InspireHUB Legal Documents

Data Processing Agreement

Effective: April 8, 2026 Version 1.2 Supersedes all prior versions Questions? privacy@inspirehub.com inspirehub.com/dpa
Start Here

Understanding This Agreement — In Plain Language

In Plain Terms Part 1 applies to all clients everywhere. Part 2 applies if your users are in the EU, EEA, Switzerland, or UK. Part 3 applies to the Canadian instance. Part 4 applies to the Australian instance. Part 5 applies to the US instance. Your applicable instance and contracting entity are identified in the IHUBApp Terms of Service based on your country of residence.

This document — the IHUBApp Data Processing Agreement ("DPA") — describes how InspireHUB handles personal information on your behalf when you use the IHUBApp platform to build and operate your own Hub. It applies to clients who license IHUBApp to create their own digital experiences. When InspireHUB builds and operates its own Hubs using the same platform — for example, for InspireHUB's own events, giving campaigns, or community activities — InspireHUB acts as the Hub Owner and data controller for its users, subject to the same obligations as any client. InspireHUB's privacy notice for its own website and platform interactions is available at inspirehub.com/privacy. This DPA is incorporated into and forms part of the IHUBApp Terms of Service.

Eight things to know before reading on:

1. This DPA applies to every InspireHUB client across our Canadian, US, and Australian instances. Your obligations and ours depend on where your Hub is hosted and where your users are located. That is why this document has separate parts for different regions.

2. InspireHUB acts as your data processor. We handle your users' personal information only to provide the IHUBApp service, and only on your instructions. You are the data controller — the party that decides what personal information is collected and why.

3. Not sure which instance or contracting entity applies to you? The IHUBApp Terms of Service identifies the InspireHUB entity you are contracting with based on your country of residence. You can also contact us at privacy@inspirehub.com.

4. When you cancel, your Hub is archived for up to 12 months and you can retrieve it or reactivate at any time. InspireHUB will email you 30 days before permanent deletion. Free-plan Hubs that are inactive for 365 consecutive days are also subject to a separate dormancy policy — see clause 1.8.7 for the full timeline and exclusions.

5. InspireHUB improves the platform using anonymised, aggregated patterns — not your members' personal data. Notification timing and content engagement are the only two machine learning applications in use. You will be notified before any new ones are added.

6. IHUBApp is built for community engagement, events, and giving — not healthcare. It is not HIPAA-compliant and is not designed for clinical or medical use.

7. If InspireHUB's own breach of this DPA causes you direct losses, InspireHUB will cover them — capped at 12 months of fees paid. Regulatory fines and investigation costs are not covered.

8. Questions? Contact privacy@inspirehub.com.

Terminology

Definitions

The following terms apply throughout this DPA. Terms not defined here have the same meaning as in the Terms of Service.

