Data Processing Agreement (DPA)
Version 1.0 | Effective April 21, 2026
This Data Processing Agreement ("DPA") is entered into between:
BenefitsSafe, located at 1969 Harrington Ave, Oakland, CA 94601 ("BenefitsSafe," "we," "us," or "Processor"), and
the Nonprofit identified in the applicable Order Form or online signup ("Customer," "you," or "Controller").
This DPA supplements, and is incorporated into, the BenefitsSafe Terms of Service (the "Agreement"). It governs BenefitsSafe's processing of Personal Data on Customer's behalf. Where a conflict exists between this DPA and the Agreement with respect to data protection, this DPA controls.
If Customer does not have an executed DPA on file, this DPA is deemed accepted when Customer accepts the Terms of Service. A countersigned copy is available on request from privacy@benefitssafe.com.
1. Definitions
Capitalized terms not defined here have the meaning in the Agreement.
- Applicable Data Protection Law — any data protection, privacy, or security law applicable to the Processing of Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq.) ("CCPA"), the Colorado Privacy Act, the Virginia CDPA, the Connecticut CTDPA, the Utah UCPA, and comparable state laws, as each may be amended.
- Controller — the entity that determines the purposes and means of Processing Personal Data. As between the parties, Customer is the Controller of Personal Data uploaded to or generated by Customer on the platform, including Beneficiary data.
- Processor — the entity that Processes Personal Data on behalf of a Controller. BenefitsSafe is the Processor.
- Sub-processor — any third party engaged by BenefitsSafe to Process Personal Data on Customer's behalf.
- Personal Data — any information relating to an identified or identifiable natural person that Customer uploads to, or generates on, the platform, including Beneficiary name, date of birth, Social Security Number, address, benefit-program enrollment (SSI, SSDI, Medi-Cal, CalFresh, ABLE, IHSS), transaction history, and Nonprofit staff contact details.
- Sensitive Personal Data — Personal Data revealing (i) Social Security Number or government identifier, (ii) financial account information, (iii) precise geolocation, (iv) health or benefit-program enrollment status, or (v) any other category treated as "sensitive," "special," or "Sensitive Personal Information" under Applicable Data Protection Law.
- Processing — any operation performed on Personal Data, including collection, recording, storage, consultation, disclosure, erasure, or destruction.
- Data Subject — the identified or identifiable natural person to whom Personal Data relates (e.g., a Beneficiary or a Nonprofit staff member).
- Security Incident — any confirmed or reasonably suspected unauthorized access to, acquisition of, disclosure of, alteration of, or loss of Personal Data Processed under this DPA.
- Standard Contractual Clauses or SCCs — the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, including the UK Addendum issued by the Information Commissioner's Office ("UK Addendum") where UK data is involved.
2. Roles and Scope
2.1 Roles
For all Personal Data Processed under this DPA:
- Customer is the Controller (or, where Customer Processes on behalf of a third-party Controller such as a funder, Customer is the Processor and BenefitsSafe is the Sub-processor — in which case Customer warrants it has authority to engage BenefitsSafe on those terms).
- BenefitsSafe is the Processor.
For BenefitsSafe's own business data (marketing, billing, internal analytics of pseudonymized usage), BenefitsSafe is the Controller and the Privacy Policy governs.
