Data Processing Agreement — Template

1. Parties & Definitions

This Data Processing Agreement (“DPA”) is entered into between:

• Processor: SimplyRaffle (operated by [Legal Entity], United States), referred to as “SimplyRaffle” or “Processor.”
• Controller: [Organization Name, Address, Jurisdiction], referred to as “Controller” or “Customer.”

This DPA supplements the SimplyRaffle Terms of Service & Privacy Policy and governs Processor’s processing of Personal Data on behalf of Controller. Defined terms not specifically defined here have the meanings given in GDPR Article 4 (Regulation (EU) 2016/679).

2. Subject Matter and Duration

Subject matter: Processor’s processing of Personal Data necessary to provide the SimplyRaffle raffle platform to Controller, including event setup, participant registration, Magic Link delivery, draw execution, audit-log generation, and post-event reporting.

Duration: This DPA remains in effect for the duration of Controller’s active SimplyRaffle subscription and the post-event retention period defined in Section 9.

3. Nature and Purpose of Processing

Processor processes Personal Data solely to deliver the platform Controller has purchased: hosting Controller’s event, accepting participant entries, sending raffle-related communications (invitations, reminders, draw notifications), executing the random draw, generating an audit log of the draw, and providing Controller with downloadable reports of results.

4. Type of Personal Data and Categories of Data Subjects

Personal Data:

• Controller contact data: organization name, contact name, email address, billing details (processed via Stripe; not stored by Processor)
• Participant data: name, email address, ticket allocations
• Event metadata: event name, dates, prize descriptions, prize photos, organization logo, raffle settings
• Technical data: IP addresses (signup submissions only, retained up to 90 days), draw seed, timestamp, audit log entries
• AI-processed content (conditional on feature use): Where Controller invokes the “Generate from photo” feature, prize photos are transmitted to Google's Gemini API (see Section 8). Where Controller invokes the “Magic Import” feature, organizer-uploaded files (CSV, text, images) are transmitted to Anthropic's Claude API. Where Controller invokes the “Magic Setup Wizard” conversational setup feature, Controller's plain-English event description and clarifying-question answers are transmitted to Google's Gemini API (with Anthropic's Claude API as a fallback when Google is unavailable); only Controller-authored descriptive text is sent, no participant data. Prize photos may incidentally include identifiable individuals, including minors in school-event contexts. Magic Import files may include participant names and email addresses. AI subprocessors process this content solely for the requested generation/extraction/classification task and do not retain it for model training under their commercial API terms.

Data subjects: Controller’s authorized administrators and event participants. Where Controller uses AI features, data subjects may also incidentally include persons depicted in prize photos submitted by Controller.

Processor does not process Special Category data (Article 9), criminal-conviction data (Article 10), or data concerning children under 13 (see Section 12).

5. Processor Instructions and Compliance

Article 28(3)(a): Processor processes Personal Data only on documented instructions from Controller, including with regard to international transfers. Controller’s instructions are set forth in: (a) this DPA, (b) the SimplyRaffle Terms of Service, and (c) Controller’s use of the platform’s administrative controls. If Processor is required by Union or Member State law to process beyond these instructions, Processor will inform Controller of that legal requirement before processing (unless that law prohibits notice on important grounds of public interest).

6. Confidentiality

Article 28(3)(b): Processor ensures that persons authorized to process the Personal Data (including employees, contractors, and authorized subprocessor personnel) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7. Security Measures

Article 28(3)(c) and Article 32: Processor maintains the following technical and organizational security measures. Specific implementations vary by hosting environment (see Section 8); the measures below apply consistently across environments.

