Data Processing Agreement

Last updated: 27 March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Alma ("Processor") and the charity or organisation using the Service ("Controller"). It governs how we process personal data on your behalf in accordance with UK GDPR and the Data Protection Act 2018.

1. Definitions

  • "Controller" means the charity or organisation that uses Alma and determines the purposes and means of processing donor personal data
  • "Processor" means Alma, which processes personal data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in UK GDPR
  • "Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and erasure
  • "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller

2. Scope & purpose of processing

The Processor processes personal data solely to provide the Alma Service, which includes:

  • Capturing and storing Gift Aid declarations via the kiosk
  • Managing donor records in the Donation Hub
  • Generating HMRC-formatted exports for Gift Aid claims
  • Tracking GASDS (Small Donations Scheme) entries
  • Processing card payments via Stripe (where applicable)
  • Sending transactional emails (donation receipts, notifications)
  • Providing analytics and reporting on donation data

3. Categories of data subjects

  • Donors who make Gift Aid declarations via the kiosk or admin panel
  • Charity administrators and team members who use the Donation Hub

4. Types of personal data processed

  • Donor: full name, home address, phone number, email address, donation amounts, payment method, Gift Aid eligibility, electronic signature
  • Administrator: name, email address, role, login credentials, activity logs

5. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 7)
  • Not engage a sub-processor without prior written authorisation from the Controller (see Section 8)
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
  • Assist the Controller in ensuring compliance with data protection impact assessments and prior consultation obligations
  • Delete or return all personal data at the end of the service agreement, at the Controller's choice, subject to legal retention requirements
  • Make available all information necessary to demonstrate compliance and allow for audits

6. Obligations of the Controller

The Controller shall:

  • Ensure there is a valid legal basis for the processing of personal data
  • Provide appropriate privacy notices to donors before data is collected
  • Ensure the accuracy of personal data provided to the Processor
  • Comply with all applicable data protection laws in their use of the Service
  • Notify the Processor promptly of any data subject requests that require the Processor's assistance

7. Security measures

The Processor implements the following technical and organisational measures to protect personal data:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Password hashing with bcrypt (salted)
  • Optional two-factor authentication (TOTP)
  • Role-based access control (Admin / Viewer roles)
  • Daily automated database backups with 7-day retention
  • Comprehensive audit logging of all user actions
  • Secure session management with configurable timeout
  • Infrastructure hosted on SOC 2 compliant platforms (Vercel, Supabase/AWS)

For full details, see our Security page.

8. Sub-processors

The Controller authorises the use of the following sub-processors:

Sub-processor  | Purpose                                   | Location
Supabase (AWS) | Database hosting, authentication, storage | EU
Vercel         | Application hosting, CDN, edge functions  | Global
Stripe         | Card payment processing                   | EU / US
Resend         | Transactional email delivery              | US

The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Each sub-processor is bound by data protection obligations no less protective than those in this DPA.

9. Data breach notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach
  • Provide sufficient information to enable the Controller to fulfil its obligation to notify the ICO within 72 hours (where required)
  • Cooperate with the Controller in investigating and mitigating the breach
  • Document the breach, including its effects and the remedial actions taken

10. International transfers

Where personal data is transferred outside the UK or EEA (e.g. to sub-processors in the US), the Processor ensures appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs), Standard Contractual Clauses (SCCs), or reliance on adequacy decisions. The Processor will inform the Controller of the specific safeguard mechanism used for each transfer.

11. Data retention & deletion

Upon termination of the Service agreement:

  • The Controller may export all data using the built-in export tools before account closure
  • The Processor will delete or anonymise all personal data within 90 days of account closure, unless retention is required by law
  • Gift Aid declaration records may be retained for the minimum period required by HMRC (6 years from the end of the relevant tax year)
  • The Processor will confirm deletion in writing upon request

12. Audit rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits shall be conducted with reasonable notice (minimum 30 days), during normal business hours, and at the Controller's expense. The Processor will cooperate fully and provide access to relevant records, systems, and personnel.

13. Governing law

This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.

14. Contact

To request a signed copy of this DPA or discuss data protection matters, please contact us at:

Alma — Data Protection

Email: dpa@trustalma.com