This Data Processing Agreement ("DPA") forms part of the agreement between Impacturi (the "Processor", "we", "us") operated by Clickonic Ltd, and the organisation subscribing to the Impacturi platform (the "Controller", "you", "your organisation").
This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Impacturi platform.
"Processing" has the meaning given in the UK GDPR.
"Data Subject" means the individual to whom the Personal Data relates.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and purpose of processing
The Processor processes Personal Data solely to provide the Impacturi platform services, specifically:
- Storing and displaying donor records (names, organisations, contact details, donation amounts and history)
- Generating impact pages and reports using donor and donation data
- Providing CRM integration services (importing donor data from external systems)
- Recording page view analytics (anonymised where possible)
- Sending platform notifications to subscribed users
3. Categories of data subjects and personal data
Data subjects:
- Charity staff and administrators (platform users)
- Corporate donor contacts
- Individual donors (where charity uploads individual donor data)
Categories of personal data:
- Names and job titles
- Email addresses and phone numbers
- Organisation names and addresses
- Donation amounts, types, and dates
- Testimonials and quotes (where provided by the Controller)
- CRM identifiers and external system references
No special category data (as defined in Article 9 of the UK GDPR) is processed.
4. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that all persons authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 7)
- Not engage a sub-processor without the prior written authorisation of the Controller (see Section 6)
- Assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection)
- Assist the Controller in meeting its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, impact assessments, prior consultation)
- At the choice of the Controller, delete or return all Personal Data on termination of the service, and delete existing copies unless required by law to retain them
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
5. Obligations of the Controller
The Controller shall:
- Ensure it has a lawful basis for processing the Personal Data it uploads to the platform
- Ensure Data Subjects have been informed about the processing in accordance with Articles 13 and 14 of the UK GDPR
- Ensure the accuracy of Personal Data provided to the Processor
- Notify the Processor promptly of any Data Subject rights requests received directly
6. Sub-processors
The Controller provides general written authorisation for the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, file storage | EU region |
| Vercel Inc. | Application hosting and content delivery | Global (edge network) |
| Stripe Inc. | Subscription payment processing | US / EU |
| OpenAI Inc. | AI writing assistant (impact story generation) | US |
The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. If the Controller reasonably objects, the Processor will work with the Controller to find an alternative solution.
7. Technical and organisational security measures
The Processor implements the following measures:
- Encryption at rest: All database records are encrypted using AES-256 via the hosting provider (Supabase)
- Encryption in transit: All connections use TLS 1.2 or higher
- Access control: Row-level security (RLS) enforced at the database layer. Each charity can only access its own data. No cross-tenant data access is possible
- Authentication: User authentication via Supabase Auth with secure password hashing (bcrypt)
- Staff access: Platform administrators do not have routine access to customer data. Access is only granted in exceptional circumstances with the Controller's knowledge
- Backups: Automated database backups managed by the hosting provider
- Monitoring: Application error logging and uptime monitoring
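The row-level security measure above is the control that gives effect to the per-charity isolation described in this Section. The following is an added illustrative example of how such a policy is expressed in PostgreSQL as used by Supabase; it is not Impacturi's actual schema or policy text. The table and column names are hypothetical, and it assumes Supabase's built-in auth.uid() function and the "authenticated" database role.

```sql
-- Hypothetical tables for illustration only; not the Impacturi schema.
-- Each donor record belongs to exactly one charity (the tenant).
create table donors (
  id          bigint generated always as identity primary key,
  charity_id  uuid not null,
  name        text not null,
  email       text,
  amount_gbp  numeric(12, 2)
);

-- Maps a platform user (auth.uid()) to the charity they belong to.
create table charity_members (
  user_id    uuid not null,
  charity_id uuid not null,
  primary key (user_id, charity_id)
);

-- Only application roles may touch the table at all; anonymous visitors get nothing.
revoke all on donors from anon;
grant select, insert, update, delete on donors to authenticated;

-- Enable RLS. "force" also applies the policy to the table owner, so a
-- privileged connection does not silently bypass tenant isolation.
alter table donors enable row level security;
alter table donors force row level security;

-- The policy: a row is visible (using) and writable (with check) only when
-- its charity_id is one the current user is a member of. Without the
-- "with check" clause a user could insert rows tagged with another tenant's id.
create policy donors_tenant_isolation on donors
  for all
  to authenticated
  using (
    charity_id in (select charity_id
                   from charity_members
                   where user_id = auth.uid())
  )
  with check (
    charity_id in (select charity_id
                   from charity_members
                   where user_id = auth.uid())
  );

-- Verification inside a single SQL session (assumes auth.uid() reads the
-- "sub" claim from request.jwt.claims, as Supabase's implementation does).
-- Constructed UUIDs: user A belongs to charity 1; user B belongs to charity 2.
insert into charity_members values
  ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-0000-0000-0000-000000000001'),
  ('bbbbbbbb-0000-0000-0000-000000000002', '22222222-0000-0000-0000-000000000002');
insert into donors (charity_id, name, amount_gbp) values
  ('11111111-0000-0000-0000-000000000001', 'Donor of charity 1', 500.00),
  ('22222222-0000-0000-0000-000000000002', 'Donor of charity 2', 250.00);

begin;
  set local role authenticated;
  set local request.jwt.claims = '{"sub":"aaaaaaaa-0000-0000-0000-000000000001"}';
  select count(*) from donors;  -- expected: 1 (only charity 1's record)
  -- Attempting to write a row for the other tenant is rejected by "with check".
  -- insert into donors (charity_id, name) values ('22222222-0000-0000-0000-000000000002', 'x');
rollback;
```

Two points a reviewer would check against such a policy: that "force row level security" is set, since RLS alone is skipped for the table owner and superusers; and that the same membership check appears in both the using and with check clauses, so that reads and writes are constrained symmetrically.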
8. Personal data breach notification
The Processor will notify the Controller without undue delay (and in any case within 72 hours) after becoming aware of a Personal Data breach. The notification will include:
- The nature of the breach, including where possible the categories and approximate number of Data Subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
- The name and contact details of the Processor's point of contact
9. Data subject rights
The Processor will assist the Controller in fulfilling its obligation to respond to Data Subject requests. Where a Data Subject contacts the Processor directly, the Processor will redirect the request to the Controller without undue delay.
The Controller can fulfil most Data Subject rights directly through the platform (viewing, editing, and deleting donor records). For data portability requests, the platform provides CSV export functionality.
10. International data transfers
Where Personal Data is transferred outside the UK (for example, to sub-processors located in the United States), such transfers are protected by appropriate safeguards including:
- UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses with the UK Addendum, as maintained by the relevant sub-processor
- The sub-processor's own data protection certifications and policies
11. Duration and termination
This DPA remains in effect for the duration of the Controller's subscription to the Impacturi platform. On termination:
- The Controller may request an export of all of its data via CSV before account closure
- The Processor will delete all Personal Data within 30 days of account termination, unless required by law to retain it
- The Processor will confirm deletion in writing on request
12. Audit rights
The Controller has the right to audit the Processor's compliance with this DPA. The Processor will cooperate with reasonable audit requests, subject to reasonable notice and confidentiality obligations. Audits will be conducted during normal business hours and will not unreasonably disrupt the Processor's operations.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement between the parties.
14. Contact
For any questions about this DPA or to request a signed copy, contact:
Dermot Dennehy
Clickonic Ltd
dermot@clickonic.co