DonorsBase-logo
FeaturesEvery feature, in every plan — no add-ons.PricingScales by donors, never per-seat.IntegrationsStripe, PayPal, Authorize.Net, QuickBooks.
Start free in minutesUp to 50 donors, all three gateways, no credit card required.Create your account
For charitiesDonor CRM, receipts, and tax summaries.For non-profitsCampaigns, recurring giving, and reporting.For donorsA simple, branded way to give and re-give.Donor portalSelf-service giving history and receipts.
BlogPlaybooks on fundraising and donor retention.Help centerStep-by-step guides to set up and run DonorsBase.FAQAnswers on setup, pricing, and security.AboutWhy we built DonorsBase.Contact usQuestions, custom plans, or migration help — we reply within one business day.
Log inSign Up
Home
FeaturesPricingIntegrations
For charitiesFor non-profitsFor donorsDonor portal
BlogHelp centerFAQAboutContact us
Log inSign Up
DonorsBase logo← Back to home

Data Processing Agreement

Effective date: July 5, 2026

1. Scope and Relationship

This Data Processing Agreement ("DPA") forms part of the DonorsBase Terms & Conditions between Orthoplex Solutions ("Processor," "DonorsBase," "we," "us") and the organization using the Services ("Controller," "Customer," "you"). This DPA applies when DonorsBase processes Personal Data on Customer's behalf in connection with the Services.

Customer is the controller (or business, under CCPA/CPRA) of donor and constituent Personal Data. DonorsBase acts as processor (or service provider) processing such data only on Customer's documented instructions as described in these Terms, the Privacy Policy, and Customer's use of the Services.

2. Subject Matter and Duration

Subject matter: Processing of Personal Data to provide donor management, fundraising, receipt, reporting, and related Services.

Duration:For the term of Customer's account plus any retention period described in the Terms, Privacy Policy, or applicable law.

Nature and purpose: Hosting, storage, organization, retrieval, transmission, and display of Personal Data to operate the Services Customer configures.

Categories of data subjects: Donors, constituents, Customer personnel, and other individuals whose data Customer uploads or collects through the Services.

Types of Personal Data: Names, contact details, giving history, communication preferences, and other fields Customer chooses to collect. Payment card data is processed directly by Payment Processors and is not stored by DonorsBase.

3. Customer Instructions

DonorsBase will process Personal Data only on Customer's instructions, including as necessary to provide the Services, maintain security, comply with law, or as documented in these Terms. Customer instructs DonorsBase to process Personal Data to deliver account functionality Customer enables (donation forms, receipts, reports, integrations, and similar features).

Customer is responsible for ensuring its instructions comply with applicable data protection laws and that it has a lawful basis for processing.

4. Processor Obligations

DonorsBase will:

  • process Personal Data only as documented in this DPA and the Terms;
  • ensure personnel authorized to process Personal Data are bound by confidentiality obligations;
  • implement appropriate technical and organizational security measures;
  • assist Customer, where reasonably possible, with data subject requests and impact assessments;
  • notify Customer without undue delay upon becoming aware of a confirmed Personal Data breach affecting Customer Personal Data in our control;
  • delete or return Customer Personal Data upon termination as described in the Terms, except where retention is required by law.

5. Subprocessors

Customer authorizes DonorsBase to engage Subprocessors to support the Services. Current categories of Subprocessors include:

  • Cloud infrastructure (hosting and storage);
  • Email delivery (transactional messages);
  • Analytics and monitoring (service reliability and security);
  • Payment Processors (Stripe, PayPal, Authorize.net), which may act as independent controllers for payment data.

We impose data protection obligations on Subprocessors through contract substantially similar to this DPA where applicable. We will notify Customer of material new Subprocessors by updating this page or via email. Customer may object on reasonable data protection grounds within 30 days of notice; if we cannot accommodate the objection, Customer may terminate affected Services.

6. International Transfers

Personal Data may be processed in Canada, the United States, and other countries where we or our Subprocessors operate. Where required by applicable law, DonorsBase will implement appropriate safeguards for cross-border transfers, which may include Standard Contractual Clauses, UK International Data Transfer Addendum, or equivalent mechanisms upon request.

7. Security Measures

We maintain measures including TLS encryption in transit, access controls, hashed credentials, role-based permissions, logging, and vendor review. Details are described in our Privacy Policy and security documentation. Customer is responsible for securing its accounts, devices, and integrations.

8. Security Incidents

Upon confirming a Personal Data breach affecting Customer Personal Data in our systems, we will notify Customer without undue delay and provide information reasonably available to support Customer's regulatory obligations. Customer is responsible for assessing whether notification to Donors or authorities is required and for making those notifications.

9. Audits and Information

Upon reasonable written request, DonorsBase will provide information necessary to demonstrate compliance with this DPA. Customer may conduct audits no more than once per year with 30 days' notice, subject to confidentiality and minimal disruption, or accept third-party audit summaries we make available.

10. CCPA / CPRA Service Provider Terms

To the extent CCPA/CPRA applies, DonorsBase is a service provider. We will not sell or share Personal Data, will process it only for specified business purposes, and will not combine it except as permitted by law. Customer may take reasonable steps to ensure we use Personal Data consistently with Customer's obligations.

11. Liability

Liability arising from this DPA is subject to the limitation of liability, limitation period, indemnification, and dispute resolution provisions in the DonorsBase Terms & Conditions.

12. Contact

For data protection inquiries, contact us at support@donorsbase.com.

Terms & ConditionsPrivacy PolicySystem statusQuestions? support@donorsbase.com

DonorsBase-logo

Donor management, donations, and stewardship — built for charities and nonprofits, with every feature in every plan.

Product

  • Features
  • Pricing
  • Integrations
  • FAQ

Solutions

  • For charities
  • For non-profits
  • For donors

Resources

  • Blog
  • Help center
  • Get started
  • About

Legal

  • Privacy
  • Terms
  • Data Processing
  • Security & compliance
  • System status
© 2026 DonorsBase. All rights reserved.
PrivacyTermsData ProcessingSecurity & complianceSystem status