
Data Processing Addendum

Data Processing Addendum for organisations using Impactful Connect.

Effective Date: 19 March 2026

This Data Processing Addendum ("DPA") forms part of the Impactful Connect Terms of Service ("Connect Terms") between the Organisation ("Controller") and Enjoy Development Limited ("Processor", "Impactful", "we", "us", "our"), a company incorporated in England and Wales under company number 11274660, whose registered office is at Vicarage Court, 160 Ermin Street, Swindon, England, SN3 4NE.

This DPA sets out the terms on which the Processor processes Organisation Data on behalf of the Controller in connection with the Impactful Connect platform, in compliance with Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018").

1. Definitions

In this DPA, the following definitions apply:

  • "Controller" – the Organisation that determines the purposes and means of processing Organisation Data, as defined in the Connect Terms.
  • "Processor" – Enjoy Development Limited, trading as Impactful, which processes Organisation Data on behalf of the Controller.
  • "Organisation Data" – all personal data that the Controller uploads, submits, or otherwise makes available through the Impactful Connect platform, including but not limited to volunteer records, participant information, activity data, and any other personal data processed by the Processor on behalf of the Controller.
  • "Personal Data Breach" – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Organisation Data transmitted, stored, or otherwise processed, as defined in Article 4(12) of the UK GDPR.
  • "Sub-processor" – any third party engaged by the Processor to process Organisation Data on behalf of the Controller.
  • "Data Subject" – an identified or identifiable natural person to whom Organisation Data relates.
  • "UK GDPR" – the United Kingdom General Data Protection Regulation, as retained in domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
  • "DPA 2018" – the Data Protection Act 2018.
  • "IDTA" – the International Data Transfer Agreement issued by the Information Commissioner's Office under section 119A of the DPA 2018.
  • "UK Addendum" – the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner's Office under section 119A of the DPA 2018.

2. Scope and Application

2.1. This DPA applies to the processing of Organisation Data by the Processor on behalf of the Controller in connection with the Controller's use of the Impactful Connect platform, as described in the Connect Terms.

2.2. This DPA is incorporated into and forms part of the Connect Terms. In the event of any conflict between this DPA and the Connect Terms, the provisions of this DPA shall prevail with respect to matters of data processing.

2.3. This DPA does not apply to personal data for which Impactful acts as an independent controller, including data collected through the Impactful mobile app from individual users, website analytics data, and data collected through contact forms. The processing of such data is governed by the Impactful Connect Privacy Policy and the Impactful Privacy Policy.

3. Details of Processing

3.1. The details of the processing carried out by the Processor on behalf of the Controller are set out in Annex 1 to this DPA and include the subject matter, duration, nature, purpose, types of personal data, and categories of data subjects.

3.2. The Processor shall process Organisation Data only for the purposes described in Annex 1 and in accordance with the Controller's documented instructions, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless the law prohibits such information on important grounds of public interest).

4. Obligations of the Processor

4.1. Processing on Instructions

The Processor shall process Organisation Data only on documented instructions from the Controller, including with regard to transfers of Organisation Data to a third country, unless required to do so by applicable law. The Connect Terms, this DPA, and any written instructions provided by the Controller through the Platform constitute the Controller's documented instructions.

4.2. Instruction Infringement

The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the UK GDPR, the DPA 2018, or any other applicable data protection law.

4.3. Confidentiality

The Processor shall ensure that all persons authorised to process Organisation Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall ensure that access to Organisation Data is limited to those personnel who need access to fulfil the Processor's obligations under this DPA and the Connect Terms.

4.4. Security Measures

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the UK GDPR. The specific measures implemented by the Processor are set out in Annex 2 to this DPA. These measures include, as appropriate:

  • the pseudonymisation and encryption of Organisation Data;
  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore the availability and access to Organisation Data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

4.5. Data Subject Requests

The Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).

4.6. Assistance with Compliance

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with:

  • security of processing (Article 32);
  • notification of a Personal Data Breach to the supervisory authority (Article 33);
  • communication of a Personal Data Breach to Data Subjects (Article 34);
  • data protection impact assessments (Article 35);
  • prior consultation with the supervisory authority (Article 36).

4.7. Deletion and Return

On termination or expiry of the Connect Terms, the Processor shall, at the Controller's choice, delete or return all Organisation Data to the Controller and delete all existing copies, unless applicable law requires storage of the Organisation Data. The specific terms for deletion and return are set out in Section 11 of this DPA.

4.8. Demonstrating Compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as set out in Section 10 of this DPA.

5. Sub-processing

5.1. The Controller provides general written authorisation for the Processor to engage the Sub-processors listed in Annex 3 to this DPA. The current list of approved Sub-processors is set out in Annex 3.

