Data Processing Agreement
Last updated: 2026-03-08
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Controller"): The organization (association, nonprofit, or other entity) using the Cirko Platform ("Tenant").
- Data Processor ("Processor"): Cirko [to be completed — legal form], registered under number [to be completed], with registered office at [address to be completed].
This DPA forms an integral part of the Terms of Service and applies automatically when the Controller uses the Platform to process personal data of its volunteers, beneficiaries, donors, or managers.
2. Definitions
- Personal Data — Any information relating to an identified or identifiable natural person processed through the Platform on behalf of the Controller.
- Data Subjects — Volunteers, beneficiaries, donors, and managers whose data is processed.
- Sub-processor — A third-party entity engaged by the Processor to process Personal Data on behalf of the Controller.
- Data Breach — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- DSAR — Data Subject Access Request under applicable data protection law.
3. Scope & Categories of Data Processed
The Processor processes the following categories of Personal Data on behalf of the Controller:
3.1 Volunteer data
Name, email, phone, postal address, geographic coordinates (latitude/longitude), avatar, skills (self-declared and admin-assigned), availability schedule, mission history, count of completed missions, reliability score (0–5), notification preferences, push tokens, CGU acceptance records.
3.2 Beneficiary data
Name, email, phone, postal address, geographic coordinates (latitude/longitude), campaign assignments, delivery history, custom labels (defined by Controller), CGU acceptance records.
3.3 Donor data
First name, last name, company name and SIREN (corporate donors), email, phone, full postal address, donor type (personal/enterprise), donation amounts, installment schedule, payment status, Stripe customer ID, GDPR and marketing consent status, IP address, Turnstile score, CERFA receipt numbers and PDFs.
3.4 Manager data
Name, email, phone, role, notification preferences.
4. Purpose of Processing
Processing is carried out exclusively for the following purposes, as instructed by the Controller through use of the Platform:
- Campaign management (creation, scheduling, task generation)
- Volunteer matching and scoring (automated proposals based on proximity, equity, reliability, seniority)
- Task assignment and pipeline management
- Donation collection and installment management (via Controller's Stripe account)
- Tax receipt (CERFA) generation and storage
- Communication (email notifications via Resend, SMS via Twilio, push notifications via Expo)
- Reporting and analytics dashboards for the Controller
- AI-assisted campaign management (chat assistant, if enabled by Controller's plan)
- Data export upon Controller's request (CSV/JSON)
5. Processor Obligations
The Processor shall:
- Instructions — Process Personal Data only on documented instructions from the Controller. If the Processor believes an instruction infringes applicable data protection law, it will inform the Controller.
- Confidentiality — Ensure that all persons authorized to process Personal Data are bound by confidentiality obligations (contractual or statutory).
- Security — Implement appropriate technical and organizational measures (see Section 6).
- Sub-processors — Engage sub-processors only with prior authorization and subject to equivalent data protection obligations (see Section 7).
- Assistance with DSARs — Assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) within reasonable timeframes.
- Compliance assistance — Assist the Controller with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities as required under GDPR Articles 35–36.
- Data breach notification — Notify the Controller of any Data Breach without undue delay (see Section 8).
- Data return/deletion — At the end of the service, return or delete all Personal Data at the Controller's choice (see Section 9).
- Audit & compliance — Make available all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 10).
- Data minimization — Process only the minimum Personal Data necessary for each stated purpose. Transient processing (e.g., job queues via Redis/BullMQ) retains data only for the duration of the job execution.
6. Security Measures
The Processor implements the following technical and organizational measures:
- Encryption in transit (TLS 1.2+) and at rest
- AES-256-GCM encryption for sensitive fields (Controller's Stripe API keys)
- Multi-tenant data isolation via Row-Level Security (RLS) at the database level — each query is automatically filtered by tenant_id
- HTTP security headers (Helmet.js: Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options)
- Bot protection on public forms (Cloudflare Turnstile)
- Rate limiting on all public endpoints
- Input validation and sanitization on all API endpoints
- Role-based access control (RBAC) with tenant isolation middleware
- Magic link authentication (no passwords stored)
- CORS policy restricting origins to authorized domains
- Error monitoring with data minimization (Sentry — PII scrubbing enabled)
- Secure file storage (Supabase Storage with tenant-scoped paths)
7. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors. The Processor ensures each sub-processor is bound by data protection obligations no less protective than those in this DPA.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | All Platform data | EU/US |
| Stripe Inc. | Donation payment processing | Donor name, email, payment data | US |
| Resend Inc. | Email delivery | Recipient email, name, content | US |
| Twilio Inc. | SMS delivery | Phone number, SMS content | US |
| Cloudflare Inc. | CDN, bot protection (Turnstile) | IP address, request metadata | Global |
| Functional Software (Sentry) | Error monitoring | Error logs, stack traces (PII scrubbed) | US |
| Vercel Inc. | Application hosting | Request data, server logs | US |
| Anthropic PBC | AI chat assistant (Claude API) | Chat messages, Tenant context | US |
| Redis (via hosting provider) | Job queues (BullMQ) | Task IDs, job payloads (transient) | US/EU |
Note regarding Stripe: Donation payments are processed via the Controller's own Stripe account. Cirko facilitates the connection but does not act as payment intermediary. Stripe's processing of donor payment data is governed by the Controller's agreement with Stripe.