"Applicable Laws"
All privacy, data protection, and information security laws applicable to the processing of Personal Data under this DPA, including PIPEDA and provincial legislation (Canadian-instance); the Privacy Act 1988 (Cth) and APPs (Australian-instance); GDPR and UK GDPR (EU/EEA/UK-connected); and applicable US federal and state laws including CCPA/CPRA (US-instance).
"Anonymization"
The irreversible processing of Personal Data such that the data subject is no longer identifiable by any means reasonably likely to be used, consistent with Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques (the EU data protection standard for ensuring data cannot be re-identified), or equivalent standard under Applicable Laws. Pseudonymisation is not anonymization for the purposes of this DPA.
"Data Controller"
The entity that determines the purposes and means of processing Personal Data. Client is the Data Controller of all Personal Data processed through its Hub(s).
"Data Processor"
The entity that processes Personal Data on behalf of a Data Controller. InspireHUB is the Data Processor under this DPA.
"Data Subject"
An identified or identifiable natural person whose Personal Data is processed in connection with the Subscription Service.
"GDPR"
Regulation (EU) 2016/679. References to GDPR include the UK GDPR as retained in UK law by the European Union (Withdrawal) Act 2018 where applicable.
"InspireHUB"
The applicable contracting entity as identified in the IHUBApp Terms of Service based on your country of residence: InspireHUB Canada Holdings Inc. (Canadian-instance); Gloo, LLC (US-instance); or InspireHUB Australia Pty Ltd (Australian-instance). If you are uncertain which entity applies to your subscription, refer to the Terms of Service or contact privacy@inspirehub.com.
"Personal Data"
Any information relating to an identified or identifiable natural person, interpreted to include all categories recognised as personal data or personal information under the most broadly applicable of the Applicable Laws. Where the definition varies between jurisdictions, the broadest applicable definition governs.
"Client Data"
All data, content, and information submitted to or stored within the Subscription Service by Client, its Hub members, and individuals who interact with Client's Hub(s), including all Relevant Personal Data.
"Hub Owner"
The Client representative designated as the primary account holder for a Hub, whose contact details are registered in InspireHUB's system. Client is responsible for keeping Hub Owner contact details current. Notices sent to the registered Hub Owner email address are deemed received by Client where delivery is confirmed. For material notices including the Archive Period deletion notice in clause 1.8.3, InspireHUB shall make a secondary attempt to notify through the customer portal where initial email delivery fails or bounces. Cross-reference note: "Client" in this DPA corresponds to the "Licensor" or "Hub Owner" in the IHUBApp EULA template, and to the "Builder" or "Licensor" in the Builder Terms where the Client has delegated building capabilities. These terms refer to the same legal entity in different document contexts.
"Personal Data Breach"
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Relevant Personal Data.
"Relevant Personal Data"
Personal Data processed by InspireHUB on behalf of Client in connection with the Subscription Service.
"Restricted Transfer"
A transfer of Relevant Personal Data to a jurisdiction that requires a lawful transfer mechanism under Applicable Laws in the absence of an adequacy decision.
"Standard Contractual Clauses" / "SCCs"
The Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Commission Implementing Decision 2021/914), incorporated as Schedule 3.
"Sub-processor"
Any third party engaged by InspireHUB to process Relevant Personal Data on InspireHUB's behalf, as listed in Schedule 1.
"Technical and Organisational Measures" / "TOMs"
The security measures described in Schedule 2.
Part 1

Core Processing Obligations — All Jurisdictions

In Plain Terms This Part applies to every InspireHUB client, regardless of where your Hub is hosted. It describes the fundamental obligations that govern how InspireHUB handles personal data on your behalf.

1.1 Roles and Processing Authority

1.1.1Client is the Data Controller and InspireHUB is the Data Processor in respect of all Relevant Personal Data processed in connection with the Subscription Service.

1.1.2InspireHUB shall process Relevant Personal Data only on the documented instructions of Client, as set out in this DPA and the Terms of Service, except where otherwise required by Applicable Laws. Where law requires processing outside Client's instructions, InspireHUB shall notify Client before such processing unless prohibited.

1.1.3Client is solely responsible for establishing and maintaining a lawful basis for all collection and processing of Personal Data through its Hub(s) and for ensuring its instructions to InspireHUB are lawful.

1.2 Scope and Purpose of Processing

1.2.1InspireHUB shall process Relevant Personal Data only: (a) to provide the Subscription Service, including through Consulting Services as described in clause 1.10.2; (b) in accordance with Client's documented instructions; (c) to anonymise Relevant Personal Data as permitted by clause 1.8; and (d) as required by Applicable Laws after notifying Client.

1.2.2InspireHUB uses Relevant Personal Data in anonymised and aggregated form to support platform features and functionality, including machine learning. InspireHUB's current machine learning activities are limited to: (a) optimising the timing of notifications to improve member visibility; and (b) analysing aggregate content engagement patterns to improve platform performance. Certain data elements, such as IP addresses, are anonymised at the point of ingestion before any aggregation or analysis occurs. This processing does not enable identification of any individual user or Client. InspireHUB will notify Clients no less than thirty (30) days before implementing any new machine learning application that uses Relevant Personal Data, whether in anonymised form or otherwise.

1.2.3InspireHUB does not process Relevant Personal Data for its own commercial purposes, including advertising, profiling, or sale to third parties.

