Data Processing Addendum

Effective April 30, 2026. Available for Audit-Ready and Enterprise customers. Forms part of the Organization Subscription Terms. Email legal@kindnesscounts.io for a counter-signed copy.

1. Definitions

Capitalized terms not defined here have the meaning given in the Organization Subscription Terms or the Terms of Service.

  • “Personal Information” means any information that identifies, relates to, describes, or could reasonably be linked with an identified or identifiable natural person, as defined under California Civil Code § 1798.140 and other applicable U.S. state privacy law.
  • “Process,” “Processing” means any operation performed on Personal Information, including collection, use, storage, disclosure, transfer, modification, or deletion.
  • “Customer Data” means Personal Information that Customer or its volunteers, donors, or other constituents submit to or generate through the Service.
  • “Sub-processor” means a third party engaged by Provider to Process Customer Data.
  • “Service Provider,” “Contractor,” “Business” have the meanings given in California Civil Code § 1798.140.

2. Roles of the parties

For Customer Data, Customer is the “Business” (or equivalent role under applicable law) and Provider is the “Service Provider” or “Contractor.” Provider Processes Customer Data only on Customer's documented instructions and only as necessary to provide the Service or as required by applicable law.

For Service Generated Data and Aggregated Data described in Provider's Privacy Policy, Provider is a Business in its own right.

3. Subject matter and scope

This Addendum applies to all Processing of Customer Data by Provider in the course of providing the Service. The subject matter, duration, nature, and purpose of Processing, the types of Personal Information, and the categories of data subjects are set out in Schedule A.

4. Customer instructions

Provider Processes Customer Data only on Customer's documented instructions, including the instructions set out in this Addendum, the Organization Subscription Terms, the Privacy Policy, and any reasonable written instructions Customer provides through the Service or in writing. If Provider believes a Customer instruction violates applicable law, Provider will inform Customer.

5. Confidentiality of personnel

Provider ensures that personnel authorized to Process Customer Data have committed to confidentiality or are under a statutory obligation of confidentiality and that access is limited to those who need it to perform the Service.

6. Security

Provider implements and maintains commercially reasonable technical and organizational measures to protect Customer Data against unauthorized or unlawful Processing, accidental loss, destruction, alteration, or disclosure. Current measures include:

  • Transport-layer encryption (TLS 1.2 or higher) for data in transit.
  • Encryption at rest for primary databases and blob storage.
  • Cryptographic hashing of verification records for tamper evidence.
  • Role-based access controls and audit logging.
  • Regular review of access privileges and least-privilege principles.
  • Authentication via Firebase with optional Google OAuth for volunteers and coordinators.
  • Rate limiting and abuse detection at the application layer.
  • Secure software development lifecycle and dependency review.
  • Secure deletion of media containing Customer Data on decommissioning consistent with NIST SP 800-88 guidelines (when implemented; until then, secure deletion in accordance with sub-processor capabilities).

7. Sub-processors

Customer authorizes Provider to engage Sub-processors to Process Customer Data, subject to the conditions in this Section. Provider's current Sub-processors are listed in our Privacy Policy (Section 8). Provider may engage additional Sub-processors and will provide Customer at least thirty (30) days' advance notice through the Service or by email. If Customer reasonably objects to a new Sub-processor on data-protection grounds, Customer may terminate the affected portion of the Service on written notice and receive a pro-rata refund of any prepaid unused fees.

Provider remains responsible for the acts and omissions of its Sub-processors with respect to Customer Data. Provider enters into written agreements with each Sub-processor that impose data-protection obligations no less protective than those in this Addendum.

8. Data subject requests

Provider will, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures (insofar as possible) to fulfill Customer's obligation to respond to verifiable consumer requests under California Civil Code § 1798.100 et seq. and analogous provisions of other applicable law (rights to know, access, correct, delete, port, and limit Processing). If Provider receives a request directly from a data subject who identifies as a Customer's constituent, Provider will promptly notify Customer and direct the data subject to Customer.