The Processor will inform the Controller of any intended addition or replacement of sub-processors at least 30 days in advance, giving the Controller the opportunity to object. If the Controller objects on reasonable data protection grounds and no resolution is found, the Controller may terminate the affected service.
8. Data Breach Notification
The Processor will notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Data Breach affecting the Controller's Personal Data. The notification will include:
- Nature of the breach and categories/types of data affected
- Approximate number of Data Subjects affected
- Description of likely consequences
- Measures taken or proposed to mitigate the breach
- Contact point for further information
The Processor will cooperate with the Controller in investigating the breach and fulfilling notification obligations to supervisory authorities and Data Subjects.
9. Data Return & Deletion
Upon termination or expiry of the service (Subscription), the Processor will:
- Provide a complete data export in structured, machine-readable formats (JSON and/or CSV) upon the Controller's request, at no additional charge
- Delete all Controller Personal Data within 30 days of termination, unless retention is required by applicable law (e.g., tax records: 10 years)
- Provide written confirmation of deletion upon request
- Ensure that sub-processors also delete or return the Controller's data within the same timeframe
Data subject to legal retention obligations will be archived securely with restricted access and deleted at the end of the applicable retention period.
10. Audit Rights
The Controller has the right to verify the Processor's compliance with this DPA. The Processor will:
- Make available all information necessary to demonstrate compliance with obligations under this DPA and applicable data protection law
- Allow and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller, upon reasonable notice (at least 30 days)
- Provide audit reports, certifications, or summaries of independent assessments upon request
Audits shall be conducted during normal business hours, with reasonable scope, and shall not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of any audit unless the audit reveals a material breach by the Processor.
11. Automated Processing & Scoring
The Platform performs automated volunteer matching and scoring on behalf of the Controller. This processing involves:
- Calculating match scores based on geographic proximity (using lat/lng coordinates), equity, reliability, and seniority
- Generating ranked proposals for task assignments
- Maintaining reliability scores based on mission completion/cancellation history
This automated processing produces proposals only — final assignment decisions require human review by a Controller manager or admin. The Controller is responsible for informing Data Subjects about profiling and ensuring a legal basis under GDPR Article 22. The scoring weights are fully configurable by the Controller.
12. International Transfers
Where Personal Data is transferred to sub-processors located outside the EEA, the Processor ensures appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-US Data Privacy Framework (where applicable)
- Adequacy decisions (e.g., Israel — Commission Decision 2011/61/EU)
The Processor will provide copies of relevant transfer safeguards upon the Controller's request.
13. Controller Obligations
The Controller warrants that:
- It has a lawful basis for processing the Personal Data of its volunteers, beneficiaries, and donors
- It has provided appropriate privacy notices to its Data Subjects
- It has obtained necessary consents where required (e.g., CERFA fiscal consent, marketing consent)
- Its instructions to the Processor comply with applicable data protection law
- It will promptly inform the Processor of any Data Subject request that requires the Processor's assistance
14. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law that cannot be limited under applicable law.
15. Term & Termination
This DPA takes effect when the Controller begins using the Platform and remains in force for the duration of the Controller's Subscription. It terminates automatically when the Processor no longer processes Personal Data on behalf of the Controller, subject to the data return/deletion obligations in Section 9.
16. Governing Law
This DPA is governed by the same law that governs the Terms of Service. Disputes shall be resolved in accordance with the dispute resolution mechanism set out therein.
17. Contact
Data Protection Officer: legal@cirko.app
Legal inquiries: legal@cirko.app