5.2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors by providing at least 30 days' prior written notice (by email to the address associated with the Controller's account or through the Platform), thereby giving the Controller the opportunity to object to such changes.

5.3. If the Controller objects to a new or replacement Sub-processor on reasonable data protection grounds within 14 days of receiving notice, the Processor shall use reasonable efforts to make available to the Controller a change in the service or recommend a commercially reasonable alternative. If the Processor is unable to provide such an alternative, either party may terminate the affected portion of the Connect Terms with respect to the processing that requires the use of the objected-to Sub-processor.

5.4. Where the Processor engages a Sub-processor, it shall impose on that Sub-processor, by way of a written contract, the same data protection obligations as are set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the UK GDPR.

5.5. The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations under such contract. Where a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain liable to the Controller for the acts and omissions of the Sub-processor.

6. International Transfers

6.1. The Controller acknowledges that certain Sub-processors listed in Annex 3 are located outside the United Kingdom. The Processor shall not transfer Organisation Data to a country outside the United Kingdom unless appropriate safeguards are in place in accordance with Articles 46 to 49 of the UK GDPR.

6.2. For transfers of Organisation Data to Sub-processors in the United States, the Processor relies on one or more of the following transfer mechanisms:

  • the International Data Transfer Agreement ("IDTA") issued by the Information Commissioner's Office; and/or
  • the UK Addendum to the European Commission's Standard Contractual Clauses ("UK Addendum to EU SCCs").

6.3. The Processor shall ensure that each Sub-processor processing Organisation Data outside the United Kingdom is bound by appropriate safeguards and that the level of protection afforded to Organisation Data is not undermined by such transfers.

6.4. On request, the Processor shall provide the Controller with copies of the relevant transfer mechanism documentation, which may be redacted to remove commercially sensitive information not relevant to the data protection safeguards.

7. Data Subject Requests

7.1. The Processor shall promptly notify the Controller if it receives a request from a Data Subject in relation to Organisation Data, including requests for access, rectification, erasure, restriction, portability, or objection. The Processor shall not respond to any such request directly unless authorised to do so by the Controller or required by applicable law.

7.2. The Processor shall assist the Controller in responding to Data Subject requests by providing relevant information and taking such steps as are reasonably necessary to enable the Controller to fulfil its obligations under Chapter III of the UK GDPR.

7.3. If a Data Subject contacts the Processor directly regarding Organisation Data, the Processor shall redirect the Data Subject to the Controller without undue delay.

8. Personal Data Breach

8.1. The Processor shall notify the Controller without undue delay, and in any event within 24 hours of becoming aware of a Personal Data Breach affecting Organisation Data.

8.2. The notification shall include, to the extent available:

  • a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the Processor's point of contact from whom further information may be obtained;
  • a description of the likely consequences of the Personal Data Breach;
  • a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.3. Where it is not possible to provide all the information referred to in clause 8.2 at the same time, the Processor shall provide the information in phases without further undue delay.

8.4. The Processor shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of any Personal Data Breach.

9. Data Protection Impact Assessments

9.1. The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments ("DPIAs") and prior consultations with the Information Commissioner's Office or any other supervisory authority that are required under Articles 35 and 36 of the UK GDPR, taking into account the nature of the processing and the information available to the Processor.

9.2. Such assistance may include providing information about the Processor's processing activities, technical and organisational measures, and any other information reasonably required by the Controller to carry out the DPIA.

10. Audit Rights

10.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the UK GDPR.

10.2. The Controller (or a third-party auditor appointed by the Controller) may conduct audits and inspections of the Processor's data processing activities and facilities to verify compliance with this DPA, subject to the following conditions:

  • the Controller shall provide at least 30 days' prior written notice of any audit or inspection;
  • audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's business operations;
  • audits shall be limited to no more than once per calendar year, unless an additional audit is required by a supervisory authority or is reasonably necessary following a Personal Data Breach;
  • the Controller and any third-party auditor shall be bound by appropriate confidentiality obligations with respect to any information obtained during the audit;
  • the Controller shall bear the costs of any audit or inspection, unless the audit reveals a material breach of this DPA by the Processor.

10.3. The Processor may satisfy audit requests by providing the Controller with relevant certifications, audit reports, or summaries prepared by qualified independent third-party auditors, where available.

11. Return and Deletion

11.1. Upon termination or expiry of the Connect Terms, or upon the Controller's written request, the Processor shall, at the Controller's election:

  • return all Organisation Data to the Controller in a commonly used, machine-readable format; or
  • delete all Organisation Data, including all copies, from the Processor's systems and those of its Sub-processors.

11.2. The Processor shall complete the return or deletion of Organisation Data within 30 days of the date of termination, expiry, or receipt of the Controller's written request (whichever is later).

