Zakatable
Privacy Terms Refund DPA Back to home
How to sign: This is the standard DPA we offer to enterprise customers. To sign, download or print this page, complete Schedule A and the signature block, and email a signed PDF to [email protected]. We will countersign and return a fully executed copy.

Data Processing Agreement

Version: June 15, 2026

This Data Processing Agreement ("DPA") supplements the Zakatable Terms of Service (the "Agreement") between Bright Thoughts Technologies, LLC ("Processor", operator of the Zakatable platform) and the customer identified on the signature page ("Controller"). Where the Agreement and this DPA conflict on data-protection matters, this DPA controls.

This DPA reflects the parties' agreement on the processing of personal data in connection with the Agreement, in compliance with:

  • the EU General Data Protection Regulation 2016/679 ("GDPR");
  • the UK Data Protection Act 2018 and UK GDPR;
  • the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA");
  • other applicable data-protection laws as they apply to the Processing.

1. Definitions

Terms not defined here have the meaning given in the GDPR (where the GDPR applies), or in the equivalent applicable law. In addition:

  • "Customer Data" means personal data submitted to the Services by Controller or its authorized users.
  • "Data Subjects" means the individuals to whom Customer Data relates — for Zakatable this typically includes Controller's staff, members, volunteers, donors, and applicants for assistance.
  • "Processing" has the meaning in Article 4(2) GDPR.
  • "Services" means the Zakatable platform as described in the Agreement.
  • "Sub-processor" means any third party engaged by Processor to Process Customer Data on Processor's behalf.

2. Roles of the parties

For Customer Data processed under the Services:

  • Controller is the data controller (or, where applicable, the "business" under CCPA/CPRA).
  • Processor is the data processor (or, where applicable, the "service provider" under CCPA/CPRA) acting on Controller's documented instructions.

The parties acknowledge that Processor may also act as an INDEPENDENT controller for limited operational data (account login records, billing records, security logs) as described in Processor's Privacy Policy. This DPA does NOT cover that independent-controller processing.


3. Processing details (Schedule A)

The subject matter, duration, nature and purpose of Processing, the types of Customer Data, and the categories of Data Subjects are set out in Schedule A at the end of this DPA.


4. Controller's instructions

Processor will Process Customer Data only:

  • (a) to provide, maintain, secure, and support the Services as described in the Agreement;
  • (b) on Controller's documented instructions (including via configuration the Controller's authorized users make in the Services); and
  • (c) as required by applicable law (in which case Processor will, where legally permitted, notify Controller before complying).

If Processor believes a Controller instruction infringes applicable data-protection law, Processor will notify Controller and may suspend performance of that instruction until it is amended.


5. Confidentiality

Processor will ensure that personnel with access to Customer Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and trained on data-protection responsibilities.


6. Security measures

Processor will implement and maintain appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, at minimum:

  • Encryption in transit: TLS 1.2 or higher for all network connections.
  • Encryption at rest: database storage encrypted at the volume level.
  • Access controls: role-based access; least-privilege principle; multi-factor authentication for production access; quarterly access reviews.
  • Network segmentation: production and non-production environments isolated.
  • Logging and monitoring: immutable audit logs of administrative access; security-event monitoring with alerting.
  • Vulnerability management: dependency scanning in CI; security patches applied on a documented cadence.
  • Backup and recovery: rolling 30-day backups; restoration drills conducted at least annually.
  • Personnel screening: background checks for employees with production access (where lawful).
  • Incident response: documented playbook covering detection, containment, eradication, notification, and post-incident review.

Processor may update its security measures from time to time provided the overall level of protection is not materially reduced.


7. Sub-processors

7.1 Authorization

Controller provides a general authorization for Processor to engage sub-processors to assist in providing the Services. The current list of sub-processors is published at https://app.zakatable.org/legal/privacy (the "Sub-processors" section).

7.2 New sub-processors

Processor will give Controller at least 30 days' prior notice of any new sub-processor or material change. Controller may object by notice to [email protected] before the change takes effect; the parties will discuss in good faith. If the objection cannot be resolved, Controller's sole remedy is to terminate the affected Services without refund of pre- paid fees for periods preceding the termination date.

7.3 Sub-processor obligations

Processor will bind each sub-processor by written contract to data- protection obligations no less protective than this DPA. Processor remains liable to Controller for sub-processor performance.


8. Data Subject rights

Where required by applicable law, Processor will, taking into account the nature of the Processing, assist Controller (by appropriate technical and organizational measures, insofar as possible) in responding to Data Subject requests to exercise rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.

If a Data Subject sends a rights request directly to Processor, Processor will (a) not respond substantively except to acknowledge receipt and direct the Data Subject to Controller, and (b) forward the request to Controller within 5 business days.


9. Personal-data breaches

Processor will notify Controller without undue delay and in any event within 72 hours of becoming aware of a personal-data breach affecting Customer Data. The notification will include, to the extent known:

  • the nature and likely consequences of the breach;
  • the categories and approximate number of Data Subjects and records concerned;
  • the measures taken or proposed to address the breach and mitigate adverse effects;
  • a Processor contact for further information.

Processor will cooperate with Controller in good faith on any required regulator notification or Data-Subject communication. Processor's notification of a breach is not, by itself, an acknowledgment of fault or liability.


10. Audits

10.1 Audit reports

Processor will, on Controller's reasonable written request (no more often than annually unless following a breach or regulator request), make available the most recent third-party audit reports or compliance certifications it holds (e.g. SOC 2, ISO 27001 — where applicable).