1.2.4The IHUBApp platform is designed for community engagement, event management, giving, and communication. It is not a health information system, electronic medical records platform, or healthcare application, and has not been designed, tested, or certified for clinical, therapeutic, diagnostic, or regulated health service delivery. InspireHUB is not HIPAA-compliant and does not offer HIPAA Business Associate Agreements. Client must not use the Subscription Service as a primary channel for collecting, storing, or transmitting regulated personal health information under HIPAA, the Personal Health Information Protection Act (Ontario), or equivalent health privacy legislation. InspireHUB is not responsible for health information that users spontaneously include in general-purpose fields such as free-text comments, prayer requests, or private messages. Client is responsible for implementing appropriate platform configuration, member communication, and acceptable use policies to minimise the likelihood of regulated health information being submitted through the platform. If regulated health information is inadvertently submitted, Client bears sole responsibility for any resulting obligations under applicable health privacy legislation.

1.3 Confidentiality of Processing

1.3.1InspireHUB shall ensure all personnel authorised to access Relevant Personal Data are subject to binding confidentiality obligations and are informed of their obligations.

1.3.2Access to Relevant Personal Data is limited to personnel who require such access to perform their duties in connection with the Subscription Service (principle of least privilege).

1.4 Technical and Organisational Measures

1.4.1InspireHUB shall implement and maintain the Technical and Organisational Measures described in Schedule 2, designed to protect Relevant Personal Data against unauthorised access, disclosure, alteration, loss, or destruction.

1.4.2All Relevant Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent encryption.

1.4.3InspireHUB may update the TOMs in Schedule 2 from time to time, provided no update materially reduces the overall level of security protection during the applicable Subscription Term. For the purposes of this clause, a material update includes any change to: encryption standards; access control requirements; backup frequency or recovery point objectives; or the penetration testing schedule. InspireHUB shall notify Client of any material update no less than thirty (30) days before the update takes effect. The current version of Schedule 2 is always available at inspirehub.com/dpa.

1.5 Sub-processors

1.5.1Client grants general authorisation for InspireHUB to engage Sub-processors listed in Schedule 1 to process Relevant Personal Data on InspireHUB's behalf.

1.5.2InspireHUB shall give Client no less than thirty (30) calendar days' prior written notice of any proposed addition or replacement of a Sub-processor, by email to the Hub Owner and by update to inspirehub.com/dpa.

1.5.3Client may object in writing to a new Sub-processor within thirty (30) days of notice on reasonable data protection grounds. Reasonable data protection grounds include, without limitation: (i) the proposed Sub-processor is incorporated in a jurisdiction without adequate privacy protections and no lawful transfer mechanism has been identified; (ii) the proposed Sub-processor has suffered a material data breach within the preceding twelve (12) months; or (iii) use of the proposed Sub-processor would cause Client to breach its own regulatory obligations. If InspireHUB cannot accommodate the objection within thirty (30) days, Client may terminate the affected Subscription Service without penalty, effective at end of the then-current Subscription Term. Where the new Sub-processor processes Relevant Personal Data across the Subscription Service as a whole, Client's termination right under this clause applies to the full Subscription Service.

1.5.4InspireHUB uses Stripe, Inc. as its payment processing sub-processor. The Stripe relationship is governed by Stripe's standard Data Processing Agreement, available at stripe.com/legal/dpa. InspireHUB has accepted Stripe's standard DPA terms and relies on Stripe's own compliance programme, PCI DSS Level 1 certification, and data protection commitments for the processing of payment transaction data. For all other Sub-processors listed in Schedule 1, InspireHUB shall ensure each is bound by written data processing obligations addressing confidentiality, security, and data subject rights to a standard consistent with the obligations imposed on InspireHUB under this DPA. InspireHUB remains fully liable for each Sub-processor's performance of its data protection obligations.

1.6 Assistance with Data Subject Rights

1.6.1InspireHUB shall assist Client in responding to Data Subject rights requests by providing reasonable technical and organisational assistance, proportionate to InspireHUB's role and the information available to InspireHUB.

1.6.2End users of a Client's Hub wishing to exercise privacy rights should contact the Hub Owner. InspireHUB does not respond directly to such requests in its capacity as Data Processor. Where a Hub member is unable to reach the Hub Owner and contacts InspireHUB directly at privacy@inspirehub.com, InspireHUB will confirm whether it holds personal data about the individual and direct them to the appropriate process for exercising their rights.

