Data Processing Agreement (DPA)
In accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)
Last updated: March 2026
1. Parties
This Data Processing Agreement ("Agreement") is entered into between:
- Data Controller: The organization or entity that subscribes to the MiemBoxApp service ("the Client" or "Controller")
- Data Processor: MiemBoxApp ("the Service Provider" or "Processor"), provider of the SaaS platform
2. Purpose and Scope
The Processor shall process personal data on behalf of the Controller solely for the purpose of providing the MiemBoxApp SaaS platform services, which include:
- Member management and directory services
- Event management and attendance tracking
- Financial management (transactions, bookkeeping, donations)
- Communication services (internal messaging, convocations)
- User account management and authentication
- Reporting and data export
The Processor shall not process the personal data for any purpose other than those described in this Agreement and as instructed by the Controller.
3. Categories of Data Subjects
The personal data processed under this Agreement may relate to the following categories of data subjects:
- Members of the Controller's organization
- Donors and financial contributors
- Users with access to the platform (administrators, treasurers, etc.)
- Event attendees and participants
- Family members associated with organization members
4. Types of Personal Data Processed
| Category | Data Types |
|---|
| Identification | First name, last name, date of birth, tax identification number |
| Contact | Email address, phone number(s), postal address, city, province, postal code, country |
| Financial | Donation amounts, bank transaction details, donor codes, tax certificates |
| Organizational | Membership dates, roles, group assignments, family relationships |
| Authentication | Username, hashed passwords, login timestamps, IP addresses |
| Activity | Event attendance, communication records, audit logs |
5. Obligations of the Processor
The Processor undertakes to:
- a) Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law
- b) Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS/HTTPS)
- Encryption of passwords using industry-standard hashing algorithms
- Multi-tenancy isolation ensuring each organization's data is segregated
- Role-based access controls and permission management
- Audit logging of data access and modifications
- Regular security updates and vulnerability assessments
- d) Not engage another processor without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors
- e) Assist the Controller in responding to requests for exercising the data subject's rights as laid down in Chapter III of the GDPR (access, rectification, erasure, portability, restriction, and objection)
- f) Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor
- g) At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the personal data
- h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR
6. Sub-processors
The Processor currently uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|
| Cloud hosting provider | Infrastructure and data storage | EU |
| Email service provider | Transactional email delivery | EU/US (with appropriate safeguards) |
The Processor shall inform the Controller of any changes to sub-processors, giving the Controller the opportunity to object to such changes.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall:
- Describe the nature of the personal data breach, including the categories and approximate number of data subjects and records concerned
- Communicate the name and contact details of the data protection contact point
- Describe the likely consequences of the breach
- Describe the measures taken or proposed to address the breach
8. Data Retention and Deletion
Personal data shall be retained for the duration of the service agreement. The Processor implements soft-delete mechanisms to allow data recovery in case of accidental deletion. Upon termination of the service:
- The Controller may export all data using the platform's export features before termination
- The Processor shall permanently delete all Controller's data within 30 days of termination, unless legal retention requirements apply
- Financial records (donations, tax certificates) may be subject to legal retention periods as required by applicable tax legislation
9. International Data Transfers
The Processor shall not transfer personal data to a third country or international organization without the prior written consent of the Controller, unless required by Union or Member State law. Where such transfers are necessary, the Processor shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.
10. Data Subject Rights
The platform provides built-in tools to assist the Controller in responding to data subject requests:
- Right of Access: Data export features allow extraction of all personal data
- Right to Rectification: Controllers can edit member, donor, and user records directly
- Right to Erasure: Soft-delete and permanent delete functionality is available
- Right to Data Portability: Excel export is available for all data modules
- Right to Restriction: Status toggles (active/inactive) allow restriction of processing
11. Audits and Inspections
The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor maintains comprehensive audit logs that record all data access and modifications within the platform.
12. Liability
Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Article 82 of the GDPR. The Processor shall be liable for damages caused by processing only where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.
13. Term and Termination
This Agreement shall remain in effect for as long as the Processor processes personal data on behalf of the Controller. The obligations of confidentiality and data protection shall survive termination of this Agreement.
14. Governing Law
This Agreement shall be governed by and construed in accordance with the laws of Spain and the European Union, specifically the GDPR (EU) 2016/679 and the LOPDGDD (Organic Law 3/2018).
15. Contact
For any questions regarding this Data Processing Agreement or data protection matters, please contact the Processor through the platform's support channels.