Our policies & practices

Goodstack Data Processing Agreement

Effective Date: November 15, 2024

This Data Processing Agreement (including any terms set forth in a schedule, appendix or addendum hereto, “DPA”), dated as of the effective date of the Service Agreement (“Effective Date”), is by and between the customer identified in the Service Agreement (“Customer”), and We Are Percent Limited t/a Goodstack (“Vendor”).  Customer and Vendor may be referred to herein together as the “Parties”, and each may be referred to herein as a “Party”. To the extent that the Parties have entered into a prior agreement governing the processing of personal data (the “Prior Agreement”), the Parties understand and agree that this DPA shall supersede and replace such Prior Agreement. For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, Customer and Vendor hereby agree as follows:

1. Definitions.  

   1. “Applicable Laws” means, collectively, all now existing or hereinafter enacted or amended laws, rules, regulations (including, without limitation, self-regulatory obligations), and/or sanctions programs applicable to a Party’s performance hereunder and/or obligations with respect to data protection. 

   2. “CCPA” means the California Consumer Privacy Act of 2018 (Title 1.81.5 of the Civil Code of the State of California), together with all effective regulations adopted thereunder (in each case, as amended from time to time).

   3. “Customer Data” has the meaning assigned to it in Section 2.1(a). 

   4. “Controller” means (i) under and in the context of European Data Protection Law, the data “controller” (as defined by GDPR), (ii) under and in the context of CCPA, the “business” (or third party) (each, as defined by CCPA), and (iii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “controller”, “business”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.

   5. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (and each successor regulation, directive or other text of the foregoing, in each case as amended from time to time).

   6. “European Data Protection Law” means each of EU GDPR, UK GDPR, and the Federal Data Protection Act of 19 June 1992 (Switzerland) (as the same may be superseded by the Swiss Data Protection Act 2020 and as amended from time to time).

   7. “GDPR” means, as applicable, (i) the EU GDPR and/or (ii) the UK GDPR.

   8. “Personal Data” means any information that constitutes (a) “personal information” (as defined by, and in the context of, CCPA), (b) “personal data” (as defined by, and in the context of, European Data Protection Law), and/or (c) “personal data,” “personal information,” or other term denoting a substantially similar definition and obligations under, and in the context of, any other Applicable Laws, in each case that is (i) made available or otherwise provided by Customer to Vendor or by Vendor to Customer in connection with the Services and/or (ii) collected or accessed by Vendor under a Service Agreement(s) via a pixel, cookie, tag, or similar technology on any of Customer’s digital properties.

   9. “Process” means any operation or set of computer operations performed on Personal Data, including, but not limited to, collection, recording, organization, structuring, storage, access, adaptation, alteration, retrieval, consultation, use, transfer, transmit, sale, rental, disclosure, dissemination, making available, alignment, combination, deletion, erasure, or destruction.

   10. “Processor” means (i) under and in the context of European Data Protection Law, the data “processor” (as defined by GDPR), (ii) under and in the context of CCPA, a “service provider” (as defined by CCPA), and (iii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “processor”, “service provider”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.

   11. “Security Incident” means (i) any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Customer Data or (ii) any other event that constitutes a “security breach”, “personal data breach”, or substantially similar term with respect to Customer Data under an Applicable Law(s).

   12. “Service Agreements ” or “Agreement

       ” means, collectively, the agreements and/or terms of service (including, as applicable, each of the Statements of Work/SOWs/Service Orders/Order Forms and exhibits thereunder) between Customer and Vendor.

   13. “Services” means, collectively, the products and/or services provided by Vendor to Customer under the Service Agreements.

   14. “Sub-Processor” means a contractor, subcontractor, consultant, third-party service provider, or agent engaged by Vendor for further Processing of Customer Data.

   15. “UK GDPR” has the meaning ascribed thereto in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018 (as amended from time to time).

   16. “Vendor Data” has the meaning assigned to it in Section 2.1(a). 

2. Data Processing Obligations.  

   1. General.  

      1. Each Party shall comply with its obligations relating to Personal Data under this DPA and under Applicable Laws at its own cost. With respect to Personal Data that Vendor obtains from data subjects that have a direct contractual relationship with Vendor (“Vendor Data”), (i) Vendor is a Controller and (ii) Customer is an independent Controller. With respect to Personal Data that Vendor processes pursuant to the instructions of Customer (including pursuant to the applicable Service Agreement) in order to provide the Services and that is not otherwise Vendor Data (“Customer Data”), (i) Customer is a Controller and (ii) Vendor is a Processor.