1.6.3Non-member transactors — individuals who completed a transaction through a client-built Hub without creating a hub account, including ticket buyers, event registrants, and donors — should contact the Hub Owner directly to exercise privacy rights in respect of that transaction. Client Hubs process transactions through the Hub Owner's own Stripe account; InspireHUB is not the data controller for that information. Where an individual has transacted directly with InspireHUB through an event, giving campaign, or other activity operated by InspireHUB on its own platform (such as inspirehub.com), they may contact InspireHUB at privacy@inspirehub.com. InspireHUB's handling of such requests, including response timeframes, is described in Section 16.3 of the IHUBApp Privacy Notice at inspirehub.com/privacy.

1.6.4Where InspireHUB is Data Controller in respect of Client account and billing contacts, individuals may contact privacy@inspirehub.com to exercise their rights, as further described in the IHUBApp Privacy Notice at inspirehub.com/privacy.

1.7 Data Protection Impact Assessments

1.7.1InspireHUB shall provide reasonable assistance to Client in conducting data protection impact assessments required by Applicable Laws, where the assessment relates to processing carried out by InspireHUB and InspireHUB holds information necessary for the assessment.

1.8 Deletion, Return, and Archive

1.8.1Upon termination or expiration of the Terms of Service, Client's Hub will go offline at the end of the then-current billing period. At that point, the Hub and all associated Client Data are archived by InspireHUB. The archived Hub is not publicly accessible but is retained securely for a period of up to twelve (12) months from the date of termination or expiration (the "Archive Period").

1.8.2During the Archive Period, Client may at any time: (a) request that InspireHUB return a complete copy of all Relevant Personal Data by secure file transfer in a reasonably specified format, which InspireHUB shall provide within thirty (30) days of the request; or (b) reactivate the Hub subject to payment of InspireHUB's then-current reactivation fee and re-execution of an active subscription. InspireHUB shall confirm completion of any data return in writing on request.

1.8.3No less than thirty (30) days before expiry of the Archive Period, InspireHUB shall send a written notice to the Hub Owner's registered email address advising that permanent deletion of all Relevant Personal Data is imminent and specifying the deletion date. Upon expiry of the Archive Period, InspireHUB shall permanently delete all copies of Relevant Personal Data unless Client has requested data return or reactivation prior to expiry. InspireHUB shall confirm permanent deletion in writing on request.

1.8.4InspireHUB may retain Relevant Personal Data beyond the Archive Period only to the extent and for the period required by Applicable Laws, ensuring confidentiality and no further active processing.

1.8.5Notwithstanding the Archive Period in clause 1.8.1, non-member transaction data — comprising personal data of individuals who transacted through a Hub without creating a hub account (including ticket buyers, event registrants, and donors) — is subject to the retention periods specified in Sections 6.5 and 6.6 of the Merchant Agreement (three years from the date of transaction). Such non-member transaction data shall be retained for those periods and deleted or anonymised at the expiry of those periods, regardless of Hub subscription status. This carve-out applies only to transaction-associated personal data held pursuant to the Merchant Agreement and does not extend to any other categories of Relevant Personal Data.

1.8.6Where InspireHUB satisfies deletion obligations by anonymisation, the anonymisation shall: (a) meet the standard in the definition of "Anonymization" in this DPA; and (b) be confirmed in writing to Client on request, confirming irreversibility and that re-identification by reasonably likely means is not possible.

1.8.7Dormant Hub Data Pathway. A separate dormancy deletion pathway applies to Free Subscription Hubs. The operational terms of that pathway — including the definition of dormancy, the inactivity thresholds, warning notices, suspension mechanics, and reactivation rights — are governed by Section 2.e of the Terms of Service (Dormant Hub Policy) and are not reproduced here. For the purposes of this DPA, InspireHUB confirms the following data protection obligations under that pathway: (a) Client Data associated with a suspended Hub is retained in full during the suspension period and is not deleted or anonymised; (b) InspireHUB will send a final written notice to the Hub Owner's registered email address no less than thirty (30) days before permanent deletion is carried out; (c) upon expiry of that final notice period, InspireHUB shall permanently delete or anonymise all copies of Relevant Personal Data associated with the dormant Hub in accordance with the standard in clause 1.8.6; and (d) the Archive Period defined in clause 1.8.1 does not apply to the dormancy pathway — these are distinct and parallel retention regimes.

1.8.8The exclusions from the dormancy deletion pathway are as set out in Section 2.e of the Terms of Service. The carve-out for non-member transaction data in clause 1.8.5 and the anonymisation standard in clause 1.8.6 apply equally to data deleted or anonymised under the dormancy pathway.

