Legal

Data Processing Agreement

Last updated: July 2026

Some engagements involve RAEFORM processing data on a client's behalf: donor records, applicant data, spreadsheets, or systems we're asked to rebuild or maintain. This page describes the baseline terms that apply in that situation. A specific engagement may layer additional terms on top of this baseline in its own agreement.

Roles

In this context, the client is the data controller: they decide what data is collected and why. RAEFORM acts as a data processor: we handle that data only to deliver the agreed work, and only on the client's documented instructions.

What we commit to

  • Process client data only for the purpose of the engagement, not for our own unrelated purposes.
  • Keep client data confidential and restrict access to team members who need it for the work.
  • Use reasonable technical and organizational measures to protect data against unauthorized access, loss, or disclosure.
  • Notify the client without undue delay if we become aware of a security incident affecting their data.
  • Delete or return client data at the end of an engagement, at the client's direction, unless we're required to retain it by law.

Subprocessors

Where a project requires third-party infrastructure (hosting, database, email delivery, or similar), we choose providers with their own security commitments and only pass along the data needed for that specific function.

Engagement-specific terms

This page describes our default approach. Clients with specific compliance requirements (a particular regulatory framework, a grant funder's data terms, etc.) should raise it during scoping so we can address it in the engagement's signed agreement.

Contact

Questions about how a specific engagement handles data can be sent to raeformtoday@gmail.com.

Copy away. Great ideas deserve to inspire.