2.2 Scope of Processing (Annex I to GDPR SCCs)
| Item | Description |
|---|---|
| Subject matter | BenefitsSafe's provision of the grant-disbursement platform under the Agreement. |
| Duration | From Customer's first upload of Personal Data until 90 days after termination of the Agreement, subject to legal retention in Section 9. |
| Nature and purpose | Hosting, processing, analyzing, securing, and disclosing Personal Data as necessary to (a) operate the platform, (b) issue and service Virtual Cards through Stripe Issuing and partner banks, (c) apply compliance rules to expenses, (d) provide reporting and audit trails, and (e) comply with legal obligations. |
| Type of Personal Data | Nonprofit staff identifiers; Beneficiary identifiers (name, DOB, address); Beneficiary SSN (last 4 stored; full SSN transmitted to Stripe for KYC but not stored by BenefitsSafe); benefit-program enrollment; income and asset declarations; bank-account tokens; transaction records; device and log data. |
| Categories of Data Subjects | Nonprofit staff and invited users (admins, staff, CPAs, auditors, attorneys, grant officers, compliance officers, support agents, billing admins); Beneficiaries; Vendor contacts. |
| Sensitive Data | SSN (Sensitive PI under CCPA and "special category" or high-risk under other laws); benefit enrollment status (potentially "health data" under GDPR Art. 9 where tied to Medi-Cal or IHSS); financial account data. |
| Frequency | Continuous during the subscription term. |
| Retention | Per Section 9 and the retention schedule in the Privacy Policy. |
3. Processor Obligations
BenefitsSafe will:
- Process only on documented instructions from Customer, including as described in the Agreement, this DPA, and Customer's use of the platform configuration. Any Processing outside Customer's instructions will occur only where required by law, in which case BenefitsSafe will notify Customer in advance unless the law prohibits such notice on important grounds of public interest.
- Apply the technical and organizational measures described in Annex II (Section 4 below) to protect Personal Data.
- Ensure personnel authorized to Process Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
- Assist Customer in responding to Data Subject requests (see Section 6) and in conducting data-protection impact assessments and prior consultations with supervisory authorities, where required.
- Notify Customer of Security Incidents without undue delay and in any case within 24 hours of confirmation (Section 7).
- Delete or return Personal Data at Customer's choice at the end of the Agreement (Section 9).
- Make available to Customer all information necessary to demonstrate compliance with this DPA, and allow audits as set out in Section 8.
- Process only for the purposes of providing the platform; we do not "sell" or "share" Personal Data as defined by CCPA, do not combine Customer Personal Data with data from other sources for unrelated purposes, and do not use Customer Personal Data for advertising.
Under CCPA §1798.140(ag) and related provisions, BenefitsSafe certifies that it understands these restrictions and will comply with them.
4. Data Security (Annex II to GDPR SCCs)
BenefitsSafe maintains technical and organizational measures appropriate to the risk, including:
4.1 Access Controls
- Role-based access control in the application across 12 distinct roles, enforced at API routes via an `auth-guard` convention linter.
- Multi-factor authentication available for all user accounts; required for nonprofit_admin, platform_admin, billing_admin, and BenefitsSafe staff.
- Principle of least privilege on AWS IAM; no blanket administrator credentials in day-to-day operations.
- Session expiry after 1 hour of inactivity; session fingerprinting to detect cookie theft.
4.2 Encryption
- In transit: TLS 1.2 or higher, with HTTP Strict Transport Security (HSTS) max-age 2 years and preload-list enrollment.
- At rest: AES-256 via AWS KMS for databases, backups, and object storage.
4.3 Application Security
- Content Security Policy with `frame-ancestors 'none'` and `Cross-Origin-Opener-Policy` set to `same-origin`.
- All HTTP inputs validated with schema validation (Zod) before reaching the database; all database queries parameterized via the Prisma ORM.
- Rate limiting on authentication and financial endpoints.
- Circuit-breaker and timeout budgets on outbound payment-API calls to prevent cascading failures.
- Weekly dependency-vulnerability scans; critical-severity advisories remediated within 7 days, high-severity within 30 days.
4.4 Infrastructure
- Hosted on AWS in US-West (Oregon) with backup in US-East (Virginia).
- Automated database backups with 35-day retention.
- Separation of production, staging, and development environments; no production data in non-production environments.
- Immutable audit logging in a dedicated table, retained 2 years.
4.5 Personnel
- Background checks for BenefitsSafe personnel with access to production data, where permitted by law.
- Mandatory security and privacy training on hire and annually.
- Written confidentiality obligations for all personnel and contractors.
- Revocation of access within 24 hours of role change or departure.