1.9 Audit Rights

1.9.1InspireHUB shall make available to Client, on reasonable written request, information reasonably necessary to demonstrate compliance with this DPA.

1.9.2InspireHUB does not independently hold ISO 27001 or SOC 2 Type II certifications. InspireHUB's platform is hosted on Microsoft Azure infrastructure, which holds those certifications for its own data centre operations. InspireHUB is PCI DSS compliant in respect of its payment processing integration with Stripe and can provide its PCI DSS compliance documentation on request. InspireHUB may satisfy clause 1.9.1 by providing: (a) documentation of its own security practices and policies; (b) Microsoft Azure's applicable certifications; (c) InspireHUB's PCI DSS compliance documentation; (d) any third-party security assessment reports held by InspireHUB, including CIS Controls assessment results; and (e) Privacy Impact Assessment documentation where applicable. Client shall treat all such materials as InspireHUB's Confidential Information.

1.9.3Where third-party reports are insufficient for a specific Applicable Laws requirement, Client may on thirty (30) days' prior written notice request a direct audit. Such audit: (a) shall not occur more than once per calendar year; (b) shall be at Client's cost; (c) shall be conducted by an independent qualified auditor bound by confidentiality who is not a competitor of InspireHUB, meaning a company whose primary business includes providing community engagement, event management, or giving platform services substantially similar to IHUBApp; (d) shall comply with InspireHUB's security requirements; and (e) shall be charged at fees that are reasonable and proportionate to the scope of the audit. Before the audit commences, InspireHUB will provide Client with a written fee estimate including a breakdown of estimated costs. Client may withdraw its audit request within five (5) business days of receiving the estimate without incurring any obligation.

1.10 Delegated Support Access and Consulting Services Access

1.10.1Delegated Support Access as defined in Section 3.1(c) of the Terms of Service is a technical mechanism that allows authorised InspireHUB staff to impersonate a user account on a Client's Hub in order to replicate and diagnose platform behaviour. Delegated Support Access: (a) requires Client authorisation prior to each session; authorisation may be given verbally during a support call, which InspireHUB records — the call record constitutes the documented authorisation for that session; (b) is available only to InspireHUB staff with designated access permissions, consistent with the principle of least privilege; and (c) is fully logged in InspireHUB's internal audit system, including the date, time, and identity of the InspireHUB representative. Client may request a disclosure of access logs relating to their Hub by submitting a written request to privacy@inspirehub.com. InspireHUB will verify the identity and authorisation of the requester before disclosing logs and will respond within thirty (30) days of a verified request.

1.10.2Consulting Services means professional troubleshooting, configuration, and support services provided by InspireHUB staff to Client, which may involve administrative access to Client's Hub environment, including reports, account data, message content, and member records, depending on the nature of the issue being investigated. Consulting Services: (a) are provided only in response to a Client request or with Client's knowledge; (b) are subject to the same access permissions and least privilege principles as Delegated Support Access, and are limited to what is reasonably necessary to resolve the specific issue identified in the Client's request; (c) are logged in InspireHUB's internal audit system to the same standard as Delegated Support Access, including documentation of the scope of access; and (d) Client may request a disclosure of Consulting Services access logs under the same process described in clause 1.10.1.

1.11 PCI DSS Scope Boundary

1.11.1InspireHUB does not store primary account numbers (PANs), CVVs, or full cardholder data. InspireHUB retains only truncated card identifiers provided by Stripe for display and identification purposes, specifically: last four digits of the card number, card brand, expiration date, and a Stripe-generated card fingerprint. The Stripe fingerprint is a persistent unique identifier for a specific payment card generated by Stripe; it does not contain or reveal the full card number. Payment card transactions are processed entirely within Stripe, Inc.'s PCI DSS-certified environment via tokenization. Client PCI DSS obligations are governed by Section 2.4(a)(ii) of the Terms of Service.

1.12 Hub Instance Migration

1.12.1During any Hub Instance Migration under Section 2.15 of the Terms of Service, InspireHUB shall: (a) apply the same protections required under this DPA to all Relevant Personal Data in transit; (b) maintain encryption of data in transit throughout the migration; (c) notify Client within twenty-four (24) hours of becoming aware of a confirmed security incident during migration, or within forty-eight (48) hours of becoming aware of a suspected security incident under active investigation; and (d) confirm in writing upon completion that no Relevant Personal Data was lost, corrupted, or accessed without authorisation during transit, or describe any confirmed issue and remediation taken.

