub-processors in accordance with this DPA

7. Security Measures

VolunteerFlow implements appropriate technical and organizational security measures to protect Personal Data, including:

  • bcrypt password hashing; httpOnly JWT cookies
  • IP allowlisting; rate limiting; multi-factor authentication availability
  • HTTPS transport encryption; database encryption at rest
  • Comprehensive access logging and audit trails
  • Supabase enterprise-grade security including compliance certifications and penetration testing

VolunteerFlow maintains incident response procedures and shall notify Controller promptly of any known or suspected security incidents affecting Personal Data.

8. VolunteerFlow Staff Access

Controller acknowledges and consents to VolunteerFlow support staff accessing organization data for technical support and issue resolution. All staff access is logged and monitored. Staff with data access are subject to binding confidentiality agreements. Support impersonation may be used to diagnose and resolve technical issues, with all activity logged with supporting ticket information.

Controller may request an audit log report showing all staff access to Controller's data. VolunteerFlow shall provide such audit logs within 30 business days.

9. Data Breach Notification

VolunteerFlow shall notify Controller without undue delay and no later than 72 hours after discovering a Personal Data breach affecting Controller's data. Notification shall include: description of the breach and affected data, likely consequences, measures taken or proposed, and contact information for the responsible official.

VolunteerFlow shall provide information necessary for Controller to determine whether Data Subject or regulatory authority notification is required.

10. Data Retention and Deletion

VolunteerFlow shall retain Personal Data for the duration of the service agreement and any legally required retention period thereafter, unless Controller directs otherwise in writing.

Upon termination or expiration of the service agreement, VolunteerFlow shall, at Controller's election:

  • Within 30 days: provide access to export all Personal Data in a standard portable format; or
  • Within 90 days: permanently delete all Personal Data from active systems using secure deletion methods

Personal Data shall be deleted from backup systems within 180 calendar days of termination. Upon completion, VolunteerFlow shall provide written certification of deletion.

11. Data Subject Rights Assistance

Upon receipt of Data Subject access, deletion, portability, or correction requests, VolunteerFlow shall promptly notify Controller and provide reasonable assistance to enable Controller to fulfill the request within applicable legal timeframes (typically 30 days under GDPR). Assistance is provided at no additional charge except for requests requiring substantial development costs.

12. International Data Transfers

Controller acknowledges that VolunteerFlow uses Supabase as its primary hosting provider. Personal Data may be stored on servers located in the United States. For controllers subject to GDPR, VolunteerFlow relies on Standard Contractual Clauses (SCCs) for international data transfers. VolunteerFlow shall execute Data Processing Addenda incorporating SCCs as necessary.

13. GDPR Article 28 Compliance

This DPA is entered into pursuant to GDPR Article 28 and incorporates the mandatory clauses required by that Article. To the extent the Services involve processing of Personal Data of individuals located in the European Union, VolunteerFlow acts as a Processor under GDPR Article 28, and this DPA shall govern that processing relationship.

14. CCPA and Service Provider Compliance

To the extent the Services involve processing of Personal Data of California residents, VolunteerFlow is a Service Provider under CCPA Section 1798.100(d). As a Service Provider, VolunteerFlow shall not retain, use, or disclose Personal Data except as necessary to perform the Services; shall not sell Personal Data; and shall not combine Personal Data received from Controller with Personal Data from other sources.

15. Audit Rights

Controller may request audit information regarding VolunteerFlow's compliance with data protection obligations. VolunteerFlow shall provide audit information within 30 business days of request. VolunteerFlow may satisfy audit requests by providing a current, comprehensive third-party audit report (such as SOC 2 Type II) conducted by an independent auditor.

16. Term and Termination

This DPA is effective as of the date it is accepted by Controller and shall remain in effect for the duration of the service agreement. Upon termination, VolunteerFlow shall cease processing Personal Data and shall return or delete all Personal Data as directed by Controller in accordance with Section 10.

17. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of New York, without regard to its conflict of law provisions.

18. Contact

For questions regarding this DPA, data protection practices, or privacy concerns, contact:
Email: legal@volunteerflow.us

This DPA should be read together with our Privacy Policy and Terms of Service.

Effective as of April 9, 2026.