4.6 Incident Response
- Documented incident-response plan (see incident-response-plan.md) covering detection, containment, eradication, recovery, and post-incident review.
- On-call rotation and alerting integrated with Better Stack.
- Tabletop exercises conducted at least annually.
4.7 Framework Alignment
- Aligned with the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover).
- SOC 2 Type 2 audit is on our roadmap; status is published at benefitssafe.com/security.
- Card data handled by Stripe, which maintains PCI DSS Level 1 certification; bank credentials handled by Plaid, which is SOC 2 Type 2 certified.
Customer acknowledges that the measures described above may evolve over time and that BenefitsSafe may replace them with alternative measures of equivalent or greater protection. Material reductions in security posture will be notified to Customer.
5. Sub-processors
5.1 Authorization
Customer provides a general authorization for BenefitsSafe to engage the Sub-processors listed in Appendix A, and additional Sub-processors as necessary to provide the platform.
5.2 Obligations on Sub-processors
BenefitsSafe will ensure that each Sub-processor is bound by written contractual terms that impose data-protection obligations substantially equivalent to those in this DPA, and BenefitsSafe remains liable to Customer for the acts and omissions of its Sub-processors.
5.3 Changes
BenefitsSafe maintains the list in Appendix A. Before adding or replacing a Sub-processor, we will update Appendix A and notify Customer by email to the privacy contact on file, at least 30 days in advance (shorter period allowed where an urgent security or operational need requires it, with explanation). Customer may object on reasonable data-protection grounds within the notice period. If Customer objects and the parties cannot reach a commercially reasonable solution within 30 days, Customer may terminate the affected subscription for cause and receive a pro rata refund of pre-paid fees.
5.4 Cross-border Sub-processors
Where a Sub-processor receives Personal Data originating from the EEA, UK, or Switzerland, the transfer is governed by Section 10.
6. Data Subject Rights
6.1 Allocation
Customer is primarily responsible for responding to Data Subject requests under Applicable Data Protection Law (GDPR Articles 15-22, CCPA §§1798.100-125, and equivalents). BenefitsSafe provides self-service tools (Beneficiary data export, deletion workflow, correction UI) so Customer can fulfill most requests without Processor assistance.
6.2 Processor Assistance
Where Customer needs additional assistance from BenefitsSafe to respond to a request (e.g., restoring data from backup, confirming deletion across all systems), BenefitsSafe will use commercially reasonable efforts to assist within 10 business days. For complex requests requiring engineering work, BenefitsSafe may charge time-and-materials at rates disclosed in advance.
6.3 Direct Requests to BenefitsSafe
If BenefitsSafe receives a Data Subject request directly, we will:
- Not respond to the substance of the request (other than acknowledging receipt).
- Forward the request to Customer's privacy contact within 5 business days.
- Honor the request only on Customer's documented instruction, unless law requires us to act directly.
6.4 Government Requests
If BenefitsSafe receives a binding legal demand for Customer Personal Data (subpoena, court order, warrant, or statutory demand), we will:
- Carefully examine the demand's legality and scope.
- Where legally permitted, notify Customer promptly so Customer may seek a protective order or other remedy before BenefitsSafe produces data.
- Challenge overbroad or unlawful demands, at Customer's reasonable expense.
- Produce only the minimum data strictly required, and document each production in an audit log available to Customer.
7. Security Incident Notification
7.1 Timing
BenefitsSafe will notify Customer's primary privacy contact of a confirmed Security Incident within 24 hours of confirmation.
7.2 Content
The notification will include, to the extent known:
- Nature and scope of the Incident (what happened, how discovered).
- Categories and approximate number of Data Subjects affected.
- Categories and approximate number of Personal Data records affected.
- Likely consequences.
- Measures taken or proposed to address the Incident and mitigate effects.
- Contact point for further information.
If full details are not yet known, BenefitsSafe will provide an initial notification with available information and supplement promptly thereafter.
