Data Processing Agreement

Version: 1.4. Effective from 17 March 2026
This Data Processing Agreement with its schedules (“DPA”) is incorporated into and forms part of the agreement (“Agreement”) between you as Contractor or Vendor (henceforth, “Vendor”) and Tools for Humanity Corporation, a Delaware based corporation (“Company”). In the event of a conflict between the Agreement and this DPA, the terms of the DPA will apply.

How this DPA Applies

Pursuant to the Agreement, Vendor may from time to time process Personal Data (as defined below) for which Company may be a “Data Controller” as defined by Applicable Data Protection Law (defined below), including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”). When processing such Personal Data, you may be a “Data Processor” as defined by Applicable Data Protection Law.
Because such processing may, from time to time, require the maintenance and implementation of appropriate technical and organizational safeguards, and because such processing may, from time to time, involve the transfer of Personal Data from the European Union to the United States, Company and Vendor agree to execute this DPA in order to ensure that adequate safeguards are established with respect to the protection of Personal Data.
The subject matter and duration of the processing are governed by the underlying Agreement. The rights and obligations of the controller are determined in this DPA in connection with the attached Standard Contractual Clauses and the Agreement.

Terms

1. Definitions.

All capitalized words not defined below will have the meaning set forth in the Agreement.
1.1 “Applicable Data Protection Law” means privacy and data protection laws, regulations, and decisions by a supervisory authority or other governmental entity applicable to Company or Vendor, respectively.
1.2 “Customer Personal Data” means all Personal Data that Vendor receives and processes on the basis of this DPA.
1.3 “DPA Effective Date” means the Effective Date of the Agreement.
1.4 “Personal Data” means all data which is (i) defined as ‘personal data’ or ‘sensitive data’ in the GDPR and (ii) provided by Company to Vendor and accessed, stored, or otherwise processed by Vendor pursuant to the Agreement.
1.5 “Processing”, “Data Controller,” “Data Subject,” “Supervisory Authority,” and “Data Processor” have the same meanings set forth in the GDPR.
1.6 “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
1.7 “Security Practices Summary” means summary documentation of Vendor’s security practices (including without limitation third-party security attestations and certifications, as applicable) that Vendor makes generally available to its customers, as updated by Vendor from time to time. A copy of the Security Practices Summary, current as of the DPA Effective Date, is incorporated into Appendix 2 of Schedule 1 of this DPA.
1.8 “Subprocessor” means third-party subcontractors that Vendor retains from time to time to provide services to Vendor necessary for Vendor to perform its obligations under the Agreement and that process personal data on behalf of Vendor.

2. Applicability.

This DPA applies regardless of when Vendor or Company fall under the GDPR’s scope or the UK GDPR’s scope of application.

3. Processing of Personal Data.

With respect to the processing of Personal Data, Vendor will:
3.1 process Personal Data only in accordance with Applicable Data Protection Law;
3.2 act only upon instructions from Company, including Company's instructions to correct, amend, delete or to stop processing Personal Data;
3.3 take all measures required to implement and maintain appropriate technical and organizational measures to ensure a level of security for Personal Data consistent with Applicable Data Protection Law, as described in the Security Practices Summary and updated from time to time; provided that Vendor will not materially degrade the level of security in effect as of the DPA Effective Date;
3.4 disclose Personal Data only to those of Vendor’s personnel who have a “need-to-know” in order to fulfill Vendor’s obligations under the Agreement and who are subject to written confidentiality agreements that obligate them to use and protect such Personal Data as required under the Agreement and this DPA, and for no other purpose;
3.5 promptly notify Company upon Vendor’s or its Subprocessors’ receipt of any request, dispute or claim directly from a Data Subject (including, without limitation, requests related to the exercise of that Data Subject’s rights under Applicable Data Privacy Law with respect to Personal Data), and refrain from responding to such request, dispute or claim unless Company has provided written consent to such response to Vendor;
3.6 notify Company without undue delay (and in no case later than the statutory maximum for notification under Applicable Data Protection Law) if Vendor or its Subprocessors reasonably suspect or have reason to know of any accidental or unlawful destruction or accidental loss, alteration, or unauthorized disclosure or access of Personal Data that presents a material risk to the rights of data subjects (a “Data Breach”) or of any processing of Personal Data in a manner inconsistent with the terms of the Agreement and this DPA, and to provide reasonable assistance to Vendor with respect to any Data Breach (including without limitation cooperating with Company with respect to notification of Supervisory Authorities and communicating to Data Subjects regarding a Data Breach);
3.7 provide reasonable assistance to Company where processing performed by Vendor is relevant to a data protection impact assessment being conducted by Vendor;
3.8 promptly notify Company upon Vendor’s or its Subprocessors’ receipt of any request for disclosure of Personal Data from a Supervisory Authority, government entity or court of law of a competent jurisdiction, or pursuant to a subpoena (unless otherwise prohibited by law);
3.9 promptly notify Company upon Vendor’s or its Subprocessors’ determination that it can no longer meet its obligation to provide the level of protection to Personal Data required under the Agreement and this DPA;
3.10 take reasonable and appropriate steps to stop and remediate unauthorized processing, upon notice by Company, in the event Company has determined that Vendor is no longer processing data in accordance with the Agreement and this DPA.

