Data Processing Addendum

Last updated April 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you (the "Controller") and Custodia (the "Processor") and applies whenever Custodia processes personal data on behalf of the Controller.

1. Roles and scope

The Controller determines the purposes and means of processing. Custodia processes personal data only on documented instructions from the Controller, including the operation of the Service as configured by the Controller.

2. Categories of data

Personal data processed includes: account holder names and emails, volunteer contact information, RSVP details, audit log identifiers, and any personal data the Controller chooses to upload (for example, in field notes).

Categories of data subjects: stewards, volunteers, event attendees, and individuals referenced in user-uploaded content.

3. Subprocessors

The Controller authorizes Custodia to engage subprocessors (cloud hosting, email delivery, payment processing). Custodia maintains a current list of subprocessors and will provide reasonable notice before engaging new ones, allowing the Controller to object on reasonable grounds.

4. Security measures

Custodia implements appropriate technical and organizational measures, including encryption at rest and in transit, role-based access control, audit logging, and regular vulnerability scanning. See our Security page for details.

5. Data subject rights

Custodia provides tooling that allows the Controller to fulfill data subject access, correction, export, and deletion requests within statutory timeframes.

6. International transfers

Where personal data is transferred outside its origin jurisdiction, Custodia relies on Standard Contractual Clauses or other lawful transfer mechanisms.

7. Breach notification

Custodia will notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach affecting Controller data.

8. Audits

Custodia will make available information necessary to demonstrate compliance with this DPA and, on reasonable notice, allow audits conducted by the Controller or a mutually agreed third party.

9. Return or deletion

Upon termination, Custodia will, at the Controller's choice, return or delete personal data within 90 days, except where retention is required by law.