7.3 Cooperation
BenefitsSafe will provide reasonable cooperation in Customer's investigation and response, including data for any required regulatory filings (GDPR Art. 33 — 72-hour supervisory-authority notification; California Civil Code §1798.82; and state breach-notification laws).
7.4 Responsibility for Notice to Data Subjects
Customer, as Controller, is responsible for notifying affected Data Subjects where required by law. BenefitsSafe will provide draft notice text and cooperate on remediation (e.g., credit-monitoring offers where appropriate).
7.5 No Admission of Liability
A notification of a Security Incident does not constitute an admission of fault or liability by BenefitsSafe.
8. Audit Rights
8.1 Audit Materials
BenefitsSafe will make available to Customer, on reasonable written request:
- Current SOC 2 Type 2 report (when available) or, in the interim, a letter describing BenefitsSafe's security program aligned with the NIST Cybersecurity Framework. SOC 2 Type 2 audit is planned for completion in Q3 2026.
- Penetration-test executive summaries, once available. BenefitsSafe's first third-party penetration test is scheduled for post-launch (target: Q3 2026); in the interim, BenefitsSafe shares the results of internal security reviews and dependency vulnerability scans on request.
- Copies of Sub-processor DPAs on request (confidentiality-redacted where required).
- The current list of Sub-processors (Appendix A), also published at benefitssafe.com/subprocessors.
8.2 On-site Audit
Not more than once per calendar year (or more often if a Security Incident or regulator requires), Customer or its qualified third-party auditor (subject to a customary confidentiality agreement) may conduct an audit of BenefitsSafe's data-protection practices relevant to the services, during normal business hours and with at least 30 days' prior written notice. The audit will:
- Be scoped to data-protection obligations under this DPA.
- Not disrupt BenefitsSafe's operations or the confidentiality of other customers' data.
- Be at Customer's cost, except that BenefitsSafe will bear its own internal-personnel costs up to 16 hours per audit.
8.3 Regulator Audits
Notwithstanding Section 8.2, BenefitsSafe will cooperate with mandatory audits by supervisory authorities (EU DPAs, UK ICO, California Privacy Protection Agency) conducted under their statutory authority.
9. Data Retention and Deletion
9.1 During Term
BenefitsSafe retains Personal Data in accordance with the retention schedule in the Privacy Policy.
9.2 On Termination
Within 30 days of termination or expiration of the Agreement:
- BenefitsSafe will make Personal Data available for Customer export in JSON and CSV formats through the platform.
- On Customer's written request, BenefitsSafe will instead return Personal Data via secure transfer.
- Unless Customer requests return or continued access, after the 30-day window BenefitsSafe will proceed to deletion per Section 9.3.
9.3 Deletion
Within 90 days after termination, BenefitsSafe will delete Customer Personal Data from active systems. Backup copies are aged out of AWS backups within the following 35-day rotation window. BenefitsSafe will provide a written certification of deletion on Customer's request.
9.4 Legal Retention Exceptions
BenefitsSafe may retain Personal Data beyond the above periods only to the extent required by law (e.g., IRS financial-records 7-year rule, 26 CFR §1.6001-1; unresolved litigation holds; regulatory investigations). Retained data will continue to be subject to the security and confidentiality obligations of this DPA until deletion.
10. International Data Transfers
10.1 US Processing
BenefitsSafe processes Personal Data in the United States.
10.2 Transfer Mechanism for EEA/UK/Swiss Data
For Personal Data originating in the European Economic Area, United Kingdom, or Switzerland, the parties agree that:
- Where BenefitsSafe or a Sub-processor is certified under the EU-US Data Privacy Framework (and UK/Swiss extensions), transfers may be made in reliance on that certification.
- In all other cases, the Standard Contractual Clauses are incorporated into this DPA, as follows:
- Module 2 (Controller to Processor) applies where Customer is the Controller.
- Module 3 (Processor to Sub-processor) applies where Customer is itself a Processor acting on behalf of a third-party Controller.
