Introduction
This Data Processing Addendum ("DPA") forms part of the agreement governing Customer's use of the Services (the "Agreement") between Whitelabel AI Corporation (d/b/a Whitelabel AI), 823 Congress Ave, Austin, TX 78701, USA ("Whitelabel", "Processor", "we") and the entity agreeing to the Agreement ("Customer", "Controller", "you").
This DPA applies to Whitelabel's Processing of Personal Data in Customer Content on Customer's behalf in connection with the Services.
Definitions
1.1 "Applicable Data Protection Laws" means all data protection and privacy laws applicable to the Processing under this DPA, including where applicable: EU GDPR, UK GDPR and the UK Data Protection Act 2018, Swiss data protection law, and applicable U.S. state privacy laws.
1.2 "Customer Content" means data, documents, prompts, inputs, files, messages, or other content submitted to or made available to the Services by or on behalf of Customer, including End User content.
1.3 "End Users" means Customer's authorized users of the Services (including Customer employees, contractors, volunteers, agents, and Customer's end users, such as donors, supporters, and constituents, where applicable).
1.4 "Personal Data" means any information that constitutes "personal data" / "personal information" under Applicable Data Protection Laws that is included in Customer Content and Processed by Whitelabel on Customer's behalf.
1.5 "Process" / "Processing" has the meaning given under Applicable Data Protection Laws and includes collecting, recording, storing, organizing, using, disclosing, transmitting, or deleting Personal Data.
1.6 "Subprocessor" means any third party engaged by Whitelabel to Process Personal Data on Whitelabel's behalf to provide the Services.
1.7 "Security Incident" means a Personal Data Breach involving Personal Data Processed under this DPA.
1.8 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.9 "De-Identified Data" means data derived from Customer Content (including from Personal Data) that has been processed so that it can no longer reasonably be used to identify, relate to, describe, or be linked to, directly or indirectly, a particular individual, the Customer, or any Data Subject, and that Whitelabel: (i) maintains and uses only in de-identified or aggregated form; (ii) subjects to technical and organizational measures and internal business processes that prohibit re-identification and prohibit linking the data back to any individual, Data Subject, or Customer; and (iii) commits not to attempt to re-identify, except solely to test that the de-identification is effective.
1.10 "Aggregated Data" means De-Identified Data that has been combined or summarized across multiple individuals, Data Subjects, and/or Customers such that it does not reveal, and cannot reasonably be linked to, information about any individual, Data Subject, or Customer.
Capitalized terms not defined here have the meanings in the Agreement.
Roles and scope of Processing
2.1 Controller / Processor. Customer is the Controller of Personal Data in Customer Content. Whitelabel is a Processor and will Process such Personal Data only on Customer's documented instructions, as described in this DPA and the Agreement.
2.2 Whitelabel as an independent controller. Whitelabel may act as an independent controller for limited Personal Data relating to Customer's administrators and contacts (e.g., billing, account administration, security communications). That processing is governed by Whitelabel's Privacy Policy, not this DPA.
2.3 Payments out of scope. Payment card data for transactions processed through the Services is handled by Whitelabel's payment processor(s) (for example, Finix) and their acquiring banks, with Whitelabel or its payment partner acting as merchant of record. Such payment card data is not Customer Content under this DPA, and Customer must not submit payment card data into the Services (see Section 4.2).
2.4 Details of Processing. The subject matter, nature, purpose, categories of Personal Data, categories of Data Subjects, and duration of Processing are described in Annex 1.
Customer instructions
3.1 Documented instructions. Customer's documented instructions include: (i) this DPA; (ii) the Agreement; and (iii) Customer's configuration and use of the Services.
3.2 Additional instructions. Additional instructions outside the scope of the Agreement must be agreed in writing and may be subject to additional fees.
3.3 Unlawful instructions. Whitelabel will inform Customer if Whitelabel reasonably believes an instruction violates Applicable Data Protection Laws.
Customer responsibilities
4.1 Lawful basis and transparency. Customer is responsible for (i) providing required notices to Data Subjects, (ii) obtaining any required consents, and (iii) ensuring a lawful basis for Processing. Where Customer uses the Services to conduct AI-assisted or personalized outreach to its donors, supporters, or other end users, Customer is responsible for disclosing that use to those individuals as required by Applicable Data Protection Laws.
4.2 Sensitive data. Unless expressly agreed in writing, Customer will not submit: (i) payment card data (PCI), (ii) government ID numbers, (iii) biometric templates, or (iv) other highly sensitive identifiers not required for the Services. If Customer submits special category data / sensitive personal data, Customer is responsible for ensuring appropriate legal basis and safeguards.
4.3 Security configuration. Customer is responsible for securing access credentials, enabling available security features (e.g., SSO/MFA where provided), and managing End User permissions.
Whitelabel obligations as Processor
5.1 Purpose limitation. Whitelabel will Process Personal Data only to provide, maintain, secure, and support the Services; to comply with law; and as otherwise permitted by the Agreement and this DPA.