• Encryption in transit: TLS 1.2 or higher on all external endpoints. Cloudflare terminates TLS at the edge and re-establishes a Tunnel-encrypted channel to operator-managed origins.
• Encryption at rest: AES-256 encryption applied per environment —
  • Railway (paid tier): Postgres volumes encrypted with Railway provider-managed AES-256.
  • Cloudflare R2 (paid-tenant prize photos and logos): AES-256 with provider-managed keys.
  • Operator-managed infrastructure (Community tier): Filesystem-level encryption (LUKS dm-crypt) on operator-owned hosts. Backups inherit the host's encryption posture.
• No card data: Payment cards are handled exclusively by Stripe (PCI-DSS Level 1 certified); Processor does not store raw card data.
• Access controls: Role-based access to organizer admin interfaces; per-participant Magic Link tokens; admin credentials managed via secure session tokens. Tenant-scoped database credentials enforced at the application layer.
• Tenant data segregation: Segregation is implemented per environment —
  • Railway (paid tier): Each paid tenant runs in its own Railway service with its own dedicated PostgreSQL database. No shared database across paid tenants on Railway.
  • Operator-managed infrastructure (Community tier): Each tenant runs in its own Docker container with its own bind-mounted volume and own PostgreSQL database. Hosts are not shared cross-tenant at the application layer.
  • Cloudflare R2 (paid-tenant uploads): All paid tenants share the production bucket. Per-tenant isolation is enforced at the application layer by always prefixing every object key with the tenant identifier (<tenant-slug>/) through a single helper function. Bucket-level credentials are not scoped per-tenant; tenants do not receive direct R2 credentials. Processor is transparent that this is logical-isolation; Controllers requiring per-tenant IAM-scoped storage credentials should advise Processor before execution.
• Audit logging: Every draw operation is logged with seed, timestamp, initiator, and selected entries.
• Abuse prevention: Rate limiting and IP-based fraud detection on signup; IP addresses retained up to 90 days for security purposes.
• Subprocessor security attestations (see Section 8 for the full list): Stripe is PCI-DSS Level 1 certified. Cloudflare maintains SOC 2 Type II and ISO 27001. Resend maintains SOC 2 Type II. Google LLC (Gemini API) maintains SOC 2/3 and ISO 27001. Anthropic maintains SOC 2 Type II. Microsoft/GitHub maintains SOC 1/2/3 and ISO 27001. Railway is contractually bound under its DPA and is EU-US Data Privacy Framework certified; Railway has not publicly published a current SOC 2 attestation and Processor does not represent that it holds one. Operator-managed infrastructure does not carry third-party security attestations; security measures are as described elsewhere in this Section 7.

8. Subprocessors

Article 28(3)(d) and 28(2): Controller grants Processor general authorization to engage the subprocessors listed below. Subprocessors are organized by category: Universal (engaged for every tenant), Conditional Hosting (one of three is engaged depending on Controller's plan and provisioning), and AI (engaged only when the corresponding optional feature is used).

Universal subprocessors:

• Stripe, Inc. (United States) — payment processing for Controller's subscription fees and Community-tier SetupIntent. PCI-DSS Level 1. EU-US Data Privacy Framework certified. Stripe DPA.
• Resend, Inc. (United States) — transactional email delivery. EU-US Data Privacy Framework certified (March 2025). Resend DPA.
• Cloudflare, Inc. (United States) — CDN, DNS, TLS termination, edge compute (Workers), Cloudflare Tunnel ingress, and Cloudflare R2 object storage (paid-tier prize images and logos, bucket simplyraffle-uploads-prod, key-prefixed by tenant). EU-US Data Privacy Framework certified; Global CBPR and Global PRP certified. SOC 2 Type II + ISO 27001. Cloudflare DPA.
• GitHub, Inc. / Microsoft Corporation (United States) — GitHub Container Registry (GHCR) stores the private application container image deployed to hosting infrastructure. Receives only application binaries and deployment authentication credentials — no Personal Data flows to GHCR. Microsoft EU-US DPF certified. GitHub Privacy Statement.

Conditional hosting subprocessors (which one is engaged depends on Controller's plan):

• Railway Corp. (United States, us-east region) — application hosting and per-tenant PostgreSQL for paid-tier SimplyRaffle tenants (Basic, Starter, Pro, Annual variants). EU-US Data Privacy Framework certified. Railway privacy.
• Operator-managed infrastructure (United States, San Francisco, California) — Community (free) SimplyRaffle tenants are hosted on Processor's own infrastructure at the operator's San Francisco facility, fronted by Cloudflare Tunnel. Per-tenant Docker container with its own PostgreSQL database. This infrastructure does not carry independent third-party security certifications; security measures are as described in Section 7. Data remains within the United States. Paid-tier tenants who specifically require operator-managed infrastructure may be assigned here at provisioning on request. Controller requiring a third-party cloud-hosted deployment for a Community-tier event should advise Processor at signup.

AI subprocessors (engaged only when the corresponding optional feature is used):