- Where UK data is transferred, the UK Addendum issued by the ICO applies together with the SCCs.
- The optional docking clause (Clause 7) is adopted.
- For Clause 9 (Sub-processors), Option 2 (general written authorization) applies, with a 30-day notice period.
- For Clause 11 (redress), the optional independent-dispute-resolution language is not selected.
- For Clause 17 (governing law), the law of the Republic of Ireland applies.
- For Clause 18 (jurisdiction), the courts of Ireland have exclusive jurisdiction.
- Annexes I, II, and III are populated by the provisions of this DPA (Section 2.2, Section 4, and Appendix A, respectively).
10.3 Transfer Impact Assessment
Customer acknowledges that BenefitsSafe has performed a transfer impact assessment consistent with the Schrems II decision (C-311/18) and has implemented supplementary technical and organizational measures where appropriate, including encryption at rest and in transit, access controls, and a published policy on responding to government requests. A summary of that assessment is available on request.
11. Liability
11.1 Under the Agreement
The limitations of liability in Section 13 of the Terms of Service apply to claims arising out of this DPA, except:
- The cap does not apply to claims arising from a party's gross negligence, willful misconduct, or fraud.
- The cap does not apply to liabilities that cannot be limited under Applicable Data Protection Law (e.g., GDPR Art. 82 direct liability of a Processor to a Data Subject may not be waivable).
11.2 Joint and Several Liability to Data Subjects
Where the GDPR applies, the parties acknowledge that they may be jointly and severally liable to Data Subjects under GDPR Art. 82. As between the parties, each bears responsibility in proportion to its fault, and the indemnification obligations in Section 14 of the Terms of Service continue to apply.
11.3 Fines
Administrative fines imposed by a supervisory authority are borne by the party whose acts or omissions caused the violation, subject to indemnification in the Terms of Service.
12. Term and Termination
This DPA takes effect on the Effective Date and continues for the duration of the Agreement, plus the retention and deletion periods in Section 9 and any surviving obligations (confidentiality, Section 10 transfer safeguards, audit-response for data retained under legal holds).
Termination of the Agreement automatically terminates this DPA, except for surviving obligations.
13. Miscellaneous
13.1 Precedence
In case of conflict between this DPA and the Agreement on data-protection issues, this DPA prevails. In case of conflict between this DPA and the SCCs, the SCCs prevail on the matters they govern.
13.2 Severability
If any provision of this DPA is held invalid, the remaining provisions continue in full force.
13.3 Amendments
Amendments must be in writing. BenefitsSafe may update Appendix A (Sub-processors) in accordance with Section 5.3. BenefitsSafe may also update this DPA to reflect changes required by law or regulatory guidance, with 30 days' notice; if the change materially reduces Customer's rights, Customer may terminate the affected subscription for cause.
13.4 Counterparts and Electronic Signatures
This DPA may be executed in counterparts and by electronic signature, each of which constitutes an original.
13.5 HIPAA Business Associate Agreement
If Customer's use of the platform involves Protected Health Information as defined under the Health Insurance Portability and Accountability Act, Customer must request and execute BenefitsSafe's HIPAA Business Associate Agreement before uploading PHI. Contact privacy@benefitssafe.com. In the absence of an executed BAA, Customer warrants it will not upload PHI to the platform.
13.6 Notices
Notices under this DPA to BenefitsSafe go to privacy@benefitssafe.com with a copy to legal@benefitssafe.com. Notices to Customer go to the privacy contact on file.
