Data Protection Terms

We recognise that your data is important. These provisions apply to how we treat your data in order to comply with the relevant data protection legislation.

We are registered on the Data Protection Public Register, under number: ZA188315. To find out more about the Data Protection Register, visit the Information Commissioner's Office website at

In addition to words and phrases previously defined in our Terms, terms shall be as defined in the General Data Protection Regulation (GDPR) as amended from time to time.

This document should be read alongside our Privacy Policy.

Data Controller And Data Processor

In order to provide our services, Benefacto acknowledges that we are required to process personal data. Benefacto may be both a Data Controller and Data Processor, depending on the service.

Benefacto as a Data Controller

We are the Data Controller for activities surrounding VolunteerHub, where we collect data and use it for the purposes of organising volunteering and reporting details of this activity back to our corporate members.

Where Benefacto provides a service where we are the data controller, we acknowledge and agree that we shall comply with the relevant data protection legislation with respect to all such personal data.

Benefacto as a Data Processor

For our DataHub and GivX services, we are the Data Processor, and the Benefacto Member is the Data Controller.

In this case, the Benefacto Member is using our digital tools to collect and report data.

In the case we are a Data Processor we confirm we will support the Data Controller by:

  • taking into account the nature of any processing, take all reasonable steps to assist you by appropriate technical and organisational measures, insofar as this is possible, for you to fulfil your obligation to respond to requests for exercising the data subject's rights;
  • at your written request, we shall take all reasonable steps to assist you in meeting your obligations as a Data Controller taking into account the nature of our processing of the personal data and the information available to us;
  • only process your personal data in accordance with our terms or your documented instructions (which may be given by email), unless required to do so by law. If we consider in our reasonable opinion that any of your instructions infringe relevant data protection legislation we shall notify you and shall not be required to comply with any such instruction.

Data Storage

We store data in the following places:

  • Webserver: Benefacto’s web-platform is hosted by Siteground and based in London.
  • Company Email: Our email system is hosted by GSuite (Google) and while their web-servers are located across the world, they have outlined compliance with GDPR.
  • Mailing System: Our website is integrated with Klaviyo’s email system which is based in the United States. As of January 2018 Klaviyo has confirmed their intent to comply with GDPR.
  • FileSharing: We use Tresorit to share files within our company and maintain backups using end-to-end encryption. Tresorit use datacentres in the EU and comply with GDPR.
  • Backup System: We use BackBlaze to keep a continuous back-up of our Data. They are based in the United States but have outlined compliance with GDPR, including engaging UK counsel to prepare for it.
  • Local Storage: We also hold copies of the data required to run our organisation on our local computer systems. Our computer systems are encrypted using FileVault and use alphanumeric passwords.

Access To Personal Data Within Benefacto

Notwithstanding the wide-ranging contacts and opportunities that Benefacto provides, it is a small company with fewer than 12 employees. All employees have had data protection training and receive regular updates on data protection and related activities, such as security. All of our employees have access to our databases in order to perform our services.

We do not permit any other third party to process personal data on our behalf.


We have implemented appropriate technical and organisational measures to meet the requirements of the relevant data protection legislation, to protect the rights of data subjects, and to ensure and to be able to demonstrate that processing is performed in accordance with relevant data protection legislation. This includes appropriate technical and organisational security measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This includes:

  • Encryption: All files stored locally on Benefacto systems are encrypted
  • Remote deletion: All files stored locally on Benefacto systems can be wiped remotely
  • Passwords: Benefacto enforce the use of complex alpha-numeric passwords for access to our website and access to our computers.
  • OWASP: Benefacto builds its technology to minimise risks of security breaches, as identified by OWASP. We have applied numerous hardening techniques and if you require more information on these please contact

Processing Personal Data

We have in place appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

More information on what data we collect and process can be found on our Privacy Policy.

Return Or Deletion Of Personal Data

At your written request, we shall delete, anonymise or return all the personal data relating to participants associated with your organisation to you within a reasonable time and to delete all existing copies unless applicable law requires storage of the personal data.

Should a participant of one of your community investment activities request to have their personal data removed from our systems, we will do this, regardless of how this data was added to our system. See our Privacy Policy for more information.

Please email to organise this.

Transfers Of Your Data

We shall not transfer personal data to a third-party country or international organisation unless you have given prior written consent and such transfer complies with relevant data protection laws.

Record Keeping

We shall maintain a record of all information reasonably necessary to demonstrate compliance with our obligations and shall provide reasonable assistance to you in respect of any audits performed by you or on your behalf as required to meet the standards set out in the relevant data protection legislation.

Damage To Or Loss Of Data

We shall promptly inform you if any personal data is lost or destroyed or becomes damaged, corrupted or unusable.

In compliance with the relevant data protection legislation we shall notify you and/or the relevant supervisory authority of any data breaches.