Data Processing Agreement

Effective: April 13, 2026 · Last updated: April 13, 2026

This Data Processing Agreement (“DPA”) forms part of the Loavenly Terms of Service between:

  • Customer: The organization that has entered into an agreement to use the Loavenly Service (“Controller”).
  • Processor: Loavenly, Inc. (“Loavenly”).

This DPA describes how Loavenly processes Personal Data on the Controller's behalf. If there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to data processing.

1. Definitions

  • Personal Data — Client and user information processed via the Service.
  • Processing — Any operation performed on Personal Data (collection, storage, retrieval, use, disclosure, deletion).
  • Data Subject — The individual to whom Personal Data relates (e.g., food bank clients, volunteers, staff).
  • Controller — The Customer, who determines the purposes and means of Processing.
  • Processor — Loavenly, who Processes Personal Data on behalf of the Controller.
  • Subprocessor — A third party engaged by Loavenly to Process Personal Data on the Controller's behalf.

2. Scope and Purpose

Loavenly Processes Personal Data solely to provide the Service as described in the Terms of Service. Processing includes:

  • Storing client records and visit history
  • Generating USDA TEFAP / EFAP compliance reports
  • Managing volunteer information and shifts
  • Supporting Customer operations and reporting

3. Customer Instructions

Loavenly will:

  • Process Personal Data only per Controller instructions and the Terms of Service
  • Not use Personal Data for its own purposes, except aggregation in anonymized form
  • Not sell or share Personal Data for cross-context behavioral advertising
  • Promptly inform the Controller if, in its opinion, an instruction violates applicable law

4. Data Security Measures

Loavenly implements the following technical and organizational measures:

  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+)
  • Row-level security (RLS) policies enforcing multi-tenant isolation at the database layer
  • Role-based access control with the principle of least privilege
  • Authentication via Supabase Auth, including optional multi-factor authentication
  • Centralized logging and monitoring of access to Personal Data
  • Regular automated backups with encryption
  • Automated dependency vulnerability scanning
  • A documented incident response and breach notification plan
  • Periodic security review and internal audit

5. Subprocessors

Current Subprocessors:

  • Supabase — Database, authentication, and real-time sync (SOC 2 Type II)
  • Vercel — Application hosting and edge network (SOC 2 Type II)
  • Resend — Transactional email delivery
  • Google — Address autocomplete (Places API); only the query typed is transmitted, never identifying client data
  • Cloudflare — DNS and DDoS protection
  • Sentry — Error monitoring (Personal Data is filtered before submission)

Customer authorizes use of the Subprocessors listed above. Loavenly will:

  • Notify the Controller of any addition or replacement of a Subprocessor before that change takes effect
  • Ensure Subprocessors enter into written agreements imposing data-protection obligations at least equivalent to this DPA
  • Remain liable for the acts and omissions of its Subprocessors

6. Data Subject Rights

Loavenly will assist the Controller in responding to Data Subject requests, including requests for:

  • Access to Personal Data
  • Correction of inaccurate data
  • Deletion (subject to legal retention requirements)
  • Opt-out of sale or sharing (Loavenly does not sell or share)
  • Data portability

The Controller remains responsible for responding to Data Subjects directly. Loavenly will provide the data export and deletion tools necessary for the Controller to fulfill requests within applicable timeframes (45 days under CCPA, extendable to 90 days with notice).

7. Breach Notification

Loavenly will:

  • Notify the Controller without undue delay, and in any event within 24 hours of confirming a personal data breach affecting Customer Data
  • Provide details of the nature of the breach, the categories and approximate number of Data Subjects and records affected, and the likely consequences
  • Describe the measures taken or proposed to mitigate the breach
  • Cooperate with the Controller to meet regulatory notification obligations

The Controller is responsible for:

  • Notifying affected Data Subjects as required
  • Reporting to the California Attorney General (required at 500+ affected residents) or other regulators
  • Complying with California Civil Code § 1798.82 (SB 1386) and any other applicable law

8. Data Retention and Deletion

  • Retention: Personal Data is retained for seven (7) years to support USDA TEFAP compliance audits (exceeds the three-year federal requirement)
  • Deletion: Upon termination of the Service, Customer has 30 days to export its data, after which data is archived per the retention schedule
  • Certification: Upon Controller request, Loavenly will provide written certification that Personal Data has been deleted
  • Backups: Backup copies are retained for no more than 90 days after the originating data is deleted

9. Audit Rights

The Controller may:

  • Request current compliance documentation (this DPA, our security overview, Subprocessor SOC 2 reports where available)
  • Conduct reasonable security reviews no more than once per calendar year, with at least 30 days' prior written notice
  • Review Subprocessor SOC 2 Type II reports (Supabase, Vercel) when these are available from the Subprocessors

Audit activity must not disrupt Loavenly's normal operations or compromise the security of other customers' data.

10. Data Transfers

  • Personal Data is stored in the United States
  • Loavenly does not transfer Personal Data internationally without the Controller's prior consent
  • Where transfers are authorized, Loavenly will implement appropriate safeguards

11. Liability

Loavenly's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability where such limitation is prohibited by law.

12. Term and Termination

  • This DPA takes effect when the Controller begins using the Service
  • It continues for the duration of the Service and for the retention period that follows termination
  • Sections governing deletion, liability, and governing law survive termination
  • Either party may terminate the DPA immediately upon material, uncured breach by the other

13. Governing Law

This DPA is governed by the laws of the State of California. The parties submit to the exclusive jurisdiction of the courts of California for any dispute arising from this DPA.

14. Agreement

By using the Service, the Controller accepts the terms of this DPA. For a counter-signed copy for internal records, contact legal@loavenly.com.