Data Processing Agreement
Last Modified 28 April 2026 · ChipIn LLC · 221 Main St Ste N, Nashua, NH 03060 · legal@chipinpro.com
This Data Processing Agreement ("DPA") is between ChipIn LLC, a New Hampshire limited liability company ("ChipIn," "we," "us," or "our"), and the organization or individual who has accepted the ChipIn Terms of Service (collectively, the "Customer" or "you"). This DPA is incorporated into and forms part of the ChipIn Terms of Service ("Terms"). In the event of any conflict between this DPA and the Terms, this DPA prevails with respect to the processing of personal data.
This DPA sets out the obligations and rights of the parties under applicable Data Protection Laws in connection with ChipIn's processing of End User personal data on behalf of the Customer.
1. Definitions
Terms not defined in this DPA have the meanings given to them in the Terms. The following definitions apply in this DPA:
"Data Controller" means the entity that determines the purposes and means of processing Personal Data. In the context of this DPA, the Customer is the Data Controller for End User Personal Data.
"Data Processor" means the entity that processes Personal Data on behalf of the Data Controller. In the context of this DPA, ChipIn is the Data Processor.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data and privacy, including without limitation: the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"); the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"); and any other applicable national, state, or local data protection laws, in each case as amended or replaced from time to time.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA, including End Users.
"Data Subject Request" means a request from a Data Subject to exercise their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.
"End Users" means the individuals who interact with your events through the Platform, including, but not limited to, participants, donors, sponsors, bidders, and other attendees.
"End User Personal Data" means Personal Data submitted by or collected from End Users through Customer-hosted event microsites on the Platform, as further described in Annex 1.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data transmitted, stored, or otherwise processed.
"Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
"SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries adopted by the European Commission under GDPR, currently set out in Commission Implementing Decision (EU) 2021/914.
"Subprocessor" means any third-party processor engaged by ChipIn to process End User Personal Data in connection with providing the Platform.
2. Roles of the Parties
2.1 Customer as Data Controller.
The Customer is the Data Controller for End User Personal Data. The Customer determines what data is collected from End Users, for what purposes, and under what legal basis. The Customer is responsible for compliance with all Data Protection Laws applicable to its collection and use of End User Personal Data, including providing End Users with required privacy notices and obtaining any necessary consents.
2.2 ChipIn as Data Processor.
ChipIn is the Data Processor. ChipIn processes End User Personal Data only on behalf of the Customer and only in accordance with the Customer's documented instructions, as set out in this DPA and the Terms, or as otherwise required by applicable law.
2.3 Independent processing.
Where ChipIn processes personal data for its own purposes as a Data Controller — for example, account data relating to Customer administrators — that processing is governed by ChipIn's Privacy Policy and not by this DPA.
3. Customer Obligations
3.1 Lawful processing.
The Customer represents and warrants that all End User Personal Data provided to ChipIn for processing has been collected lawfully and in compliance with applicable Data Protection Laws, and that ChipIn is authorized to process it in accordance with this DPA. This includes ensuring that a valid lawful basis exists for all processing carried out under Customer's instructions.
3.2 Accuracy and notice.
The Customer is responsible for ensuring that End User Personal Data is accurate and that End Users have been provided with appropriate notice about how their data will be processed, including any processing carried out by ChipIn as Data Processor.
3.3 Instructions.
The Customer's primary instructions to ChipIn are set out in this DPA and the Terms. The Customer may issue additional written instructions where required; ChipIn will follow such instructions to the extent they are lawful and operationally practicable. If ChipIn believes any instruction would violate applicable Data Protection Laws, it will notify the Customer promptly.
4. ChipIn Obligations as Data Processor
4.1 Process only on instructions.
ChipIn will process End User Personal Data only on the documented instructions of the Customer and only for the purposes described in Annex 1, except where required to do so by applicable law. Where law requires processing beyond Customer's instructions, ChipIn will inform the Customer of that requirement before processing, unless prohibited from doing so by law.
4.2 Confidentiality.
ChipIn will ensure that all personnel authorized to process End User Personal Data are subject to appropriate confidentiality obligations, whether by contract or statutory duty.
4.3 Security.
ChipIn has implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process.
4.4 Assistance with Data Subject Requests.
Taking into account the nature of the processing, ChipIn will provide the Customer with reasonable technical assistance to fulfill the Customer's obligations to respond to Data Subject Requests. The Customer is solely responsible for determining the validity and scope of any Data Subject Request and for responding to Data Subjects. If ChipIn receives a Data Subject Request directly from an End User, ChipIn will inform the End User that their request must be directed to the Customer, and will notify the Customer promptly.
