Version 1.0
Data processing addendum
Draft for legal review. Not yet in effect.
This addendum is part of the terms of service. It governs how SOBO Consulting LLC processes personal information contained in your Customer Data. Each section opens with a plain-language summary in a quote block; if a summary and the section below it conflict, the section governs.
1. What this is, and the roles
Your nonprofit decides why donor and participant data is collected and what happens to it. We just run the software. In legal terms, you're the controller (or "business"), we're the processor (or "service provider").
This DPA applies to personal information that you or your users submit to BloomOS as Customer Data ("Personal Information"). For that data, Customer is the controller (under the CCPA, the "business") and SOBO is the processor (the "service provider"). SOBO's handling of account, billing, and site data it controls is covered by the privacy policy, not this DPA.
2. What we process
The kinds of data, the kinds of people, and how long: spelled out here instead of hidden in an annex.
Subject matter and duration. Hosting and processing of Customer Data to provide the Service, for the term of the agreement plus the deletion window in section 10.
Nature and purpose. Storage, organization, retrieval, display, transmission, export, and, where you invoke them, the AI-assisted features described at how BloomOS uses AI. Nothing else.
Categories of individuals. Your donors and prospects; grant and foundation contacts; your staff, board members, and volunteers; program participants and their guardians, which may include minors for youth-serving organizations.
Categories of data. Names and contact details; giving history and pledge records; relationship notes and interactions; employment and affiliation details; for program participants, enrollment and attendance records; and any other personal information you choose to store. BloomOS is not designed for and you agree not to store: government identification numbers, full payment card numbers, or protected health information as defined by HIPAA.
3. Our instructions are yours
We touch your data only to run BloomOS for you. If the law ever forces us to do something else, we tell you first unless we legally can't.
We'll process Personal Information only on your documented instructions, which are: the agreement, this DPA, your and your users' use of the Service's features, and any further written instructions you give that are consistent with the agreement. If we believe an instruction violates applicable law, we'll tell you and may pause that instruction. If law requires us to process otherwise, we'll inform you before doing so unless the law prohibits it.
4. Confidentiality of personnel
The people who can touch your data are bound to keep it confidential. Today that's one named person, and we've told you who.
We ensure that every person we authorize to process Personal Information is bound by confidentiality obligations. Who has production access, and under what circumstances it's used, is published in the security overview, which we keep current.
5. Security
The technical measures aren't buried in an annex you'll never read. They're published, in plain English, at a page we have to keep true.
We implement and maintain appropriate technical and organizational measures to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Those measures are described in the security overview, which constitutes Annex II to this DPA. We may update the measures over time, provided the changes don't materially reduce the overall protection of Personal Information during a subscription term.
6. Subprocessors
The list is public and complete. New ones come with 30 days' notice. If you object for a real data protection reason and we can't resolve it, you can leave with a refund.
You authorize the subprocessors listed at subprocessors, which constitutes Annex III to this DPA and is the current, complete list. We'll update that page and email your primary contact at least 30 days before any new subprocessor processes Personal Information. If you have a reasonable objection on data protection grounds, notify us within the 30 days and we'll work with you to resolve it; if we can't, you may terminate the affected services and receive a prorated refund of prepaid, unused fees. We remain responsible for our subprocessors' performance and impose data protection obligations on them no less protective than this DPA.
7. Individuals' requests
If a donor or participant exercises a privacy right, the request is yours to answer. The product gives you the tools; if you get stuck, we help within 5 business days.
Taking into account the nature of the processing, we'll assist you in responding to requests from individuals exercising rights under applicable privacy law (access, deletion, correction, portability). The Service's export, search, and deletion functions are the primary means of assistance. If we receive such a request directly, we'll redirect the individual to you and won't respond substantively except to do that. If you need help executing a request and can't do it through the product, we'll assist within 5 business days per your data.
8. Breach notification
If your data is involved in a security incident, you hear from us within 72 hours, with specifics, and we don't make you do the diagnosis.
We'll notify you without undue delay and in any case within 72 hours of becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Personal Information. The notice will describe the nature of the breach, the categories and approximate volume of data and individuals concerned, the likely consequences, the measures taken or proposed, and a contact point. We'll provide timely updates as we learn more and reasonable cooperation with your own notification obligations. Notification isn't an admission of fault.
9. Deletion and return
When you leave: 30 days to export, then deletion, backups gone within 7 more days. Same schedule we publish. On request, we certify it in writing.
Upon termination, we'll delete Personal Information per the published schedule at your data: 30 days of read-only access and export, then permanent deletion from production, with encrypted backups rolling off within 7 further days. Earlier deletion is available on written request. We'll provide written certification of deletion on request. We may retain information where required by law, and only for as long as required, under continued protection of this DPA.
10. Audits and information
We're one person, so we can't host your auditors for a week. What you get instead: published documentation, honest answers to questionnaires, and the audit trail in the product.
We'll make available the information reasonably necessary to demonstrate compliance with this DPA: the published security overview and subprocessors pages, written responses to your reasonable security questionnaires (no more than once per year, within 15 business days), and the Service's own audit log for activity within your account. Given SOBO's size, we don't accommodate on-site audits; if applicable law requires an audit right beyond the above, it will be exercised through a mutually agreed third-party summary report at your expense, no more than once per year, with 30 days' notice, and without access to other customers' data.
11. California: service provider terms
The specific promises the CCPA wants in writing: we don't sell your data, we don't share it for advertising, and we don't use it outside this contract.
To the extent the California Consumer Privacy Act, as amended, applies: SOBO is a service provider; we won't sell or share Personal Information; we won't retain, use, or disclose it for any purpose other than performing under the agreement or as the CCPA permits; we won't combine it with personal information we receive from other sources except as the CCPA permits; and we'll notify you if we determine we can no longer meet these obligations, in which case you may direct us to stop and remediate any unauthorized use. We certify that we understand these restrictions and will comply with them.
12. If GDPR applies
Most of our customers are US nonprofits. If yours has European data subjects, tell us and we'll put the EU's standard clauses in place.
The parties don't anticipate processing subject to the GDPR or UK GDPR. If you determine that such processing will occur, notify us; the parties will execute the European Commission's Standard Contractual Clauses (Module Two, controller to processor) or the UK addendum as applicable, which will be incorporated into this DPA, with the annexes populated from sections 2, 5, and 6.
13. Order of precedence and liability
This DPA wins over the terms on data protection questions. It doesn't create a separate pot of liability; the cap in the terms is the cap.
On the subject of processing Personal Information, this DPA controls over the terms of service. This DPA doesn't limit or expand the liability provisions of the terms; liability under this DPA is subject to section 15 of the terms of service, including its carve-outs.
Questions about this DPA: privacy@bloomos.org.