• Google LLC (United States) — Gemini API. Engaged in two distinct optional flows: (1) the “Generate from photo” feature using Gemini 2.5 Flash vision model — receives uploaded prize images and a short structured prompt; returns a 1–2 sentence text description; per-tenant usage capped at 20 calls (Community) / 500 calls (paid). (2) the “Magic Setup Wizard” conversational setup feature using Gemini Pro (with Gemini Flash as a same-vendor fallback tier) — receives Controller's plain-English event description and clarifying-question answers; returns a recommended preset, scenario, and extracted configuration values; rate-limited to 25 conversations per IP per minute. No participant data is transmitted in either flow. Google's API terms prohibit use of submitted content to train models; payloads retained ≤ 30 days for abuse monitoring only. EU-US DPF certified. Google Cloud DPA.
• Anthropic, PBC (United States) — Claude Sonnet API. Engaged in three distinct optional flows: (1) the “Magic Import” smart-extract feature to parse an uploaded participant roster (CSV, text, image) — receives the uploaded file content; returns structured participant data; per-tenant usage capped at 100 calls lifetime. (2) the “Audit Import” data-quality review feature — receives the already-parsed participant, prize, and entry records (no raw file content); returns a list of detected issues (duplicates, invalid data, outliers) and a one-sentence summary; per-tenant usage capped at 5 audits per hour. (3) the “Magic Setup Wizard” conversational setup feature, Claude Sonnet 4.6 acting as a fallback model when Google's Gemini tiers are unavailable — receives Controller's plain-English event description and clarifying-question answers; returns a recommended preset, scenario, and extracted configuration values; rate-limited to 25 conversations per IP per minute. No participant data is transmitted in flows (2) or (3). In all flows Anthropic's API terms prohibit use of submitted content to train models; payloads retained ≤ 30 days for trust-and-safety review. Anthropic Commercial Terms.

Onward transfers: Each subprocessor's onward processing is governed by their own DPA, which incorporates EU SCCs Module 3 (processor-to-subprocessor) where applicable. Processor flows the same data-protection obligations to subprocessors as imposed on Processor by this DPA.

Subprocessor change notice: For Universal subprocessors, Controller's general authorization extends to changes notified by at least 30 days' advance written notice. For Conditional Hosting subprocessors, Controller's authorization is specific to the platforms listed above; changes within this category (e.g., adding a fourth hosting target) require at least 14 days' written notice. For AI subprocessors, Controller's authorization extends to the named vendors only; replacing or adding a new AI vendor requires at least 30 days' notice. Controller may object to a new subprocessor within the applicable notice period; if the objection cannot be resolved, Controller may terminate the affected services without penalty. Controller acknowledges that objecting to a Conditional Hosting or AI subprocessor may limit or eliminate availability of the associated feature or provisioning tier.

9. Data Subject Rights Assistance

Article 28(3)(e): Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling Controller’s obligation to respond to requests from data subjects exercising their GDPR Chapter III rights (access, rectification, erasure, restriction, objection, portability).

Processor responds to verified data-subject requests sent to [email protected] within Article 12(3)’s one-month window. If a request is received directly by Processor but pertains to data Processor processes on behalf of Controller, Processor will forward the request to Controller without undue delay.

10. Assistance with Security, DPIAs, and Breach Notification

Article 28(3)(f) and Article 33-34: Processor will:

• Provide Controller with reasonable information needed to demonstrate Controller’s compliance with Article 32 (security) on request
• Assist with Controller's Data Protection Impact Assessments (DPIAs) under Article 35 by providing information about Processor’s processing, security measures, and subprocessors
• Notify Controller of a personal data breach affecting Controller's data without undue delay after Processor becomes aware of it, and in any event within 72 hours of awareness. "Awareness" means actual knowledge by Processor's operator that a breach has occurred, whether through (a) observation in platform or application logs, (b) notification from a subprocessor, or (c) report from Controller or a data subject. Processor relies on each subprocessor's own breach-notification timeline as the upstream input to its own clock. Processor does not currently operate a centralized SIEM or 24/7 SOC; detection capability is commensurate with a small-organization processor and is limited to operator review of platform-native logs and subprocessor alerts. Controllers requiring shorter notification SLAs or third-party-attested monitoring should evaluate that gap before electing SimplyRaffle for their event. Notification will include, to the extent then known: the nature of the breach, the categories and approximate number of data subjects and records concerned, the contact details of Processor's privacy contact, the likely consequences, and the measures taken or proposed.

11. Retention, Return, and Deletion of Data

Article 28(3)(g): Upon termination of Controller’s services with Processor (or earlier on Controller's documented request), Processor will, at Controller's election, either delete or return all Personal Data and existing copies, except to the extent applicable law requires storage of the Personal Data.

Retention modes during active engagement. Processor's platform supports two retention configurations:

• Auto-Delete mode (default): Event data (organizer contact information, participant roster, draw records, audit logs) is retained for the duration of the event plus 45 days, then permanently deleted from production systems. Backups containing this data are retained for an additional 30 days, then permanently overwritten.
• Retain mode (Controller-selected): The automatic 45-day deletion is suspended. Event data persists until Controller's documented deletion request, account closure, or termination of this DPA. Controller, as data controller, bears responsibility for ensuring this mode complies with applicable data minimization and storage limitation obligations (including GDPR Article 5(1)(e), CCPA, and any sector-specific requirements).

The retention mode applicable to Controller's account is identified in Controller's admin settings and, where material to Controller's compliance posture, may be specified as an annex to this DPA. Processor will confirm the active retention mode upon request.

