Data Processing Addendum (DPA)
Instrumento.io — GDPR Article 28 Controller-Processor Agreement
Effective date: January 1, 2025 · Version 1.0.0
Template notice: This document is a template and must be reviewed by qualified legal counsel and a Data Protection Officer before execution. See .docs/legal/README.md
Parties
This Data Processing Addendum ("DPA") is entered into between:
Controller: The Customer identified in the Instrumento.io Terms of Service ("Customer" or "Controller").
Processor: Instrumento.io, a company operating the impact measurement platform at instrumento.io ("Instrumento" or "Processor").
This DPA supplements and is incorporated into the Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding data processing, this DPA controls.
1. Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1) |
| Processing | Any operation performed on Personal Data, as defined in GDPR Art. 4(2) |
| Data Subject | The natural person to whom Personal Data relates |
| Sub-processor | Any third party engaged by Processor to process Personal Data on Controller's behalf |
| GDPR | EU Regulation 2016/679 (General Data Protection Regulation) |
| SCCs | Standard Contractual Clauses adopted by the European Commission |
| Security Incident | Any confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data |
2. Subject Matter and Duration
The Processor processes Personal Data on behalf of the Controller for the purpose of providing the Instrumento.io impact measurement platform as described in the Terms of Service. Processing continues for the duration of the subscription and for 30 days thereafter, after which Personal Data is deleted unless a longer retention period is required by law.
3. Nature and Purpose of Processing
| Aspect | Details |
|---|---|
| Nature | Storage, retrieval, analysis, and display of program data; generation of reports and dashboards |
| Purpose | Enabling nonprofits to collect, measure, and report on social impact data |
| Types of Personal Data | Beneficiary names and identifiers, survey responses, attendance records, contact information, program participation data |
| Categories of Data Subjects | Program beneficiaries, organization staff, volunteers, survey respondents |
4. Obligations of the Processor
The Processor shall:
4.1 Instructions. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. The Processor shall inform the Controller if, in its opinion, an instruction infringes GDPR or other applicable data protection law.
4.2 Confidentiality. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Pseudonymization and encryption of Personal Data;
- Ongoing confidentiality, integrity, availability, and resilience of processing systems;
- Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- Regular testing and evaluation of the effectiveness of technical and organizational measures.
4.4 Sub-processors. Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller. The Processor maintains a list of authorized Sub-processors at instrumento.io/legal/subprocessors. The Controller provides general authorization for the Sub-processors listed therein. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving the Controller the opportunity to object.
4.5 Data Subject Rights. Assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of GDPR, taking into account the nature of the processing.
4.6 Security Assistance. Assist the Controller in ensuring compliance with the obligations pursuant to GDPR Arts. 32–36 (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and information available to the Processor.
4.7 Deletion or Return. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data.
4.8 Audit. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Art. 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor may require reasonable advance notice (at least 30 days) and may charge reasonable costs for audit assistance.
5. Sub-processors
The Controller grants general authorization to engage the Sub-processors listed at instrumento.io/legal/subprocessors. The Processor shall:
- Impose data protection obligations on each Sub-processor equivalent to those set out in this DPA;
- Remain fully liable to the Controller for the performance of the Sub-processor's obligations;
- Notify the Controller at least 30 days before adding or replacing a Sub-processor.
6. International Transfers
Where processing involves a transfer of Personal Data to a third country outside the EEA, the Processor shall ensure that such transfer is subject to appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914);
- UK International Data Transfer Agreements (IDTAs) for UK transfers;
- Adequacy decisions where applicable.
7. Security Incident Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Security Incident affecting Personal Data processed under this DPA. Notification shall include, to the extent known:
- Nature of the Security Incident;
- Categories and approximate number of Data Subjects affected;
- Categories and approximate number of Personal Data records affected;
- Likely consequences of the Security Incident;
- Measures taken or proposed to address the Security Incident.
8. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Where both parties are responsible for damage caused by processing in breach of GDPR, liability shall be apportioned according to each party's responsibility.
9. Governing Law
This DPA is governed by the laws specified in the Terms of Service, except that where GDPR applies, the DPA shall be interpreted in accordance with GDPR requirements.
10. Execution
This DPA is incorporated into and forms part of the Terms of Service. By accepting the Terms of Service, the Controller agrees to the terms of this DPA. No separate signature is required unless a custom DPA is requested in writing.
For custom DPA requests, contact: [email protected]
Annex I — Description of Processing
Subject matter: Impact measurement and reporting for nonprofit organizations.
Duration: As set out in Section 2.
Nature and purpose: As set out in Section 3.
Types of personal data: Beneficiary names, identifiers, contact information, survey responses, attendance records, program participation data, and any other data submitted by the Controller.
Categories of data subjects: Program beneficiaries, organization staff, volunteers, and survey respondents.
Annex II — Technical and Organizational Security Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all data in transit |
| Encryption at rest | AES-256 for data stored in databases and object storage |
| Access control | Role-based access control (RBAC); principle of least privilege |
| Authentication | Multi-factor authentication available; OAuth 2.0 |
| Audit logging | All data access and modifications logged with timestamp and actor |
| Vulnerability management | Regular dependency scanning; penetration testing |
| Incident response | Documented incident response plan; 72-hour breach notification |
| Data minimization | Collect only data necessary for the stated purpose |
| Pseudonymization | Available for beneficiary data upon request |
| Backup and recovery | Daily automated backups; tested recovery procedures |
| Employee training | Annual data protection training for all staff with data access |
| Vendor management | DPAs in place with all Sub-processors |