Data Processing Agreement

Effective date: 7 May 2025 · Version 1.0 · Regulation: GDPR (EU) 2016/679

Contact: carashelters@gmail.com

This Data Processing Agreement (“DPA”) is entered into between:

DATA CONTROLLER: The animal shelter organisation that has accepted the Cara Shelters Terms of Service (“Shelter” or “Controller”).

DATA PROCESSOR: Cara Shelters, carashelters.ie, Republic of Ireland (“Cara” or “Processor”).

By accepting the Terms of Service, the Controller agrees to the terms of this DPA.

1. Definitions

In this DPA, the following terms have the meanings given to them in GDPR Article 4:

Personal Data: Any information relating to an identified or identifiable natural person.
Data Subject: The individual to whom Personal Data relates.
Processing: Any operation performed on Personal Data.
Controller: The entity that determines the purposes and means of processing Personal Data.
Processor: An entity that processes Personal Data on behalf of the Controller.
Sub-processor: A processor engaged by Cara to process Personal Data on behalf of the Controller.
GDPR: The General Data Protection Regulation (EU) 2016/679 and any applicable national implementing legislation.
Supervisory Authority: The Irish Data Protection Commission (dataprotection.ie).

2. Subject Matter and Duration

This DPA governs the processing of Personal Data by Cara on behalf of the Controller solely for the purpose of providing the Cara Shelters shelter management platform (“Platform Services”).

This DPA is effective from the date the Controller accepts the Terms of Service and remains in force until the earlier of: (a) termination of the shelter’s subscription; or (b) written agreement between the parties to terminate this DPA.

3. Nature and Purpose of Processing

Cara processes Personal Data on behalf of the Controller for the following purposes:

  • Storage and retrieval of adopter and fostering application records.
  • Storage and retrieval of donor records and donation history.
  • Storage and retrieval of volunteer and team member records.
  • Generation, storage, and e-signature collection for adoption contracts.
  • Transmission of email notifications to adopters and donors (where configured by the Controller).
  • Display of anonymised statistics and activity logs to shelter administrators.

Cara will not process Personal Data for any purpose other than providing the Platform Services, unless required to do so by law.

4. Categories of Data Subjects

  • Prospective adopters and fosterers who submit applications through the Controller’s public portal.
  • Donors who make donations through the Controller’s public portal.
  • Volunteers registered in the Controller’s account.
  • Foster carers registered in the Controller’s account.

5. Categories of Personal Data

  • Identification data: full name, email address, telephone number.
  • Address data: home address, city, county, postcode, country.
  • Household information: property type, garden details, presence of children or other pets.
  • Experience information: previous pet ownership, experience level.
  • Consent records: GDPR consent status, timestamp, and IP address at time of consent.
  • Contract data: e-signature (typed name), IP address at time of signing, signing timestamp.
  • Financial data: donation amounts, Stripe payment references (no raw card data is stored by Cara).
  • Animal care history: fostering notes, medical observations entered by shelter staff.

Cara does not intentionally collect special category data (Article 9 GDPR). Shelters must not enter special category data into the platform unless a specific lawful basis applies.

6. Obligations of the Processor (Cara)

Cara shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that all Cara personnel authorised to process the Controller’s Personal Data are subject to a binding obligation of confidentiality.
  • Implement and maintain appropriate technical and organisational security measures in accordance with Article 32 GDPR (see Section 9).
  • Not engage any sub-processor without the prior written consent of the Controller. The Controller consents to the sub-processors listed in Section 8 by accepting these Terms.
  • Assist the Controller in responding to Data Subject rights requests under Articles 15–22 GDPR.
  • Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).
  • At the choice of the Controller, delete or return all Personal Data at the end of provision of services.
  • Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits (see Section 11).
  • Immediately inform the Controller if, in Cara’s opinion, an instruction infringes the GDPR or other applicable data protection law.

7. Obligations of the Controller (Shelter)

The Controller shall:

  • Ensure that all processing of Personal Data carried out through the Platform has a valid lawful basis under GDPR Article 6.
  • Obtain and record valid consent from Data Subjects before collecting their Personal Data through the public portal, where consent is the lawful basis.
  • Maintain and publish an accessible Privacy Policy covering the Controller’s own data processing activities.
  • Respond to Data Subject rights requests within the statutory timeframe (one month under GDPR Article 12).
  • Notify Cara promptly if the Controller becomes aware of any actual or potential breach of Personal Data stored on the Platform.

8. Sub-processors

The Controller grants general authorisation to Cara to engage the following sub-processors. Cara will enter into data processing agreements with each sub-processor that impose equivalent obligations to those in this DPA.

Sub-processor                   Purpose                           Location
Supabase Inc.                   Database hosting, file storage    EU (Ireland)
Stripe Payments Europe, Ltd.    Payment processing                EU (Ireland)
Vercel Inc.                     Application hosting, CDN          Global (EU regions preferred)

Cara will notify the Controller of any intended changes to sub-processors by email with at least 30 days’ notice. If the Controller objects to a new sub-processor, it may terminate the subscription within that 30-day period.

9. Security Measures

In accordance with Article 32 GDPR, Cara implements the following measures:

Technical Measures

  • Encryption of all Personal Data at rest (AES-256 via Supabase).
  • Encryption of all Personal Data in transit using TLS 1.2 or higher.
  • Row-level security policies on the database restricting access to data by organisation.
  • Unique signing tokens (UUIDs) for adoption contract signing links, invalidated on use.
  • IP address logging at time of consent and contract signing for audit purposes.
  • API rate limiting on public-facing endpoints to mitigate abuse.
  • Bcrypt hashing of all user passwords; passwords never stored in plain text.

Organisational Measures

  • Access to production data is restricted to authorised Cara Shelters personnel on a need-to-know basis.
  • All personnel with access to Personal Data are bound by confidentiality obligations.
  • Regular security reviews of the platform codebase.
  • Incident response procedures for data breach detection and notification.

10. Personal Data Breach Notification

In the event of a personal data breach affecting the Controller’s Personal Data, Cara shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected.
  • The name and contact details of Cara’s data protection contact.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach.

The Controller is responsible for notifying the Supervisory Authority (Irish Data Protection Commission) and affected Data Subjects as required by GDPR Articles 33 and 34.

11. Audit Rights

The Controller may, no more than once per calendar year, request written evidence of Cara’s compliance with this DPA by submitting a request to carashelters@gmail.com. Cara shall provide relevant documentation within 30 days.

Where the Controller reasonably requires an on-site audit, the parties shall agree in writing on the scope, timing, and cost before any audit commences. Audits must be conducted in a manner that minimises disruption to Cara’s operations.

12. Transfers Outside the EEA

Cara does not routinely transfer Personal Data outside the European Economic Area. Where Vercel processes request logs on non-EEA infrastructure, this is governed by Vercel’s Standard Contractual Clauses (SCCs) adopted under Commission Decision 2021/914. No other international transfers are made without the Controller’s knowledge.

13. Governing Law

This DPA is governed by the laws of the Republic of Ireland and shall be interpreted in accordance with GDPR (EU) 2016/679. Any dispute arising under this DPA shall be subject to the jurisdiction of the courts of the Republic of Ireland.

14. Contact

Email: carashelters@gmail.com
Website: carashelters.ie