11.3. The Processor shall certify the deletion of Organisation Data in writing upon the Controller's request.

11.4. The Processor may retain Organisation Data to the extent required by applicable law, provided that the Processor shall ensure the confidentiality of such data and shall process it only for the purposes required by law. The Processor shall inform the Controller of any such retention requirement.

12. Liability

12.1. The Processor's liability under this DPA is subject to the limitations and exclusions of liability set out in the Connect Terms.

12.2. Nothing in this DPA shall limit or exclude either party's liability for fraud, death or personal injury caused by negligence, or any other liability that cannot be limited or excluded by applicable law.

13. Term

13.1. This DPA shall come into effect on the date the Controller accepts the Connect Terms and shall continue in force for as long as the Processor processes Organisation Data on behalf of the Controller.

13.2. The provisions of this DPA that by their nature should survive termination (including but not limited to Sections 8, 10, 11, and 12) shall survive the termination or expiry of this DPA and the Connect Terms.

14. General

14.1. This DPA shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.

14.2. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

14.3. This DPA may be amended only by the Processor providing at least 30 days' prior written notice to the Controller. Continued use of the Platform after such notice constitutes acceptance of the amended DPA.

14.4. Notices under this DPA shall be sent by email to legal@impactfulhub.com (for notices to the Processor) or to the email address associated with the Controller's account (for notices to the Controller).

Annex 1 – Details of Processing

Subject matter of processing: The provision of the Impactful Connect platform, enabling organisations to manage their profiles, publish volunteering opportunities and activities, track volunteer engagement, and access analytics.

Duration of processing: For the duration of the Connect Terms, plus any retention period required by applicable law or as set out in Section 11 of this DPA.

Nature of processing: Collection, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, and destruction of Organisation Data as necessary to provide the Platform services.

Purpose of processing: To enable the Controller to manage its presence on the Impactful platform, publish and manage volunteering opportunities and activities, track volunteer engagement and participation, generate analytics and reports, and communicate with volunteers and participants.

Types of personal data:

  • Names of Authorised Users and organisation contacts
  • Email addresses of Authorised Users and organisation contacts
  • Job titles and roles within the organisation
  • Organisation name, address, and contact details
  • Volunteer and participant names
  • Volunteer and participant engagement and activity records
  • Activity descriptions, locations, and schedules
  • Images and media uploaded by the Controller
  • Any other personal data included in content uploaded by the Controller

Categories of data subjects:

  • Authorised Users of the Controller's account
  • Employees, staff, and representatives of the Controller
  • Volunteers and participants who engage with the Controller's opportunities and activities through the Impactful platform

Annex 2 – Technical and Organisational Security Measures

The Processor implements the following technical and organisational measures to protect Organisation Data, in accordance with Article 32 of the UK GDPR:

Access Control

  • Row-Level Security (RLS) policies enforced at the database level to ensure strict data isolation between organisations
  • Authentication via Firebase Authentication with secure session management
  • Role-based access controls within the Platform
  • Principle of least privilege applied to all internal access to production systems

Encryption

  • All data in transit encrypted using TLS 1.2 or higher
  • All data at rest encrypted using AES-256 encryption
  • Database connections encrypted via SSL/TLS

Infrastructure Security

  • Hosting on Supabase (built on AWS infrastructure) with enterprise-grade physical and network security
  • Automated backups with point-in-time recovery
  • Rate limiting and DDoS protection
  • Regular security updates and patching of platform dependencies

Monitoring and Incident Response

  • Error tracking and performance monitoring via Sentry
  • Logging of access and processing activities for audit and incident investigation purposes
  • Defined incident response procedures for identifying, containing, and remediating security incidents

Organisational Measures

  • Confidentiality obligations imposed on all personnel with access to Organisation Data
  • Data protection awareness and training for personnel involved in the processing of Organisation Data
  • Regular review and assessment of the effectiveness of security measures
  • Documented procedures for the secure disposal and deletion of Organisation Data

Annex 3 – List of Approved Sub-processors

The following Sub-processors are approved by the Controller as at the effective date of this DPA:

| Sub-processor | Location | Purpose | Safeguards for International Transfers |
|---|---|---|---|
| Supabase Inc. | United States | Database hosting, storage, and Row-Level Security | IDTA and/or UK Addendum to EU SCCs |
| Firebase (Google LLC) | United States | Authentication for portal access | IDTA and/or UK Addendum to EU SCCs |
| Sentry (Functional Software Inc.) | United States | Error tracking and performance monitoring | IDTA and/or UK Addendum to EU SCCs |

This list may be updated by the Processor in accordance with Section 5 of this DPA. The Controller will be notified of any changes at least 30 days in advance.

Contact

For questions about this Data Processing Addendum, please contact us at legal@impactfulhub.com.

Enjoy Development Limited
Company number: 11274660
Vicarage Court, 160 Ermin Street, Swindon, England, SN3 4NE