1.13 Infrastructure Availability

1.13.1InspireHUB's platform is hosted on Microsoft Azure with automatic regional failover. In the event of a failure in the primary Azure region, InspireHUB's infrastructure automatically fails over to a secondary Azure region within the same jurisdiction, with the objective of minimising service interruption. Failover is automatic and does not require manual intervention by InspireHUB staff.

1.13.2In the event of a total Microsoft Azure outage affecting all regions, restoration of InspireHUB's service is dependent on Microsoft Azure's own recovery. InspireHUB's service restoration following Azure recovery is automatic.

1.13.3InspireHUB's recovery point objective (RPO) is a maximum of twenty-four (24) hours, based on real-time incremental backups supplemented by daily full backups. In practice, real-time backups mean the actual recovery point is typically significantly shorter than the maximum.

1.13.4InspireHUB does not operate its own independent failover infrastructure outside Microsoft Azure. Clients requiring contractual SLA commitments for total Azure outage scenarios should assess their own business continuity requirements accordingly.

Part 2

GDPR and UK GDPR Supplement

Who This Applies To Part 2 applies if your Hub processes personal data of individuals located in the EU, EEA, Switzerland, or UK — regardless of where your organisation or InspireHUB is established. This includes situations where your Hub's users, ticket buyers, donors, or members are located in those jurisdictions even if your organisation is based in Canada, the US, or Australia. Contracting entity for Canadian-instance clients: InspireHUB Canada Holdings Inc.

2.1 Application

2.1.1This Part 2 supplements Part 1 for processing subject to the GDPR or UK GDPR. In the event of conflict between Part 1 and Part 2, Part 2 prevails to the extent of the conflict.

2.2 Lawful Basis

2.2.1Client, as Data Controller, is solely responsible for establishing and maintaining a lawful basis under Article 6 GDPR (and Article 9 for special category data) for all Relevant Personal Data processed through its Hub(s). InspireHUB assumes no liability for Client's failure to establish lawful basis.

2.3 Data Subject Rights (Articles 15–22 GDPR)

2.3.1InspireHUB shall assist Client in fulfilling its obligations to respond to Data Subject rights requests under Articles 15–22 GDPR, including rights of access, rectification, erasure, restriction, portability, and objection, within GDPR timeframes. Assistance is limited to InspireHUB's technical capabilities and information available to it as Data Processor.

2.4 Breach Notification

2.4.1InspireHUB shall notify Client without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Relevant Personal Data. InspireHUB's notification to Client starts Client's own obligation under Article 33 GDPR to notify the supervisory authority within seventy-two (72) hours of becoming aware of the breach. The notification shall include, to the extent then known: (a) the nature of the breach and categories of affected Data Subjects; (b) categories and approximate number of affected records; (c) likely consequences; (d) measures taken or proposed; and (e) InspireHUB's data protection contact details.

2.4.2InspireHUB's notification does not replace Client's independent obligations to notify supervisory authorities and Data Subjects under Articles 33 and 34 GDPR.

2.5 Data Protection Impact Assessments (Article 35)

2.5.1InspireHUB shall provide reasonable assistance for DPIAs required under Article 35 GDPR where the relevant processing is carried out by InspireHUB and InspireHUB holds information necessary for the assessment.

2.6 Records of Processing Activities (Article 30)

2.6.1InspireHUB shall maintain records of all categories of processing activities carried out on behalf of Clients as required by Article 30(2) GDPR and shall make such records available to supervisory authorities on request.

2.7 International Data Transfers — 2021 Standard Contractual Clauses

2.7.1Where Relevant Personal Data subject to the GDPR or UK GDPR is transferred in circumstances constituting a Restricted Transfer, that transfer shall be governed by the SCCs in Schedule 3.

2.7.2Module 2 (Controller-to-Processor) SCCs apply to transfers from Client to InspireHUB. Module 3 (Processor-to-Processor) SCCs apply to transfers from InspireHUB to Sub-processors.