9. Personal information breach notification

Provider will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed Personal Information breach affecting Customer Data. The notification will, to the extent then known, describe (a) the nature of the breach, including the categories and approximate number of records and data subjects affected; (b) the likely consequences; (c) the measures taken or proposed to address the breach and mitigate adverse effects; and (d) a contact for further information. Provider will reasonably cooperate with Customer's efforts to investigate, mitigate, and remediate the breach.

10. Audit rights

Customer may audit Provider's compliance with this Addendum no more than once per calendar year, on at least thirty (30) days' prior written notice, at Customer's expense, during normal business hours, and subject to reasonable confidentiality obligations. Audits must not unreasonably interfere with Provider's business operations and must be scoped to the Service.

Provider may satisfy this audit right by making available third-party audit reports (such as a SOC 2 Type II report, when available) and responding in good faith to a security questionnaire. Audits beyond what those reports cover require mutual agreement on scope and cost.

11. International transfers

Provider Processes Customer Data only in the United States. Provider does not transfer Customer Data to any country outside the United States without Customer's prior written consent. If Customer permits transfers outside the United States in the future, the parties will execute Standard Contractual Clauses or other approved transfer mechanisms as required by applicable law.

12. Return or deletion of customer data

On termination of the Service for any reason, Provider will make Customer Data available for export for ninety (90) days as set out in the Organization Subscription Terms. After that period, Provider will delete or anonymize Customer Data, except (a) Service Generated Data and Aggregated Data, which remain subject to Provider's Privacy Policy; (b) backup copies retained for up to ninety (90) days for disaster recovery; and (c) information Provider is required to retain to comply with applicable law.

13. Restrictions on provider use

Provider will not:

  • Sell or share (as those terms are defined under California Civil Code § 1798.140) Customer Data.
  • Retain, use, or disclose Customer Data outside the direct business relationship with Customer or for any commercial purpose other than performing the Service.
  • Combine Customer Data with personal information Provider receives from another customer or collects from its own interactions with the data subject, except (i) to perform a business purpose for Customer, or (ii) as part of Aggregated Data described in the Privacy Policy.
  • Use Customer Data, in identifiable form, to train any artificial intelligence or machine learning model. Provider may use Aggregated Data (de-identified, as defined in the Privacy Policy) to train, evaluate, and improve the systems described in the Privacy Policy, including systems that power any analytics, dashboard, benchmarking, or insights products that Provider may develop and offer.

14. Liability

Each party's liability under this Addendum is subject to the limitations and exclusions in the consumer-facing Terms of Service (Section 12) and the Organization Subscription Terms. Nothing in this Addendum waives liabilities that cannot be limited by contract under applicable law, including California Civil Code § 1668.

15. Order of precedence

In the event of a conflict between this Addendum and another agreement between the parties, this Addendum prevails with respect to data-protection obligations. In all other respects, the order of precedence is as set out in the Organization Subscription Terms.

A. Schedule A: Processing details

Subject matter. Provision of the Kindness Counts verified volunteer-hours platform to Customer.

Duration. The term of Customer's paid subscription, plus the data-export grace period and any backup retention period described in the Privacy Policy.

Nature and purpose. Hosting, processing, and transmitting Customer Data to provide volunteer registration, event management, multi-factor check-in verification, confidence scoring, independent corroboration, reporting, and related Service functions.

Types of Personal Information. Identifiers (name, email, phone), authentication credentials, date of birth (for the 18+ requirement), profile photos (where provided), event registration and attendance records, GPS coordinates captured at check-in and check-out, verification timestamps, cryptographic verification hashes, confidence scores, corroboration associations, and (where Customer enables background checks) the eligibility status returned from a consumer reporting agency. The underlying source data collected by the consumer reporting agency for a background check is held by the agency, not by Provider.

Categories of data subjects. Customer's volunteers, coordinators, staff with Service access, and (where Customer enables relevant features) donors or other constituents whose information Customer imports.