Data Processing Addendum
Data-processing terms for customer-controlled CRM data, including controller/processor roles, confidentiality, incident notice, export, deletion, legal requests, and CRM compliance responsibilities.
For donor and organization records, the customer generally decides what data is collected, why it is collected, who may access it, and how it is used. Do Good Labs processes that data to provide the CRM according to customer configuration and instructions.
Do Good Labs acts as a processor, service provider, or similar role for customer-controlled CRM data, depending on the applicable privacy law. We do not use customer-controlled donor data for unrelated advertising, resale, or independent profiling.
Do Good Labs processes customer-controlled CRM data to provide, secure, support, maintain, troubleshoot, and improve the service; to follow customer configuration choices; and to comply with applicable law.
Do Good Labs uses reasonable technical and organizational safeguards, including encrypted connections, authenticated access, organization separation, role-based permissions, monitoring, backups, and administrative controls appropriate for a cloud CRM.
Customer data, donor data, account configuration, imports, files, and nonpublic CRM activity are treated as confidential. Do Good Labs personnel and service providers access it only for authorized business purposes.
Do Good Labs uses service providers for hosting, database storage, backups, payments, email delivery, analytics, security, AI features, support, file handling, and integrations. Providers are given access only as needed to perform their services.
If Do Good Labs determines that a security incident has affected customer data, it should notify affected customers without unreasonable delay, consistent with legal obligations, security needs, and available facts.
Do Good Labs will reasonably assist customers with data access, correction, deletion, export, security, and privacy requests related to customer-controlled CRM data when the request cannot be completed directly in the product.
Upon reasonable request or account termination, customers can export key CRM data. Do Good Labs may delete or de-identify customer data after the account ends, subject to backups, audit logs, legal obligations, security, and dispute-resolution needs.
Do Good Labs may disclose information when required by law, subpoena, court order, or government request, or when necessary to protect rights, safety, security, users, customers, or the service. When appropriate, customers should be notified unless prohibited by law.
Customers are responsible for complying with email, SMS, telemarketing, fundraising, donor consent, unsubscribe, sender identity, and suppression-list laws. The CRM may provide tools, but customers decide what to send and to whom.
Receipt, acknowledgment, DAF, gift-in-kind, and tax-document tools are provided to help organize customer workflows. Customers are responsible for legal accuracy, required disclosures, jurisdiction rules, and professional review where needed.
Customers are responsible for the accuracy and lawfulness of imported data. Import matching, duplicate detection, pending changes, AI prompts, and undo tools are designed to help reduce mistakes, but customers must review important changes.
Current legal policies are linked from login, account setup, and the legal center. Material policy changes will be communicated through the app, email, or another reasonable notice method.
Customers may have obligations under state, federal, international, or sector-specific privacy laws depending on their donors, location, and activities. Do Good Labs can support product workflows, but customers remain responsible for their own legal compliance.