2.7.3Annex I incorporates this DPA's definitions and processing descriptions. Annex II incorporates Schedule 2. Annex III incorporates Schedule 1. In the event of conflict between this DPA and the SCCs, the SCCs prevail.

2.8 UK GDPR

2.8.1References to the GDPR in this Part 2 include the UK GDPR where applicable. References to the "supervisory authority" include the UK Information Commissioner's Office for processing relating to UK Data Subjects.

Part 3

Canadian Supplement (PIPEDA and Provincial Privacy Laws)

Who This Applies To Part 3 applies if your Hub is on the Canadian instance. Contracting entity: InspireHUB Canada Holdings Inc.

3.1 Application

3.1.1This Part 3 supplements Part 1 under: PIPEDA; the Alberta Personal Information Protection Act (PIPA AB); the British Columbia Personal Information Protection Act (PIPA BC); and Quebec's Act Respecting the Protection of Personal Information in the Private Sector as amended by Law 25 (Bill 64). References to PIPEDA include applicable provincial equivalents.

3.2 PIPEDA Service Provider Obligations

3.2.1InspireHUB acknowledges that it acts as a "service provider" to Client within the meaning of PIPEDA Schedule 1 Principle 4.1.3 and is contractually bound to provide comparable privacy protection to that required of Client under PIPEDA.

3.2.2InspireHUB shall: (a) collect, use, and disclose Relevant Personal Data only to provide the Subscription Service; (b) implement and maintain safeguards appropriate to the sensitivity of Relevant Personal Data; and (c) make information about its privacy practices available to Client on reasonable request.

3.2.3InspireHUB's accountability for Relevant Personal Data transferred to Sub-processors is maintained through the obligations imposed on Sub-processors under clause 1.5.4.

3.3 Cross-Border Transfer Disclosure

3.3.1Client acknowledges that Relevant Personal Data may be processed outside Canada by Sub-processors in Schedule 1 (including Stripe, Inc., Cloudflare, Inc., SendGrid (Twilio Inc.), and Twilio Inc., all US-incorporated). Client is responsible for ensuring its privacy notice discloses that personal information may be transferred to and processed in jurisdictions outside Canada.

3.3.2InspireHUB will continue to protect Relevant Personal Data transferred to Sub-processors through the contractual protections in clause 1.5.4, consistent with its accountability obligations under PIPEDA.

3.4 Breach Notification — PIPEDA

3.4.1InspireHUB shall notify Client as soon as feasible after becoming aware of a Personal Data Breach that creates a real risk of significant harm to one or more individuals within the meaning of PIPEDA section 10.1. "As soon as feasible" is the standard required under PIPEDA and its regulations; there is no fixed legislated hour count. InspireHUB will endeavour to provide initial notification within seventy-two (72) hours where feasible, but the governing commitment is timely notification consistent with the statutory standard rather than a specific hour count.

3.4.2Client may have independent obligations to report to the Office of the Privacy Commissioner of Canada and to notify affected individuals under PIPEDA. InspireHUB will cooperate with Client in meeting these obligations.

3.5 Quebec Law 25 — Additional Requirements

3.5.1The following additional requirements apply where Client has end users who are residents of Quebec.

3.5.2Privacy Impact Assessments: InspireHUB will provide reasonable information and assistance to Client in completing PIAs required under section 63.3 of Law 25 before communication of personal information outside Quebec.

3.5.3Confidentiality by Default: InspireHUB confirms its default privacy settings for the Subscription Service are designed to give the highest practicable level of confidentiality, consistent with the confidentiality-by-default principle in Law 25.

3.5.4Data Portability: Where required under Law 25, InspireHUB will assist Client in providing end users with access to their personal information in a structured, commonly used, technological format.

Part 4

Australian Supplement (Privacy Act 1988 and APPs)

Who This Applies To Part 4 applies if your Hub is on the Australian instance. Contracting entity: InspireHUB Australia Pty Ltd. InspireHUB Australia Pty Ltd is the legal contracting entity for Australian-instance clients under the laws of New South Wales. Day-to-day platform operations — including client support, privacy management, and technical operations — are conducted by InspireHUB Canada Holdings Inc. on behalf of InspireHUB Australia Pty Ltd under an intra-group services arrangement. This arrangement does not affect InspireHUB Australia Pty Ltd's obligations as contracting party under Australian law or the Privacy Act 1988 (Cth).