5.2 Confidentiality. Whitelabel will ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations.
5.3 Assistance. Whitelabel will provide reasonable assistance to Customer in responding to Data Subject requests and regulatory inquiries relating to Processing under this DPA, to the extent required by Applicable Data Protection Laws and as described in Section 9.
5.4 No training on Customer Content; permitted use of De-Identified and Aggregated Data.
- (a) Whitelabel will not use Customer Content (including Personal Data in Customer Content) to train or fine-tune generalized or foundation AI models.
- (b) Whitelabel may create De-Identified Data and Aggregated Data from Customer Content and may use such data to operate, maintain, secure, evaluate, benchmark, and improve the Services and Whitelabel's other products and services, including to develop analytics, insights, and models and to derive cross-customer trends, provided that: (i) the data meets the De-Identified Data standard in Section 1.9 before any such use; (ii) Whitelabel does not attempt to re-identify it, except solely to test that de-identification is effective; (iii) Whitelabel does not disclose it in any form that identifies, or could reasonably be used to identify, any Customer, Data Subject, or individual; and (iv) such use is consistent with Applicable Data Protection Laws.
- (c) For clarity, nothing in this Section permits Whitelabel to use identifiable Personal Data of one Customer's Data Subjects for the benefit of another Customer, or to build, sell, or offer any product or service that targets or solicits identifiable individuals across Customers. Any such use would require separate, opt-in authorization from the relevant Customers and an appropriate lawful basis and notice to Data Subjects.
Security measures
6.1 Technical and organizational measures (TOMs). Whitelabel will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against Security Incidents. A summary is provided in Annex 2.
6.2 Encryption. Whitelabel uses encryption in transit and at rest for in-scope systems, consistent with industry standards.
6.3 Trust Center. Additional information about Whitelabel's security controls and frameworks is available at https://trust.whitelabel.ai/ or by contacting trust@whitelabel.ai.
Subprocessors
7.1 Authorization. Customer provides a general authorization for Whitelabel to engage Subprocessors to Process Personal Data to provide the Services.
7.2 Subprocessor obligations. Whitelabel will enter into written agreements with Subprocessors imposing data protection obligations that are no less protective than those in this DPA, as required by Applicable Data Protection Laws. Whitelabel remains responsible for Subprocessor performance under this DPA.
7.3 Subprocessor list and updates. Whitelabel maintains a list of Subprocessors (the "Subprocessor List") available via the Trust Center or upon request. Whitelabel will provide notice of material changes to Subprocessors where required by Applicable Data Protection Laws and/or the Agreement, and Customer may reasonably object on data protection grounds within a reasonable period after notice. If the parties cannot resolve the objection in good faith, Customer may discontinue the affected feature or terminate that portion of the Services, subject to the Agreement.
7.4 Core Subprocessors (illustrative). Whitelabel currently relies on: Amazon Web Services (AWS) for cloud hosting and infrastructure; PostHog for product analytics; OpenAI for model inference via API (where enabled/configured by Customer); and Finix for payment processing (as merchant of record / payment facilitator). See Annex 3 for a starter list; the Trust Center / Subprocessor List is the authoritative list.
Note on OpenAI: OpenAI states that, by default, it does not use business/API inputs or outputs to train or improve its models, and that business data is encrypted in transit and at rest.
International transfers
8.1 Processing locations. By default, Customer Content is Processed in the United States and other locations where Whitelabel or its Subprocessors operate, unless otherwise agreed in writing.
8.2 Transfer safeguards. Where Applicable Data Protection Laws restrict transfers of Personal Data to a third country, the parties will rely on an approved transfer mechanism (e.g., the EU Standard Contractual Clauses and/or the UK International Data Transfer Addendum) and supplementary measures where required. If needed, Whitelabel will make available applicable transfer terms upon request.
Data Subject requests and regulatory assistance
9.1 Data Subject requests. If Whitelabel receives a request from a Data Subject relating to Personal Data Processed under this DPA, Whitelabel will (to the extent legally permitted) direct the Data Subject to Customer and notify Customer without undue delay. Whitelabel will not respond substantively unless legally required or authorized by Customer.
9.2 Assistance. Taking into account the nature of Processing, Whitelabel will provide reasonable assistance to Customer to enable Customer to respond to requests to exercise Data Subject rights (access, deletion, correction, restriction, portability, objection) and to conduct DPIAs where required.
Security incident notification
10.1 Notice. Whitelabel will notify Customer without undue delay after becoming aware of a Security Incident and, where feasible, within 48 hours.
10.2 Information. Whitelabel's notice will include, to the extent available: (i) a description of the incident; (ii) categories and approximate number of affected Data Subjects and records (if known); (iii) likely consequences; and (iv) measures taken or proposed to mitigate. Whitelabel will provide updates as additional information becomes available.