      2. With regard to each Party’s employees engaged in Processing Personal Data, the Party shall ensure that such employees are informed of the confidential nature of the Personal Data and are subject to appropriate confidentiality obligations sufficient to comply with the terms of the applicable Service Agreement(s) and this DPA, which confidentiality obligations shall survive following termination of this DPA for at least as long as the period(s) required by the applicable Service Agreement(s) and this DPA.

      3. Customer will have sole responsibility for the legality of Customer Data and the means by which Customer obtained the Customer Data, including, without limitation, obtaining appropriate consent to collect the Customer Data and share such data with Vendor in accordance with Applicable Laws.

      4. Vendor will have sole responsibility for the legality of Vendor Data and the means by which Vendor obtained the Vendor Data, including, without limitation, obtaining appropriate consent to collect the Vendor Data and share such data with Customer in accordance with Applicable Laws.

   2. Customer Data SCCs.

      If Vendor Processes Customer Data relating to an EEA, United Kingdom, or Switzerland data subject (including, without limitation, the transfer of such Customer Data from the EEA, United Kingdom, or Switzerland to a third country not providing an adequate level of protection) outside of the EEA, United Kingdom, and Switzerland, the Processing will be further governed by Schedule I to this Agreement, with Customer as data exporter and Vendor as data importer (together with all Appendixes and Annexes thereto, and as the same may be amended, supplemented, or otherwise modified from time to time, “Customer Data SCCs”), which is incorporated by reference into this DPA solely with respect to Customer Data relating to EEA, United Kingdom and/or Switzerland data subjects.  If there is any conflict between (x) the terms and conditions of either this DPA or the applicable Service Agreement(s), on the one hand, and (y) the terms and conditions of the Customer Data SCCs, on the other hand, then, with respect to Customer Data relating to an EEA, United Kingdom and/or Switzerland data subject(s), the terms and conditions of the Customer Data SCCs will prevail and control.  Vendor may only transfer Customer Data relating to an EEA, United Kingdom, or Switzerland data subject outside the EEA, United Kingdom, and Switzerland in compliance with Applicable Laws and the Customer Data SCCs.

   3. Vendor Data SCCs.

       If Customer Processes Vendor Data relating to an EEA, United Kingdom, or Switzerland data subject (including, without limitation, the transfer of such Vendor Data from the EEA, United Kingdom, or Switzerland to a third country not providing an adequate level of protection) outside of the EEA, United Kingdom, and Switzerland, the Processing will be further governed by Schedule II, with Vendor as data exporter and Customer as data importer (together with all Appendixes and Annexes thereto, and as the same may be amended, supplemented, or otherwise modified from time to time, “Vendor Data SCCs”), which is incorporated by reference into this DPA solely with respect to Vendor Data relating to EEA, United Kingdom and/or Switzerland data subjects.  If there is any conflict between (x) the terms and conditions of either this DPA or the applicable Service Agreement(s), on the one hand, and (y) the terms and conditions of the Vendor Data SCCs, on the other hand, then, with respect to Vendor Data relating to an EEA, United Kingdom, and/or Switzerland data subject(s), the terms and conditions of the Vendor Data SCCs will prevail and control.  Customer may only transfer Vendor Data relating to an EEA, United Kingdom, or Switzerland data subject outside the EEA, United Kingdom, and Switzerland in compliance with Applicable Laws and the Vendor Data SCCs.

   4. CCPA.  Without limiting any of the restrictions on or obligations of Vendor under this DPA, under any of the Service Agreements, or under Applicable Laws, with respect to Customer Data relating to a California “consumer” (as defined by CCPA) or household (“CCPA Personal Data”):

      1. Customer shall be disclosing such CCPA Personal Data under the applicable Service Agreement(s) to Vendor for a “business purpose” (as defined by CCPA), and Vendor shall Process such CCPA Personal Data solely on behalf of Customer and only as necessary to perform such business purpose for Customer; and

      2. Vendor shall not: (i) “sell” (as defined by CCPA) CCPA Personal Data; or (ii) retain, use, or disclose CCPA Personal Data (x) for any purpose (including a “commercial purpose” (as defined by CCPA)) other than for the specific purpose of performing for Customer the services specified in the particular Service Agreement(s) or (y) outside of the direct business relationship between Vendor and Customer; Vendor certifies that it understands the restrictions set forth in this Section 2.3(b) and shall comply with them; and

      3. Notwithstanding anything to the contrary in this DPA (including, for purposes of clarification and without limitation, clauses (a) and (b) of this Section 2.3), in no event shall Vendor process any CCPA Personal Data in such a manner as would constitute (i) a sale (as defined by CCPA) of CCPA Personal Data by Customer to Vendor or (ii) on or after January 1, 2023, the sharing (as defined under CCPA (as amended by the California Privacy Rights Act of 2020)) of CCPA Personal Data by Customer with Vendor; and

      4. If directed by Customer with regard to a particular California consumer or household, Vendor shall delete the CCPA Personal Data of such consumer or household.