10.2 On-site audits

Where audit reports are not sufficient to demonstrate compliance with this DPA, Controller may conduct an on-site audit of Processor's facility on at least 60 days' written notice, during normal business hours, no more often than annually (unless following a breach or regulator request), at Controller's cost. The parties will agree audit scope in advance; audits will not unreasonably interfere with Processor's normal operations, must not access other customers' data, and must be conducted by personnel bound by confidentiality.


11. International data transfers

To the extent Processor or its sub-processors transfer Customer Data outside the EEA, UK, or Switzerland to a country not deemed adequate, the parties agree that:

  • (a) the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), Module Two (Controller-to-Processor), are incorporated by reference, with Annexes I and II completed by reference to Schedule A of this DPA;
  • (b) for UK transfers, the UK International Data Transfer Addendum (IDTA, version B1.0) is incorporated by reference; and
  • (c) for Swiss transfers, the SCCs apply with references to "Member State" interpreted as "Switzerland" and supervisory authority as the Swiss Federal Data Protection and Information Commissioner.

Processor will assist Controller in completing any transfer impact assessments where required.


12. Deletion and return of Customer Data

On termination or expiry of the Agreement, Processor will, at Controller's choice, delete or return Customer Data within 30 days of termination, except where retention is required by applicable law (in which case Processor will continue to protect the retained data under this DPA for as long as it is retained).

Processor will provide written confirmation of deletion on Controller's written request.


13. Liability

The parties' liability under this DPA is subject to the limitation-of- liability provisions in the Agreement. Nothing in this DPA limits any liability that cannot be limited by applicable law.


14. Governing law

This DPA is governed by the law of the State of Arizona, except that where applicable data-protection law mandates a different governing law for the protection of Data Subjects, that law applies for that limited purpose.


15. Order of precedence

In case of conflict between this DPA, the Agreement, the SCCs (where applicable), and any other documents: the SCCs prevail (for in-scope transfers); then this DPA; then the Agreement.


16. General

  • Term: This DPA takes effect on the latest signature date and continues for the term of the Agreement.
  • Survival: Sections that by their nature survive termination (Sections 9, 12, 13, 14) survive.
  • Entire agreement on Processing: This DPA, together with the Agreement, constitutes the entire agreement of the parties regarding the Processing of Customer Data and supersedes any prior representations.
  • Severability: If any provision is held unenforceable, the rest remains in effect.
  • Amendments: Amendments require a written instrument signed by both parties.

Schedule A — Description of Processing

A.1 Subject matter of Processing

Provision of the Zakatable software-as-a-service platform under the Agreement, including its administrator portal, community portal, mobile app, AI features, identity verification, EIN verification, OFAC sanctions screening, subscription billing, and ACH disbursements.

A.2 Duration of Processing

For the duration of the Agreement, plus the 30-day post-termination data- return / deletion window described in Section 12, plus any legally mandated retention period for donation records.

A.3 Nature and purpose of Processing

  • Hosting and storing Customer Data within the Services.
  • Routing assistance applications to in-range, eligible organizations.
  • Generating AI-assisted assessments and chat-assistant responses (where enabled).
  • Sending transactional email, SMS, and push notifications.
  • Processing subscription payments and ACH disbursements.
  • Verifying applicant identity (where enabled).
  • Detecting fraud and abuse (rate limiting, sanctions screening, EIN verification).
  • Complying with legal obligations.

A.4 Types of personal data Processed

  • Identification and contact details (names, email addresses, phone numbers, postal addresses).
  • Government-issued identification (when identity verification is enabled — held by our identity-verification provider, not Zakatable directly).
  • Financial information (household income, employment status, bank routing details for disbursements).
  • Demographic information voluntarily provided (household size, marital status, country of origin, language).
  • Application content (free-text descriptions of assistance need, uploaded supporting documents).
  • Communications (in-app messages, AI phone-intake transcripts where enabled).
  • Technical data (IP addresses, device identifiers, browser type, session identifiers).

A.5 Categories of Data Subjects

  • Controller's organization administrators and staff.
  • Controller's volunteers and members.
  • Applicants for assistance from Controller.
  • Recipients of disbursements from Controller.
  • Donors (where Controller uses Zakatable's donor-management features).

A.6 Sub-processors

The categories of sub-processors are described in the Privacy Policy at https://app.zakatable.org/legal/privacy (Section "Sub-processors"). A current list of the specific sub-processors — including each one's purpose and location — is available to the Controller on request to [email protected]. Zakatable will give the Controller at least 30 days' notice before adding or replacing a sub-processor, during which the Controller may object.

A.7 Transfers outside the EEA / UK / Switzerland

Customer Data is hosted in the United States. Sub-processors may Process Customer Data in their respective regions of operation, primarily the United States. Transfers from the EEA, UK, or Switzerland to the United States are made under the EU Standard Contractual Clauses and the UK IDTA as described in Section 11.


Acceptance

This DPA forms part of, and is incorporated by reference into, the Zakatable Terms of Service. By accepting the Terms of Service — or by using the Services — the Controller agrees to and is bound by this DPA; no separate signature is required.

Organizations that require a countersigned copy of this DPA for their own records may request one at [email protected].

Bright Thoughts Technologies, LLC · PO Box 904, Chandler, AZ 85225

Privacy· Terms· Refund· DPA

© 2026 Zakatable