Data Processing Agreement
Effective Date: May 9, 2025
This Data Processing Agreement (this “DPA”) forms a part of the Master Professional Services (the “Agreement”) entered into by and between Pennington & Company Fundraising LLC (“Company”) and you (each, a “Party” or together, the “Parties”). Any capitalized terms used in this DPA but not defined shall have the respective meanings given to them in the Agreement. The Parties enter into this DPA to comply with applicable Data Protection Laws (as defined below).
- Certain Defined Terms. Capitalized terms used in this DPA but not otherwise defined in this DPA or the Agreement have the following meanings:
- “Applicable Law” means all laws, rules, regulations, rulings, decrees, directives, or other requirements of any governmental authority, and all current industry self-regulatory principles that (a) apply to this DPA and the Services; (b) relate to the Parties’ rights and obligations in this DPA and the Services; or (c) apply to the collection, processing, and storage of Personal Data.
- “Data Protection Laws” means all Applicable Laws, self-regulatory rules and guidelines, and your policies relating to or impacting the processing, privacy, or security of Personal Information, including the California Privacy Rights Act of 2020.
- “Personal Information” means information processed by Company on behalf of you through the Services that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly to, a natural person. “Personal Information” does not include Usage Data.
- “Usage Data” means data and information related to your and your users’ use of the Services through system logging and other tools that automatically collect information on events that occur through use of the Services.
- Scope. This DPA only applies to the extent that Company processes Personal Information on behalf of you in the course of providing the Services. This DPA does not apply to the processing of Personal Health Information (as defined in Data Protection Laws). In the event Company processes Personal Health Information on behalf of you, the Parties will enter into a Business Associate Agreement (as defined in Data Protection Laws) that will govern such processing. To the extent Usage Data is considered Personal Information under applicable Data Protection Laws, Company is the “controller” or “business” with respect to such Usage Data.
- Compliance with Laws. Each Party shall comply with its obligations under applicable Data Protection Laws. You may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information by Company. If applicable Data Protection Laws related to the processing of Personal Information change, Company may make any necessary amendments to this DPA.
- Instructions. Company shall process your Personal Information in accordance with your documented lawful instructions as set forth in this DPA and the Agreement and as otherwise necessary to provide the Services (together, “Processing Instructions”). You will ensure that your Processing Instructions comply with Applicable Laws. If, in Company’s opinion, your Processing Instructions violate applicable Data Protection Laws, Company will notify you. Company may, without penalty, refuse further processing of Personal Information under this DPA that it believes to be in violation of any Applicable Law, including any applicable Data Protection Laws.
- Use of Personal Information. Company may process Personal Information to provide the Services and as otherwise provided in the Agreement and this DPA. Company shall not:
- sell, share (as such terms are defined under applicable Data Protection Laws) or otherwise disclose any Personal Information to any third party other than its duly authorized subcontractors for purposes of performing the Services;
- collect, retain, use, or otherwise disclose or process Personal Information, including Personal Information, for any purpose other than as necessary to provide the Services specified in the Agreement or outside of the direct business relationship between Company and you; provided that Company may retain, use and disclose Personal Information obtained during the course of providing Services to retain and employ a Subprocessor (as defined below), for internal purposes to build or improve the quality of its services, to detect data security incidents or protect against fraudulent or illegal activity, or as otherwise permitted by Data Protection Laws; or
- combine Personal Information with Personal Information Company receives from, or on behalf of, another person or persons, or which Company collects from its own interactions with an individual, in each case except as expressly agreed by you and permitted by Applicable Laws.
Company certifies that it understands the restrictions in this Section 5 and will comply with them.
- Security. Company will implement and maintain appropriate technical and organizational security measures designed to preserve the security and confidentiality of Personal Information processed through the Services. Company may update its security measures, provided that any updates shall not materially diminish the overall security of Personal Information or the Services.
- Subprocessors. You generally authorize Company to engage third parties to assist in the processing of Personal Information on behalf of you (each, a “Subprocessor”), including the Subprocessors listed on Schedule 1 to this DPA. Company shall require that each person processing Personal Information on its behalf be subject to a duty of confidentiality with respect to such Personal Information. If Company engages a Subprocessor, Company shall provide notice to you of that engagement by way of updating Schedule 1. You shall have thirty (30) days to object to such engagement by providing written notice to Company as provided in the Agreement.
- Disposition of Personal Information Upon Termination. Upon termination of the Agreement, Company will promptly delete all Personal Information in its custody or control, except for Personal Information retained in Company’s backup files, if any, which will be deleted in the ordinary course of Company’s business in accordance with its standard data retention schedules.
- Third Party Communications. Company shall promptly notify you if it receives any communication from a third party (whether from an individual, a governmental authority, or otherwise) which relates to the processing of Personal Information, or to either Party’s compliance with Data Protection Laws, and shall refer such third party to you.
- Compliance and Audit.
- Company shall provide all information reasonably necessary to demonstrate compliance with this DPA.
- Company shall allow you or an auditor appointed by you to, not more than once every twelve (12) months unless required by Applicable Law, carry out audits or other security assessments (each, a “Security Assessment”) relating to the processing of Personal Information by Company. The scope of any Security Assessment shall be mutually agreed by the Parties in advance. You shall be solely responsible for all costs related to any Security Assessment, including all costs incurred by Company in connection with cooperating with such Security Assessment.
- Company may, but is not required to, retain a qualified and independent assessor to perform an annual audit of the physical, technical, administrative, and organizational safeguards put in place by Company that relate to the protection of the security, confidentiality, or integrity of Personal Information using an appropriate and industry accepted control standard or framework and assessment procedure, or documentation of certification of compliance with, industry-accepted information security standards (“Third Party Audit”).
- You agree to first review any available Third Party Audit prior to conducting any Security Assessment.
- Personal Information Breach. Company will notify you without undue delay of any unauthorized access to, or disclosure or acquisition of, Personal Information. Company will provide you with information regarding the extent of data exposure, including the number and identity of affected individuals, if known, and the status of remediation efforts.
- Conflict. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail.
- Limitation of Liability. Notwithstanding anything to the contrary in the Agreement or this DPA and to the maximum extent permitted by Applicable Law, each Party’s liability, in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall remain subject to the limitations on liability section of the Agreement.
- Survival. The obligations placed upon each Party under this DPA will survive so long as Company processes Personal Information on behalf of you.
Schedule 1
Subprocessors
Company hereby identifies the following Subprocessors:
| Subprocessor | Role / Purpose | Location |
| --- | --- | --- |
| Amazon Web Services | Cloud-based solution for computation, storage, and data solutions. | AWS US-East Region |
| HubSpot | Customer relationship management tool, including email marketing. | US |