4. Standard Contractual Clauses.

As of the DPA Effective Date, and with respect to all Personal Data Processed by Vendor pursuant to the Agreement that is subject to the GDPR, Vendor will comply with the obligations of the “data importer” and the obligations of the “data exporter” in the Standard Contractual Clauses.
Pursuant to Clause 5(h) of the Standard Contractual Clauses:
4.1 Company acknowledges and agrees that Vendor may retain Subprocessors for the purposes of providing services under the Agreement and hereby provides general authorization of the use of Subprocessors as described herein. In addition, Company hereby provides general authorization of the use of those Subprocessors engaged by Vendor as of the DPA Effective Date.
4.2 Upon request from Company, Vendor will provide Company a list of its then-current Subprocessors (the “Subprocessor List”). Company will have 10 business days after receipt of the Subprocessor List to provide written notice to Vendor of any objections Company has with respect to one or more Subprocessors. Vendor will have a commercially reasonable time after the receipt of any such objection to either (i) provide clarification to Company regarding the Subprocessor’s processing activities, security profile, and compliance with Applicable Data Protection Law, and thereafter receive Company’s authorization to use such Subprocessor (such authorization not to be unreasonably withheld) or (ii) make reasonable changes to Vendor’s processing in order to accommodate the objection, and gain Company’s approval of such changes. If Vendor is unable to comply with (i) or (ii), Company may terminate any services provided by Vendor to Company that involve processing by Subprocessors to which Company has provided written objections.
4.3 Vendor agrees to ensure that all Subprocessors are bound by contractual data protection obligations at least as stringent as those in this Agreement and will hold each processor fully liable to the controller for Subprocessors’ performance of such data protection obligations.
Pursuant to Clause 5(j) of the Standard Contractual Clauses:
4.3.1 Company agrees that the copies of the Subprocessor agreements may be provided only upon reasonable request, and only once annually (unless requested by a Supervisory Authority).
4.3.2 Company agrees that such copies may be provided in summary form or, upon reasonable request from Company, in a form with all commercial information and clauses unrelated to data privacy and security redacted by Vendor.
4.4 Pursuant to Clauses 5(f), Clause 11, and Clause 12(2), an “audit” as described therein will be carried out as follows:
4.4.1 Upon written request by Company, and subject to the confidentiality obligations of the Agreement, Vendor will make available to Company the security information Vendor generally makes available to its auditors.
4.4.2 In the event an on-site review is required by a Supervisory Authority or is otherwise reasonably requested by Company, Company and Vendor will mutually agree on the scope, timing, and duration of such on-site review. On-site audits will be carried out at Company’s expense.
4.5 Pursuant to Clause 12(1) of the Standard Contractual Clauses, certification of deletion of Personal Data will be conducted only upon Company’s request.

5. CCPA clause

Vendor will not (i) sell Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the services for Company; (iii) retain, use, or disclose Personal Data for a commercial purpose other than providing the services for Company; or (iv) retain, use, or disclose Personal Data outside of the direct business relationship between Vendor and Company.

6. UK-GDPR

6.1 In relation to transfers of Data protected by the UK GDPR, the EU SCCs will apply to such transfers in accordance with Section 4 above with the following modifications:
6.1.1 The EU SCCs shall be deemed amended as specified by the UK Addendum, which shall be deemed executed between Company and the Vendor;
6.1.2 Any conflict between the terms of the EU SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum;
6.1.3 For the purposes of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in the Annexes of this DPA; and
6.1.4 Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.
6.2 It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses or the UK Addendum and, accordingly, if and to the extent any provision of the Agreement (including this DPA) conflicts with the Standard Contractual Clauses or UK Addendum, the latter shall prevail.

7. Miscellaneous.

7.1 This DPA shall remain in full force and effect until the earlier of:
7.1.1 the expiration or termination of the Agreement; or
7.1.2 the mutual agreement of the parties to terminate.
7.2 In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will apply.

