Towershift
?

Data Processing Agreement

Last updated: 28 March 2026

1. Parties and roles

This Data Processing Agreement ("DPA") forms part of the Terms of Service between:

  • Data Controller — the organisation that creates an account and manages volunteer data through Towershift
  • Data Processor — Towershift, which processes personal data on behalf of the organisation

2. Scope of processing

We process personal data solely to provide the Service, including:

  • Storing and displaying volunteer profiles and contact details
  • Managing event signups, assignments, and attendance records
  • Sending communications (SMS, email) on behalf of the organisation
  • Generating reports and analytics for organisation administrators
  • Processing payments for subscriptions and SMS credits

3. Categories of data

The categories of personal data processed are described in Section 2 of our Privacy Policy.

4. Data subjects

The personal data relates to volunteers, temporary volunteers, and administrators who are members of the organisation.

5. Our obligations

As data processor, we will:

  • Process personal data only on the documented instructions of the organisation (i.e. through normal use of the Service)
  • Ensure that persons authorised to process the data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures (see our Privacy Policy, Section 8)
  • Not engage sub-processors without prior notice; our current sub-processors are listed at /dpa/sub-processors
  • Assist the organisation in responding to data subject access requests through the built-in data export feature
  • Delete or return all personal data upon termination of the Service, at the organisation's choice
  • Make available information necessary to demonstrate compliance with these obligations

6. Organisation obligations

As data controller, the organisation will:

  • Ensure it has a lawful basis for collecting and processing volunteer personal data
  • Inform volunteers about how their data is used (we recommend linking to our Privacy Policy in your organisation's welcome message)
  • Handle data subject requests from their volunteers

7. Data location

All data is stored on infrastructure hosted in Australia. Some sub-processors may process data in other jurisdictions as described in our Privacy Policy.

8. Data breach notification

In the event of a personal data breach, we will notify the affected organisation without undue delay (and in any event within 72 hours of becoming aware) and provide information about the nature of the breach, the data affected, and the measures taken.

9. Duration and termination

This DPA applies for as long as we process personal data on behalf of the organisation. Upon termination, we will delete all personal data within 30 days unless retention is required by law.

10. Contact

For DPA-related inquiries, contact us at privacy@towershift.app.