Appendix A — List of Sub-processors
As of the Effective Date, BenefitsSafe engages the following Sub-processors:
| Sub-processor | Role | Data Processed | Location | Transfer Mechanism | Link |
|---|---|---|---|---|---|
| Stripe, Inc. (Stripe Payments, Stripe Issuing, Stripe Connect, Stripe Treasury, Stripe Billing) | Payment processing, card issuance, KYC, subscription billing, Nonprofit ACH onboarding | Beneficiary identity, card transactions, Nonprofit bank + billing data | United States | DPF + SCCs (Module 3) | stripe.com/privacy · stripe.com/legal |
| Sutton Bank (card-issuing bank via Stripe Issuing) | FDIC-insured card issuer | Cardholder identity (via Stripe) | United States | Regulated US bank | Governed by Stripe Issuing terms |
| Evolve Bank & Trust (card-issuing bank via Stripe Issuing) | FDIC-insured card issuer | Cardholder identity (via Stripe) | United States | Regulated US bank | Governed by Stripe Issuing terms |
| Amazon Web Services, Inc. | Hosting, database (Aurora PostgreSQL), object storage (S3), KMS | All platform data (encrypted at rest) | US-West (Oregon) primary, US-East (Virginia) backup | DPF + SCCs | aws.amazon.com/privacy · aws.amazon.com/compliance/gdpr-center |
| Vercel, Inc. | Application hosting + edge delivery | HTTP request metadata, deployment logs, encrypted env vars | United States | SCCs | vercel.com/legal/privacy-policy |
| Cloudflare, Inc. | DNS + proxy for app.benefitssafe.com; Cloudflare Workers for cron scheduling | HTTP request metadata (IP, user-agent, URL path) | United States (global edge) | SCCs | cloudflare.com/privacypolicy |
| Postmark (ActiveCampaign) | Transactional email | Email address, user name, message content | United States | SCCs | postmarkapp.com/privacy-policy |
| Sentry (Functional Software, Inc.) | Error and performance monitoring | Pseudonymized traces, user ID, URL path | United States | DPF | sentry.io/privacy |
| Upstash, Inc. | Rate limiting, ephemeral cache (Redis), background job queue (QStash) | Pseudonymized request keys, counters, queued job payloads | United States | SCCs | upstash.com/trust/privacy.pdf |
| Better Stack (Logtail) | Centralized application logs | Application logs with redacted PII | United States / EU | SCCs | betterstack.com/privacy |
| Anthropic, PBC | Compliance Assistant AI (Claude); no SSN or card-number access | Question text, compliance context | United States | SCCs | anthropic.com/legal/privacy |
| Composio, Inc. | Workflow automation for org-level integrations that the Nonprofit elects to enable | Workflow-trigger metadata and payloads supplied by the Nonprofit | United States | SCCs | composio.dev/privacy |
| Google LLC (Google OAuth) | Optional Google sign-in for Nonprofit staff | Email, name, profile image, Google account ID | United States | DPF | policies.google.com/privacy |
| Microsoft Corporation (Microsoft Entra ID) | Optional Microsoft sign-in for Nonprofit staff | Email, name, Microsoft account ID | United States | DPF | privacy.microsoft.com |
OFAC sanctions screening is performed by calling the US Department of the Treasury's public SDN search API; the Treasury is not a commercial Sub-processor.
The current list is maintained at benefitssafe.com/subprocessors.
Appendix B — Standard Contractual Clauses
By entering into this DPA, the parties incorporate by reference the Standard Contractual Clauses at Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and, where UK data is involved, the UK International Data Transfer Addendum issued by the Information Commissioner's Office (ico.org.uk).
Module selection, annex population, and optional clauses are as described in Section 10.2 of this DPA.
On request, BenefitsSafe will sign a standalone copy of the SCCs referencing this DPA's annexes.
Signature
For BenefitsSafe:
Name: Styner Stiner
Title: Founder
Date: April 21, 2026
Signature: ____________________________________
For Customer:
Organization: __________________________________
Name: _________________________________________
Title: _________________________________________
Date: _________________________________________
Signature: ____________________________________
Where Customer accepts this DPA by click-through acceptance of the Terms of Service, electronic acceptance is binding under the US E-SIGN Act and comparable laws, and no separate signature is required.
Version History
| Version | Effective Date | Summary |
|---|---|---|
| 1.0 | April 21, 2026 | Initial publication. |