4.5 Assistance with compliance obligations.
ChipIn will provide the Customer with reasonable assistance in meeting the Customer's obligations under applicable Data Protection Laws with respect to: security of processing; notification of Personal Data Breaches; data protection impact assessments; and prior consultation with supervisory authorities. Such assistance is limited to information about ChipIn's own data processing activities and technical measures that is within ChipIn's possession, and does not require ChipIn to incur material cost, engage third-party professionals, or provide advice beyond what is reasonably within the scope of a data processor.
4.6 No sale of End User data.
ChipIn will not sell, rent, or otherwise disclose End User Personal Data to any third party for that party's own commercial purposes.
4.7 Notification of unlawful instructions.
If ChipIn becomes aware that a Customer instruction would violate applicable Data Protection Laws, ChipIn will notify the Customer in writing without undue delay. ChipIn is not required to follow an instruction that would constitute a violation of applicable law.
5. Subprocessors
5.1 General authorization.
The Customer grants ChipIn general authorization to engage Subprocessors to assist in providing the Platform. ChipIn's current Subprocessors are listed at chipinpro.com/legal/subprocessors.
5.2 Notice of changes.
ChipIn will update the Subprocessors page at chipinpro.com/legal/subprocessors when adding or replacing Subprocessors. The Customer's continued use of the Platform after any Subprocessor change constitutes their acceptance of such change. If the Customer has a reasonable data protection objection to a new Subprocessor and notifies ChipIn in writing within 14 days of the update, the Customer's sole remedy is to terminate the Terms on written notice. ChipIn has no obligation to accommodate objections or alter its infrastructure decisions, and will have no liability arising from such termination.
5.3 Subprocessor obligations.
ChipIn will impose data protection obligations on each Subprocessor substantially equivalent to those in this DPA. To the extent required by applicable Data Protection Laws, ChipIn remains responsible to the Customer for Subprocessor compliance with those obligations.
6. Personal Data Breaches
6.1 Notification to Customer.
ChipIn will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting End User Personal Data. The notification will include, to the extent known at the time:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records involved;
- The name and contact details of ChipIn's data protection contact;
- The likely consequences of the Personal Data Breach; and
- The measures taken or proposed to address the breach and mitigate its effects.
Where complete information is not available at the time of initial notification, ChipIn will provide further information in phases as it becomes available.
6.2 Customer's notification obligations.
The Customer is solely responsible for determining whether and when to notify supervisory authorities and Data Subjects of a Personal Data Breach, and for meeting all applicable notification deadlines under applicable Data Protection Laws. ChipIn is not responsible for the Customer's compliance with supervisory authority notification requirements.
6.3 Remediation.
ChipIn will take reasonable steps to contain, investigate, and remediate any Personal Data Breach affecting End User Personal Data and will keep the Customer informed of material developments.
6.4 Records.
ChipIn will maintain a record of Personal Data Breaches involving End User Personal Data and the measures taken in response. The Customer may request access to this record upon written request.
7. International Data Transfers
7.1 Transfers from the EEA or UK.
To the extent that ChipIn processes End User Personal Data originating from the European Economic Area or the United Kingdom, and transfers that data to a country not recognized as providing an adequate level of protection under applicable Data Protection Laws, ChipIn will ensure that such transfers are made pursuant to an appropriate safeguard under Chapter V of the GDPR or equivalent provisions of UK GDPR.
7.2 Standard Contractual Clauses.
For transfers of EEA Personal Data, the parties agree that the SCCs (Module Two: Controller to Processor, or Module Three: Processor to Processor, as applicable) are hereby incorporated into this DPA by reference. In the event of any conflict between the SCCs and this DPA, the SCCs will prevail to the extent of the conflict with respect to EEA transfers. The parties agree to the following completion of the SCCs:
- Clause 7 (Docking clause): not applicable
- Clause 9 (Use of subprocessors): Option 2 (general written authorization) applies, with a 30-day notice period for changes
- Clause 11 (Redress): the optional language is not included
- Clause 17 (Governing law): the law of Ireland applies to the SCCs
- Clause 18 (Choice of forum): the courts of Ireland have jurisdiction under the SCCs
7.3 Transfers to Subprocessors.
ChipIn will ensure that any transfer of End User Personal Data to a Subprocessor located in a country without adequate data protection laws is subject to appropriate transfer mechanisms, including back-to-back SCCs or equivalent safeguards.
8. Compliance Information
8.1 Information on request.
ChipIn will provide the Customer with information reasonably necessary to demonstrate compliance with this DPA upon written request. Such information is limited to details about ChipIn's own data processing activities and technical measures within ChipIn's possession, and does not require ChipIn to engage third-party auditors, incur material cost, or provide access to ChipIn's systems or facilities.
