Data Processing Agreement

Effective Date: April 3, 2026

This Data Processing Agreement (“DPA”) supplements the Terms of Service (“Agreement”) between F&D Ventures LLC, doing business as Tormano (“Processor,” “we,” “us”), and the entity agreeing to the Terms of Service (“Controller,” “Customer,” “you”). This DPA applies to the extent that Processor processes Personal Data on behalf of Controller in connection with the Service.

Section 1: Definitions

“Data Protection Laws” means all applicable laws relating to Personal Data processing, including GDPR, UK GDPR, the Swiss Federal Act on Data Protection, and CCPA/CPRA. “Data Subject” means an identified or identifiable natural person. “Personal Data” means any information relating to a Data Subject processed by Processor on behalf of Controller. “Processing” means any operation on Personal Data. “Sub-processor” means any third party engaged by Processor to process Personal Data on behalf of Controller.

Section 2: Scope and Roles

2.1 Controller determines purposes and means of processing. Processor processes on documented instructions.

2.2 Categories of Data Subjects: contacts, donors, volunteers, company representatives, and other individuals.

2.3 Types of Personal Data: names, emails, phones, addresses, job titles, organization affiliations, donation history, communications, activity logs, and other data entered by Controller.

2.4 Duration: Processing continues for the duration of the Agreement plus the post-termination export period.

Section 3: Processor Obligations

Processor shall: (a) process only on documented instructions; (b) ensure authorized persons are bound by confidentiality; (c) implement appropriate security measures; (d) not engage sub-processors without authorization; (e) assist with Data Subject requests; (f) assist with GDPR Articles 32-36 compliance; (g) delete or return data after service ends; and (h) make compliance information available for audits.

Section 4: Controller Obligations

Controller shall: (a) comply with Data Protection Laws; (b) ensure all necessary consents and legal bases; (c) provide written instructions; (d) not submit Prohibited Data; and (e) notify Processor of data protection concerns.

Section 5: Security Measures

Technical and organizational measures include: TLS 1.2/1.3 encryption, Argon2 password hashing, JWT/RSA-256 authentication, CSRF protection, rate limiting, audit logging, XSS prevention, security headers, fail2ban, daily encrypted backups, Docker container isolation, firewall, and regular security assessments.

Section 6: Sub-Processors

6.1 General authorization granted. Current list in Privacy Policy.

6.2 30-day notice before engaging new sub-processors.

6.3 30-day objection period; Controller may object to a new sub-processor by providing written notice to Processor within 30 days of receiving notification. If Processor cannot reasonably accommodate the objection, Controller may terminate the affected portion of the Service by providing written notice.

6.4 Sub-processor obligations no less protective than this DPA.

Section 7: Data Subject Requests

7.1 Processor notifies Controller promptly.

7.2 Processor assists with technical means for export, correction, or deletion.

7.3 Processor will not respond directly unless instructed.

Section 8: Audits

8.1 Annual audit information upon written request.

8.2 On-site audits at Controller's expense with 30 days' notice.

8.3 Prompt remediation of non-compliance at Processor's expense.

Section 9: Data Breach Notification

9.1 Notification within 72 hours.

9.2 Notification includes: nature of breach, categories/numbers affected, contact details, likely consequences, measures taken.

9.3 Cooperation in investigation and remediation.

Section 10: International Data Transfers

10.1 Data may be transferred to and processed in the United States.

10.2 Transfer mechanisms: EU-U.S. Data Privacy Framework, Standard Contractual Clauses (Decision 2021/914), supplementary measures.

10.3 SCCs Module Two details: Clause 9(a) Option 2 general authorization; Clause 17 Option 1 Ireland governing law; Clause 18(b) Ireland courts.

10.4 UK International Data Transfer Addendum incorporated.

Section 11: Data Retention and Deletion

11.1 30-day export period post-termination.

11.2 Deletion within 90 days after export period (unless legally required to retain).

11.3 Written certification of deletion upon request.

Section 12: GDPR-Specific Provisions

12.1 Processing per Article 28 GDPR; assist with DPIAs (Art. 35) and prior consultation (Art. 36).

12.2 Data protection contact: privacy@tormano.com.

Section 13: CCPA-Specific Provisions

13.1 Processor is a “service provider” under CCPA.

13.2 Processor will not: sell or share Personal Data; use outside the direct business relationship; combine with other sources (except as permitted by CCPA).

13.3 Processor certifies compliance.

Section 14: Liability

14.1 Limitation of Liability. Each party’s total aggregate liability under or in connection with this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement (Terms of Service). For the avoidance of doubt, the liability caps, consequential damages exclusions, and other limitations in the Agreement apply to all claims arising under this DPA, including claims related to data breaches, unauthorized processing, or failure to comply with Data Protection Laws.

14.2 Controller Liability. Controller shall be solely liable for the lawfulness of its processing instructions and the accuracy, quality, and legality of Personal Data provided to Processor. Processor shall have no liability for any claim arising from processing performed in accordance with Controller’s documented instructions.

Section 15: Term and Termination

This DPA remains in effect for the duration of the Agreement and as long as Processor retains any Personal Data. Termination of the Agreement does not release obligations regarding retained data.

Section 16: Precedence

DPA prevails over Agreement for Personal Data processing. SCCs prevail over DPA.

Section 17: Contact

F&D Ventures LLC
Data Protection Contact: privacy@tormano.com
Website: https://tormano.com