Deletion and return
11.1 During the term. Customer may delete Customer Content via the Services where supported.
11.2 Upon termination. Following termination or expiration of the Services, Whitelabel will delete or return Personal Data in Customer Content in accordance with the Agreement, except to the extent retention is required by law or for legitimate archival/backup purposes. Where data remains in backups, it will be isolated and protected and deleted in accordance with Whitelabel's backup retention cycles. De-Identified Data and Aggregated Data created in accordance with Section 5.4 are not subject to return or deletion.
Audits and information rights
12.1 Security documentation. Upon written request, Whitelabel will provide reasonable documentation demonstrating compliance with this DPA (e.g., summaries of security controls, third-party reports where available, and relevant policies), subject to confidentiality.
12.2 Audit. To the extent required by Applicable Data Protection Laws, Customer may conduct an audit of Whitelabel's relevant controls no more than once per 12-month period, on reasonable notice, during normal business hours, subject to: (i) confidentiality obligations; (ii) scope limitations to protect other customers and Whitelabel's security; and (iii) reasonable cooperation and cost allocation as set out in the Agreement.
U.S. state privacy terms (service provider / processor)
To the extent Applicable Data Protection Laws include U.S. state privacy laws (e.g., CCPA/CPRA and similar laws), Whitelabel will:
- (a) Process Personal Data only to provide the Services and as otherwise permitted by the Agreement;
- (b) not "sell" or "share" Personal Data (as those terms are defined under such laws);
- (c) not retain, use, or disclose Personal Data outside the direct business relationship with Customer except as permitted by law;
- (d) implement reasonable security procedures and practices; and
- (e) upon Customer's request, provide information reasonably necessary to help Customer complete privacy impact assessments and respond to consumer requests, consistent with Section 9.
De-Identified Data and Aggregated Data created and used under Section 5.4 are intended to meet the "deidentified" standard under applicable U.S. state privacy laws and are not "sold" or "shared."
Order of precedence
If there is any conflict between this DPA and the Agreement regarding Processing of Personal Data in Customer Content, this DPA will control. If the parties execute transfer terms (e.g., SCCs/IDTA), those terms will control for international transfer issues.
Contact
Privacy and trust: trust@whitelabel.ai
Support: support@whitelabel.ai
Address: Whitelabel AI Corporation (d/b/a Whitelabel AI), 823 Congress Ave, Austin, TX 78701, USA.
Annex 1: Details of Processing
- Subject matter: Provision of the Services (AI assistants/agents, donor engagement and personalized outreach, knowledge workflows, analytics, and related platform features).
- Nature of Processing: Hosting, storing, organizing, transmitting, retrieving, analyzing, enriching, and generating outputs from Customer Content; administering accounts; providing customer support; security monitoring; usage measurement.
- Purpose(s): Provide, maintain, secure, and support the Services; prevent fraud/abuse; comply with legal obligations.
- Categories of Data Subjects: Customer End Users; Customer's end users/constituents (including donors and supporters) where Customer deploys the Services externally; Customer contacts/admins (separately governed where Whitelabel is controller).
- Categories of Personal Data: Determined by Customer; may include identifiers (name, email), account/user IDs, donor/supporter contact details and engagement history, device and usage metadata, and unstructured text provided through chats, uploads, or integrations. Excludes payment card data, which is handled by the payment processor (Section 2.3).
- Special category / sensitive data: Only to the extent Customer chooses to include such data in Customer Content.
- Duration: For the term of the Agreement plus any limited period required for support, compliance, dispute resolution, and backups as described in Section 11.
Annex 2: Security measures
Whitelabel maintains security controls designed to protect Customer Content and Personal Data, including:
- access controls (role-based access, least privilege, periodic reviews)
- MFA for remote administrative access
- encryption in transit and at rest
- logging and monitoring, intrusion detection, and alerting
- secure SDLC and change management controls
- vulnerability scanning and remediation processes
- incident response procedures and testing
- data retention and disposal procedures
- organizational policies (training, confidentiality, background checks where appropriate)
Additional detail and control mappings may be provided via the Trust Center (https://trust.whitelabel.ai/) or upon request to trust@whitelabel.ai.
Annex 3: Subprocessors
We use a limited number of trusted third-party service providers ("Subprocessors") to help us deliver and operate our services. These Subprocessors may process personal data on our behalf solely for the purposes described below and in accordance with this DPA.
We do not list internal productivity, HR, finance, or developer tools that process only employee data or do not involve customer personal data. An up-to-date list can be found on our Trust Center, where you can also sign up for updates.
We may update this list from time to time. If we add or replace a Subprocessor that processes customer personal data, we will provide advance notice in accordance with this DPA and allow customers to object where required by law.
Questions about our use of Subprocessors: privacy@whitelabel.ai
Questions about this document? Email privacy@whitelabel.ai. This page reproduces the current policy for convenience; where it differs from your signed agreement, the agreement controls.