9. Data Retention and Return
9.1 Retention during the term.
ChipIn will retain End User Personal Data for as long as necessary to provide the Platform to the Customer and as otherwise required by applicable law.
9.2 On termination.
Following termination of the Terms, if the Customer submits a written request for data return or deletion within 30 days of the termination date, ChipIn will use reasonable efforts to make End User Personal Data available for download in a standard format, or to confirm deletion, within a reasonable time and in a manner of ChipIn's choosing. If the Customer does not submit a written request within 30 days of termination, ChipIn may delete all End User Personal Data at its discretion with no further obligation to the Customer.
Where termination results from the Customer's breach of the Terms, ChipIn has no obligation to facilitate data export and may delete all End User Personal Data immediately and without notice.
Backup copies of End User Personal Data are deleted in the ordinary course of ChipIn's backup retention practices and are not subject to targeted deletion on request.
9.3 Exceptions.
ChipIn is not required to delete Personal Data to the extent that retention is required by applicable law, including legal hold obligations, regulatory requirements, or applicable limitation periods. In such cases, ChipIn will continue to protect the retained data in accordance with this DPA and will not process it for any other purpose.
10. Liability
10.1 Incorporation of Terms.
The limitations of liability set out in the Terms apply to this DPA. Neither party's liability under this DPA will exceed the aggregate cap established in the Terms.
10.2 Regulatory fines.
The Customer is not entitled to recover from ChipIn any fines or penalties imposed on the Customer by a supervisory authority or regulatory body, on any legal basis whatsoever.
11. Term and Termination
This DPA is effective from the date the Customer accepts the Terms and remains in force for as long as the Terms are in effect. Termination of the Terms automatically terminates this DPA, subject to the survival of obligations in Sections 6.4 (breach records), 9 (retention and return), 10 (liability), and any other provisions that by their nature should survive termination.
12. Governing Law
This DPA is governed by the laws of the State of New Hampshire, without regard to its conflict of law principles, except that the SCCs are governed by the law specified in those clauses as noted in Section 7.2.
13. General
13.1 Order of precedence.
In the event of a conflict between this DPA and the Terms, this DPA prevails with respect to the subject matter of data processing. In the event of a conflict between this DPA and the SCCs, the SCCs prevail with respect to international transfers of EEA Personal Data.
13.2 Amendments.
ChipIn may update this DPA to reflect changes in Data Protection Laws or platform operations, on 30 days' written notice. If a change is required by law with immediate effect, ChipIn will notify the Customer and the change will take effect immediately.
13.3 Entire agreement on data processing.
This DPA, together with the Terms, constitutes the entire agreement between the parties with respect to the processing of End User Personal Data by ChipIn on behalf of the Customer.
Annex 1 — Details of Processing
| Subject matter | Provision of the ChipIn event management platform, including registration, donation, auction, communication, and microsite tools. |
| Nature of processing | Collection, storage, retrieval, display, transmission, and deletion of End User Personal Data as required to operate the Platform on the Customer's behalf. |
| Purpose | Enabling the Customer to manage charitable fundraising events and campaigns, including processing event registrations, donations, auction bids, sponsor information, and related communications. |
| Duration | For the term of the Terms of Service, plus any post-termination retention required by law or elected by the Customer under Section 9.2 of this DPA. |
| Categories of Data Subjects | End Users: event participants, donors, sponsors, auction bidders, and other individuals who interact with the Customer's events through the Platform. |
| Categories of Personal Data | Name; email address; phone number; mailing address; payment metadata (transaction amounts, dates, and identifiers — not card numbers); custom field responses as configured by the Customer; donation amounts and dedication or donor wall messages; auction bid history and item interests; event registration details; and any other information submitted by End Users through Customer-configured event pages. |
| Sensitive data | The Platform is not designed to collect sensitive categories of personal data (as defined under GDPR Art. 9). The Customer is responsible for ensuring that no sensitive data is collected through custom fields without appropriate legal basis and safeguards. |
| Frequency of transfer | Continuous, as End Users interact with Customer's events. |
| Retention period | Deleted in the ordinary course following termination. Customer must submit a written data request within 30 days of termination to trigger data return or deletion confirmation. Backup copies expire in the ordinary course of ChipIn's backup retention practices. |
Annex 2 — Approved Subprocessors
The current list of Subprocessors approved to process End User Personal Data is maintained at chipinpro.com/legal/subprocessors and is incorporated into this DPA by reference. ChipIn will update that page when adding or replacing Subprocessors in accordance with Section 5.2.