   5. Changes in Applicable Laws.

       If, due to any change in Applicable Laws, a Party reasonably believes that (a) Vendor ceases to be able to provide a Service(s) in whole or in part (e.g, with respect to a particular jurisdiction) and/or Customer ceases to be able to use a Service(s) in whole or in part under the then-current terms and conditions of the applicable Service Agreement(s) and this DPA, each Party may terminate the applicable Service Agreement(s) (in whole or, if reasonably practicable, in part).

3. Security.  

   1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risks. Such measures will include reasonable administrative, physical, and technical security controls (including those required by Applicable Laws) that prevent the collection, use, disclosure, or access to Personal Data and Customer confidential information that the Service Agreements do not expressly authorize, including maintaining a comprehensive information security program that safeguards Personal Data and Customer confidential information. These security measures include, but are not limited to: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. 

   2. When assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

4.  Supplementary Measures and Safeguards.

   1. Assistance; Risk Assessment.

      1. Vendor shall assist Customer to ensure compliance with Applicable Laws in connection with the Processing of Customer Data.

   2. Orders.

      Vendor shall notify Customer in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Customer Data. Customer shall have the right to defend such action in lieu of and/or on behalf of Vendor. Customer may, if it so chooses, seek a protective order. Vendor shall reasonably cooperate with Customer in such defense.

5. Notifications.

   1. Security Incidents. 

      Vendor has and will maintain a security incident response plan that includes procedures to be followed in the event of a Security Incident. Vendor will provide Customer with written notice promptly after discovering a Security Incident (including those affecting Vendor or its Sub-Processors), including any information that Customer is required by law to provide to an applicable regulatory agency or to the individuals whose personal data was involved in the Security Incident.

   2. Data Subject Requests.

      Vendor shall (i) promptly notify Customer about any request under Applicable Law(s) with respect to Customer Data received from or on behalf of the applicable data subject and (ii) reasonably cooperate with Customer’s reasonable requests in connection with data subject requests with respect to Customer Data. Vendor shall assist Customer, through appropriate technical and organizational measures, to fulfill its obligations with respect to requests of data subjects seeking to exercise rights under Applicable Law with respect to Customer Data.

   3. Vendor shall not have Customer Data Processed by a Sub-Processor unless such Sub-Processor is bound by a written agreement with Vendor that includes data protection obligations at least as protective as those contained in this DPA and the applicable Service Agreement(s) and that meet the requirements of Applicable Laws. Vendor is and shall remain fully liable to Customer for any failure by any Sub-Processor to fulfill Vendor’s data protection obligations under Applicable Laws.

   4. Vendor provides a list of all Sub-Processors who access Customer Data, available at:

      https://trust.goodstack.io/ (the “Website”). Customer specifically authorizes and instructs Vendor to engage the Sub-Processors listed on the Website as of the Effective Date. Vendor will notify Customer of any changes to the Sub-Processors listed on the Website and grant Customer the opportunity to object to such change. Upon Customer’s request, Vendor will provide all information necessary to demonstrate that the Sub-Processors will meet all requirements pursuant to Section 6.1. In the case Customer objects to any Sub-Processor, Vendor can choose to either not engage the Sub-Processor or to terminate this DPA with thirty (30) days’ prior written notice.

   5. Third-party providers that maintain IT systems whereby access to Customer Data is not needed but can technically also not be excluded do not qualify as Sub-Processors within the meaning of this Section 6. They can be engaged based on regular confidentiality undertakings and subject to Vendor’s reasonable monitoring.

6. Sub-Processors.

7. Deletion.

   Vendor shall, at the request of Customer: (i) delete or return all Customer Data to Customer after such Customer Data is no longer necessary for the provision of the Services, and (ii) delete existing copies of such Customer Data.

8. Documentation.

   1. or shall, upon Customer’s request, provide Customer (a) comprehensive documentation of Vendor’s technical and organizational security measures, (b) any and all third-party audits and certifications available with respect to such security measures, and (c) and all other information reasonably necessary to demonstrate compliance with the Vendor’s obligations under this DPA and/or under Applicable Laws.