Schedule I

A. List Of Parties

Data exporter(s):
Name: Tools for Humanity Corporation and Tools for Humanity GmbH
Address: As specified in the Agreement
Contact person’s name, position and contact details: As specified in the Agreement.
Activities relevant to the data transferred under the Standard Contractual Clauses: The data importer provides Services to the data exporter in accordance with the Agreement.
Signature and date: As of the effective date of the Agreement.
Role (controller/processor): Controller
Data importer(s):
Name: Vendor as specified in the Agreement.
Address: As specified in the Agreement.
Contact person’s name, position and contact details: As specified in the Agreement.
Activities relevant to the data transferred under the Standard Contractual Clauses: The data importer provides Services to the data exporter in accordance with the Agreement.
Signature and date: As of the effective date of this Agreement
Role (controller/processor): Processor

B. Description Of Transfer

Categories of data subjects whose personal data is transferred:
  • Users of the Exporter’s applications or services
  • Customers and prospective customers of the Exporter
  • Employees, contractors, or representatives of the Exporter
  • Business partners or vendors of the Exporter
Categories of personal data transferred (may include):
  • Identification and contact data (e.g., name, email address)
  • Professional information (e.g., job title, business contact details)
  • Usage, content and log data (e.g., interaction data, timestamps)
  • Technical data (e.g., IP address, device identifiers, browser or operating system information)
  • Approximate location data (e.g., location derived from IP address)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data is intended to be transferred
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Data will be transferred on a continuous basis until it is deleted in accordance with the terms of the Agreement.
Nature of the processing
The data importer will process Customer Personal Data to provide, secure and monitor the Services in accordance with the Agreement.
Purpose(s) of the data transfer and further processing
The data importer will transfer Customer Personal Data to provide, secure and monitor the Services in accordance with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the Agreement until deletion in accordance with the provisions of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As specified above.

C. Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13 of the Standard Contractual Clauses
The Bavarian Data Protection Supervisory Authority (BayLDA)

Schedule II

Technical And Organisational Measures Including Technical And Organisational Measures To Ensure The Security Of The Data

Vendor maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of personal information as well as the associated risks, are appropriate to (a) the type of information that Vendor will store as personal information; and (b) the need for security and confidentiality of such information. Vendor’s security program is designed to:
  • Protect the confidentiality, integrity, and availability of personal information in Vendor’s possession or control or to which Vendor has access;
  • Protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of personal information;
  • Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of personal information;
  • Protect against accidental loss or destruction of, or damage to, personal information; and
  • Safeguard information as set forth in any local, state or federal regulations by which Vendor may be regulated.
Without limiting the generality of the foregoing, Vendor’s security program includes:
  1. Security Awareness and Training. Mandatory employee security awareness and training programs, which include:
    1. Training on how to implement and comply with its information security program; and
    2. Promoting a culture of security awareness.
  2. Access Controls. Policies, procedures, and logical controls:
    1. To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
    2. To prevent those workforce members and others who should not have access from obtaining access; and
    3. To remove access in a timely basis in the event of a change in job responsibilities or job status.
  3. Physical and Environmental Security. Controls that provide reasonable assurance that access to physical servers at the data centers housing personal information is limited to properly authorized individuals and that environmental controls are established to detect, prevent and control destruction due to environmental extremes.
  4. Security Incident Procedures. A security incident response plan that includes procedures to be followed in the event of any security breach of any application or system directly associated with the accessing, processing, storage or transmission of personal information.
  5. Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage personal information or production systems that contain personal information.
  6. Audit Controls. Technical or procedural mechanisms put in place to promote efficient and effective operations, as well as compliance with policies.
  7. Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of personal information and to protect it from disclosure, improper alteration, or destruction.
  8. Storage and Transmission Security. Security measures to guard against unauthorized access to personal information that is being transmitted over a public electronic communications network or stored electronically.
  9. Secure Disposal. Policies and procedures regarding the secure disposal of tangible property containing personal information, taking into account available technology so that such data cannot be practicably read or reconstructed.
  10. Assigned Security Responsibility. Assigning responsibility for the development, implementation, and maintenance of its information security program, including:
    1. Designating a security official with overall responsibility; and
    2. Defining security roles and responsibilities for individuals with security responsibilities.
  11. Testing. Regularly testing the key controls, systems and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified.
  12. Monitoring. Network and systems monitoring, including error logs on servers, disks and security events for any potential problems. Such monitoring includes:
    1. Reviewing changes affecting systems handling authentication, authorization, and auditing;
    2. Reviewing privileged access to Vendor production systems processing personal information; and
    3. Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.
  13. Change and Configuration Management. Maintaining policies and procedures for managing changes Vendor makes to production systems, applications, and databases processing personal information. Such policies and procedures include:
    1. A process for documenting, testing and approving the patching and maintenance of the Vendor Service;
    2. A security patching process that requires patching systems in a timely manner based on a risk analysis; and
    3. A process for Vendor to utilize a third party to conduct web application level security assessments. These assessments generally include testing, where applicable, for:
      1. Cross-site request forgery
      2. Services scanning
      3. Improper input handling (e.g. cross-site scripting, SQL injection, XML injection, cross-site flashing)
      4. XML and SOAP attacks
      5. Weak session management
      6. Data validation flaws and data model constraint inconsistencies
      7. Insufficient authentication
      8. Insufficient authorization
  14. Program Adjustments. Vendor monitors, evaluates, and adjusts, as appropriate, the security program in light of:
    1. Any relevant changes in technology and any internal or external threats to Vendor or the personal information;
    2. Security and data privacy regulations applicable to Vendor; and
    3. Vendor's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to inform.

TFHDPA20260316