For Community (free) tier accounts that go inactive: a reminder email is sent, followed by a grace period, then permanent deletion of the account and all associated data, regardless of configured retention mode.

On Controller’s documented request, Processor will provide an export of Controller’s data in a structured, commonly-used format (CSV) before deletion, where technically feasible.

Processor certifies deletion on Controller's written request.

12. Audit Rights

Article 28(3)(h): Processor will make available to Controller all information necessary to demonstrate compliance with the obligations in this DPA. On reasonable prior written notice (minimum 30 days), Controller may conduct an audit, at Controller’s expense, of Processor’s compliance with this DPA. Processor may satisfy this obligation by providing Controller with the relevant portions of its most recent third-party security audit, where applicable. Audit cooperation shall not unduly disrupt Processor’s normal business operations and shall be limited to one audit per calendar year except where a breach has occurred or regulatory inquiry is pending.

13. Children's Data (COPPA)

Processor does not knowingly collect personal information from children under 13. Controller represents and warrants that, where Controller’s event involves participants under 13 (e.g., school events), Controller has obtained verifiable parental consent before submitting any child’s personal information through the platform. If Processor becomes aware of unsolicited child data in its systems, Processor will delete it without undue delay and notify Controller.

AI features and incidental imagery: Where Controller's events involve participants or settings where minors may be present (e.g., school events, youth organization events) and Controller uses the AI prize-description feature (Google Gemini, see Section 8), Controller represents that it has assessed and complied with all applicable legal requirements regarding transmission of imagery that may incidentally capture minors to a third-party AI processor, including without limitation COPPA, FERPA (where applicable to educational records), and any applicable state student-data-privacy laws. If Controller's institutional policies or applicable law prohibit transmission of images that may contain minors to AI services, Controller should not use the AI prize-description feature for those events; descriptions can be entered manually without invoking any AI processing.

14. International Data Transfers

All personal data is processed in the United States. Processor does not transfer personal data outside the US. Where Controller is established in the EU/EEA, UK, or Switzerland, transfers from Controller to Processor and onward to subprocessors are subject to the following safeguards:

• Primary mechanism (Controller-to-Processor): EU-US Data Privacy Framework (DPF) Article 45 adequacy decision, where applicable.
• Fallback mechanism (Controller-to-Processor): The EU Standard Contractual Clauses adopted by Commission Decision (EU) 2021/914 of 4 June 2021 are hereby incorporated by reference. Module 2 (Controller-to-Processor) applies.
• Onward transfers to subprocessors (Section 8), per subprocessor:
  • Stripe, Resend, Cloudflare, Railway, Google LLC (Gemini), Microsoft/GitHub: EU-US DPF (primary, where each maintains active certification) + SCCs Module 3 (fallback), via each subprocessor's published DPA.
  • Anthropic, PBC (Claude): SCCs incorporated into Anthropic's commercial terms. Anthropic is not currently DPF-certified as of the date of this DPA; Processor monitors Anthropic's DPF status and will update this section upon certification.
  • Operator-managed infrastructure (San Francisco): No third-party transfer occurs. Data remains within the United States on Processor's own infrastructure; Module 2 SCCs between Controller and Processor (as above) govern.
• UK transfers: The UK International Data Transfer Addendum (IDTA) to the EU SCCs is hereby incorporated by reference for UK-originating data.
• Swiss transfers: The EU SCCs apply with references to GDPR construed as references to the Swiss FADP and references to the EU Commission construed as references to the Swiss FDPIC.

15. Liability

Each party’s liability under this DPA is subject to the limitation-of-liability provisions in the underlying SimplyRaffle Terms of Service. Where the SCCs include their own liability provisions (Clauses 12 of the EU SCCs), those provisions apply to the transfers governed by them.

16. Term and Termination

This DPA takes effect when signed and remains in force for the duration of Controller’s relationship with Processor plus the retention period in Section 11. Either party may terminate the underlying Terms of Service in accordance with their provisions; this DPA terminates with them, subject to the deletion obligations in Section 11.

17. Governing Law

This DPA is governed by the laws of the State of California, USA, except that for transfers governed by the EU SCCs, the governing-law provisions of the SCCs themselves (Clause 17, designating the law of an EU Member State) prevail. For UK SCCs, the laws of England & Wales prevail for those transfers.

18. Signatures

Attorney review note: This template is provided in good faith based on Article 28 GDPR, EU SCCs (Commission Decision 2021/914), and standard SaaS-processor practice. SimplyRaffle recommends that institutional Controllers have this DPA reviewed by their data-protection or legal counsel before execution. The final executed version will incorporate the EU SCCs by direct attachment or by reference, depending on Controller’s preference.