9. Term; Termination. 

   This DPA shall remain in effect until (a) all Service Agreements have terminated and (b) all obligations that Vendor has under the Service Agreements and under Applicable Laws with respect to Personal Data, and all rights that Customer has under the Service Agreements and under Applicable Laws with respect to Personal Data, have terminated.  Notwithstanding termination of this DPA, any provisions hereof that by their nature are intended to survive, shall survive termination.

10. Miscellaneous.

    1. Any notice made pursuant to this DPA will be in writing and will be deemed delivered on (a) the date of delivery if delivered personally, (b) five (5) calendar days (or upon written confirmed receipt) after mailing if duly deposited in registered or certified mail or express commercial carrier, or (c) one (1) calendar day (or upon written confirmed receipt) after being sent by email, addressed to Customer at the address or email address on record with Vendor in Customer’s account information, or addressed to Vendor at the address or email address set forth below, or to such other address or email address as may be hereafter designated by either Party:

        

       Data Protection Officer, We Are Percent Limited t/a Goodstack, 7 Bell Yard, London, England, WC2A 2JR

       dpo@goodstack.io

    2. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the applicable Service Agreements, unless required otherwise by Applicable Laws.

    3. Neither Party may assign or transfer any part of this DPA without the written consent of the other Party; provided, however, that this DPA, collectively with all Service Agreements, may be assigned without the other Party’s written consent by either Party to a person or entity who acquires, by sale, merger or otherwise, all or substantially all of such assigning Party’s assets, stock or business.  Subject to the foregoing, this DPA shall bind and inure to the benefit of the Parties, their respective successors and permitted assigns.  Any attempted assignment in violation of this Section 12.3 shall be void and of no effect.

    4. This DPA is the Parties’ entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject; provided , however

       , that, notwithstanding the foregoing but subject to the last sentence of this Section 10.4, nothing in this DPA shall be deemed to supersede any of the Service Agreements. Vendor may modify the terms of this DPA if, as reasonably determined by Vendor, such modification is (i) reasonably necessary to comply with Applicable Laws or any other law, regulation, court order or guidance issued by a governmental regulator or agency; and (ii) does not: (a) result in a degradation of the overall security of the Services, (b) expand the scope of, or remove any restrictions on, Vendor’s processing of Personal Data, and (c) otherwise have a material adverse impact on Customer’s rights under this DPA. Any other amendments must be executed by both of the Parties and expressly state that they are amending this DPA.  Failure to enforce any provision of this DPA shall not constitute a waiver.  If any provision of this DPA is found unenforceable, it and any related provisions shall be interpreted to best accomplish the unenforceable provision’s essential purpose.  The headings contained in this DPA are for reference purposes only and shall not affect in any way the meaning or interpretation of this DPA.  In the event of a conflict between the terms and conditions of this DPA and the terms and conditions of any Service Agreement, the terms and conditions of this DPA shall govern.

SCHEDULE I 

Customer Data SCCs

1. Definitions

   1. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in this Schedule I.

   2. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available as of the DPA Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and completed as described in this Schedule I.

2. With respect to Customer Data transferred from the European Economic Area, the EU SCCs will apply and form part of this Schedule I, unless the European Commission issues updates to the EU SCCs, in which case the updated EU SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the EU SCCs. For purposes of the EU SCCs, they will be deemed completed as follows:

   1. Because Customer is a Controller and Vendor is a Processor of the Customer Data, Module 2 applies.

   2. Clause 7 (the optional docking clause) is not included.

   3. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body is inapplicable. 

   4. Under Clause 17 (Governing law), the Parties select Option 1 (the law of an EU Member State that allows for third-party beneficiary rights).  The Parties select the law of Ireland.

   5. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland.

   6. Annexes I, II and III of the EU SCCs are set forth in Exhibit A to this Schedule I.

   7. By entering into this DPA, the Parties are deemed to be signing the EU SCCs.

3. With respect to Customer Data transferred from the United Kingdom for which the law of the United Kingdom (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this Schedule I and take precedence over the rest of this Schedule I as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the UK SCCs. For purposes of the UK SCCs, they will be deemed completed as follows:

   1. Table 1 of the UK SCCs:

      1. The Parties’ details are the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Exhibit A.

      2. The Key Contacts are the contacts set forth in Exhibit A.

   2. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 are the EU SCCs as executed by the Parties pursuant to this Schedule I.

   3. Table 3 of the UK SCCs: Annex 1A, 1B, II and III are set forth in Exhibit A.

   4. Table 4 of the UK SCCs: Either party may terminate the Service Agreements as set forth in Section 19 of the UK SCCs.

   5. By entering into this DPA, the Parties are deemed to be signing the UK SCCs and their applicable Tables and Appendix Information

4. With respect to Customer Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the EU SCCs will apply and will be deemed to have the following differences to the extent required by the Swiss Federal Act on Data Protection (“FADP”):

   1. References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.

   2. The term “member state” in the EU SCCs will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.

   3. References to Personal Data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.

   4. Under Annex I(C) of the EU SCCs (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.

EXHIBIT A TO SCHEDULE 1

Annexes to Customer Data SCCs

ANNEX I

LIST OF PARTIES

Data exporter(s): 

Name: Entity identified as “Customer” in the DPA and Agreement.

Address: See the Agreement.

Contact person’s name, position and contact details: See the Agreement.

Activities relevant to the data transferred under these Clauses: To provide Customer with the Services (as defined in the DPA), namely, donation services.

Signature and date: See the Agreement.

Role (controller/processor): Controller.

Data importer(s): 

Name: We Are Percent Limited t/a Goodstack (“Vendor”)

Address:

We Are Percent Limited t/a Goodstack

7 Bell Yard, London, England, WC2A 2JR

Contact person’s name, position and contact details: Tom Shields, Data Protection Officer, dpo@goodstack.io.

Activities relevant to the data transferred under these Clauses: To provide Customer with the Services (as defined in the DPA), namely, donation services.

Role (controller/processor): Processor.

DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer employees, end users of Customer, representatives of Charities and other Applicants (both as defined in the Service Agreement) (collectively, “Users”).

Categories of personal data transferred

First name, last name, email address, mailing address.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuously, for the duration of the Services pursuant to the Agreement.

Nature of the processing

Vendor will process the Personal Data as necessary to provide the Services pursuant to the Service Agreements, and Customer will process the Personal Data as necessary to receive the Services.

Purpose(s) of the data transfer and further processing

For Vendor to provide the Services to Customer pursuant to the Service Agreements and for Customer to receive the Services pursuant to the Service Agreements. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As long as necessary to provide the Services pursuant to the Agreement. Charity and Applicant data will be retained until Customer requests deletion, unless the Service Agreements permit Vendor to retain such information for purposes other than as a Processor on behalf of Customer.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

To provide the Services pursuant to the Agreement.

COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The Supervisory Authority where the Data Exporter is located.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Vendor uses a combination of policies as per our ISMS which adheres to the ISO27001 standard and the following technical controls to safeguard at multiple levels:

• MDM – to control what is run on employees laptops

• Malware protection – to limit the damage of malware and continuously scan

• Password managers – to ensure strong, unique passwords are being used

• Least privileged access – to provide access on as needed basis, with regular reviews

• 2fa – to provide protection, should passwords be leaked

• WAF – firewall to block malicious requests and prevent DDoS

• VPC – Virtual Private Clouds with public and private subnets to limit what is accessible to machines internally and external from the internet

  • Route tables – to limit what is accessible between subnets 

  • Network ACL – to limit what can enter a subnet

• Security groups – to limit what ports and IPs are accessible on a host

• IDS – to alert to suspicious activity

• Encryption in transit – to prevent man in the middle attacks and ensure confidentiality across a network

• Encryption at rest – to limit the risk of direct access to storage

• Security scan – security scans are performed during build pipelines

• Security training – every employee has general security training which is renewed annually. Developers also have OWASP training.

All the above are reviewed for compliance at policy review sessions annually and scheduled audits confirm configurations are intact.

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

Please see: https://trust.goodstack.io/

SCHEDULE II

Vendor Data SCCs

1. Definitions

   1. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in this Schedule II.

   2. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available as of the DPA Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and completed as described in this Schedule II.

   3. Because Vendor and Customer are both Controllers, Module 1 applies.

   4. Clause 7 (the optional docking clause) is not included.

   5. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body is inapplicable. 

   6. Under Clause 17 (Governing law), the Parties select Option 1 (the law of an EU Member State that allows for third-party beneficiary rights).  The Parties select the law of Ireland.

   7. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland.

   8. Annexes I and II of the EU SCCs are set forth in Exhibit A to this Schedule II.

   9. By entering into this DPA, the Parties are deemed to be signing the EU SCCs.

2. With respect to Vendor Data transferred from the European Economic Area, the EU SCCs will apply and form part of this Schedule II, unless the European Commission issues updates to the EU SCCs, in which case the updated EU SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the EU SCCs. For purposes of the EU SCCs, they will be deemed completed as follows:

3. With respect to Vendor Data transferred from the United Kingdom for which the law of the United Kingdom (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this Schedule II and take precedence over the rest of this Schedule II as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the UK SCCs. For purposes of the UK SCCs, they will be deemed completed as follows:

   1. Table 1 of the UK SCCs:

      1. The Parties’ details are the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Exhibit A.

      2. The Key Contacts are the contacts set forth in Exhibit A.

   2. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 are the EU SCCs as executed by the Parties pursuant to this Schedule II. 

   3. Table 3 of the UK SCCs: Annex 1A, 1B, and II are set forth in Exhibit A.

   4. Table 4 of the UK SCCs: Either party may terminate the Service Agreements as set forth in Section 19 of the UK SCCs.

   5. By entering into this Schedule II, the Parties are deemed to be signing the UK SCCs and their applicable Tables and Appendix Information.

4. With respect to Vendor Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the EU SCCs will apply and will be deemed to have the following differences to the extent required by the Swiss Federal Act on Data Protection (“FADP”):

   1. References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.

   2. The term “member state” in the EU SCCs will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.

   3. References to Personal Data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.

   4. Under Annex I(C) of the EU SCCs (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.

EXHIBIT A TO SCHEDULE II

Annexes to Vendor Data SCCs

ANNEX I

LIST OF PARTIES

Data exporter(s): 

Name: We Are Percent Limited t/a Goodstack

Address: 7 Bell Yard, London, England, WC2A 2JR

Contact person’s name, position and contact details: 

Tom Shields, Data Protection Officer

We Are Percent Limited t/a Goodstack

7 Bell Yard, London, England, WC2A 2JR

dpo@goodstack.io

Activities relevant to the data transferred under these Clauses: To provide Customer with the Services (as defined in the DPA).

Role (controller/processor): Controller

Data importer: 

Name: As specified in the Service Agreements.

Address:  As specified in the Service Agreements.

Activities relevant to the data transferred under these Clauses: Receipt of Services (a defined in the DPA).

Role (controller/processor): Controller

DESCRIPTION OF TRANSFER 

Categories of data subjects whose personal data is transferred

Customer employees, end users of Customer, representatives of Charities and other Applicants (both as defined in the Service Agreement).

Categories of personal data transferred

First name, last name, email address, mailing address

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

     N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuously, for the duration of the Service Agreements.

Nature of the processing

Vendor will process the Personal Data as necessary to provide the Services pursuant to the Service Agreements, and Customer will process the Personal Data as necessary to receive the Services.

Purpose(s) of the data transfer and further processing

For Vendor to provide the Services to Customer pursuant to the Service Agreements and for Customer to receive the Services pursuant to the Service Agreements.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Vendor Data will be retained for the length of time necessary to provide and benefit from the Services under these Service Agreements, or as otherwise required by applicable law.

COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13.

The parties will follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. 

1. General Security Measures

   Customer will comply with industry-standard security measures (including with respect to personnel, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, and incident response measures necessary to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of personal data), as well as with all applicable data privacy and security laws, regulations and standards.  

2. Information Security Program

   Customer shall establish, implement, and maintain an information security program that includes technical and organizational security and physical measures as well as policies and procedures to protect Vendor Data against accidental loss; destruction or alteration; unauthorized disclosure or access; or unlawful destruction.

3. Human Resources Security

   Customer shall maintain a policy that defines requirements around enforcing security measures as they relate to employment status changes. This includes performing background checks, acknowledging and complying with Customer’s security policies, and utilizing onboarding and termination checklists for employees and third parties.

4. Data Classification & Protection

   Customer shall maintain policies and procedures for data classification and protection, along with requirements for the classification of data containing personal data in consideration of applicable laws, regulations, and contractual obligations. Customer shall also maintain requirements on data encryption and rules for transmission of data along with requirements on how access to these data should be governed.

5. Physical and Environmental Security

   Customer shall maintain policies and procedures for physical and environmental security and ensure that critical information services be protected from interception, interference, or damage

6. Access Control

   Customer shall maintain access control measures designed to limit access to Customer’s facilities, applications, systems, network devices, and operating systems to a limited number of personnel who have a business need for such access. Customer shall ensure such access is removed when no longer required and shall conduct access reviews periodically.