4.1 Application

4.1.1This Part 4 supplements Part 1 under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.

4.2 APP Processor Obligations

4.2.1InspireHUB handles Personal Data on Client's behalf in the course of providing the Subscription Service. Client, as the APP entity that collected the personal information, is responsible for ensuring InspireHUB's handling is consistent with the APPs.

4.2.2InspireHUB shall handle Relevant Personal Data consistently with the obligations in this DPA, designed to assist Client in meeting its obligations under the APPs, including APP 6 (use and disclosure), APP 11 (security), and APP 12 (access).

4.3 Cross-Border Disclosure — APP 8

4.3.1Client acknowledges that InspireHUB may disclose Relevant Personal Data to Sub-processors outside Australia as listed in Schedule 1. InspireHUB shall take reasonable steps through the contractual protections in clause 1.5.4 to ensure each overseas Sub-processor does not breach the APPs in relation to Relevant Personal Data.

4.3.2InspireHUB acknowledges that under APP 8.1, InspireHUB Australia Pty Ltd remains accountable for the acts and practices of overseas Sub-processors in relation to Relevant Personal Data. InspireHUB takes reasonable steps to ensure overseas Sub-processors do not breach the APPs, through the contractual protections in clause 1.5.4. This clause does not limit InspireHUB's accountability under the Privacy Act 1988 (Cth).

4.3.3Client is responsible for ensuring its privacy policy discloses cross-border disclosure of personal information to overseas Sub-processors as required under APP 1.

4.4 Notifiable Data Breaches

4.4.1InspireHUB shall notify Client as soon as reasonably practicable after becoming aware of an eligible data breach within the meaning of section 26WA of the Privacy Act, and in sufficient time to enable Client to meet its own notification obligations.

4.4.2Client must notify the Australian Information Commissioner and affected individuals within thirty (30) days of becoming aware of an eligible data breach. InspireHUB's notification shall include, to the extent then known, the information described in clause 2.4.1.

4.4.3InspireHUB will cooperate with Client and, where required, with the Office of the Australian Information Commissioner in connection with any eligible data breach.

4.5 Sensitive Information

4.5.1Sensitive information under the Privacy Act (including health information, genetic information, biometric information, and information about racial or ethnic origin, religious beliefs, or sexual orientation) is subject to heightened protection under APP 3 and APP 6. InspireHUB shall not process sensitive information without Client's prior written instruction and shall apply additional safeguards appropriate to the sensitivity of the data.

4.5.2Client is responsible for obtaining appropriate consent for collection and processing of sensitive information through its Hub(s) as required by APP 3.3.

Part 5

United States Supplement

Who This Applies To Part 5 applies if your Hub is on the US instance (contracting entity: Gloo, LLC) or if your Hub processes personal information of California residents or residents of other US states with comprehensive privacy laws.

5.1 Application

5.1.1This Part 5 supplements Part 1 under applicable US federal and state privacy laws, including CCPA/CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Texas Data Privacy and Security Act, and other applicable US state privacy laws ("US Privacy Laws").

5.2 Service Provider Status

5.2.1To the extent US Privacy Laws apply, the parties acknowledge that InspireHUB acts as a "service provider" under CCPA/CPRA and as a "processor" under applicable state privacy laws in respect of Relevant Personal Data processed on Client's behalf.

5.2.2InspireHUB's processing of Relevant Personal Data is limited to what is necessary to perform the services specified in the Terms of Service or as otherwise permitted by Applicable Laws.

5.3 No Sale or Sharing of Personal Information

5.3.1InspireHUB shall not sell or share (as defined under CCPA/CPRA) Relevant Personal Data. InspireHUB shall not retain, use, or disclose Relevant Personal Data outside of the direct business relationship between the parties, except as permitted by Applicable Laws or directed by Client.

5.3.2InspireHUB shall not combine Relevant Personal Data with personal information received from another source or collected from its own consumer interactions, except as permitted by CCPA/CPRA or other applicable US Privacy Laws.

5.4 CCPA/CPRA Service Provider Obligations

5.4.1To the extent required by California Civil Code section 1798.100(d) (as amended by the CPRA), InspireHUB: (a) shall comply with applicable obligations under CCPA/CPRA; (b) shall provide the same level of privacy protection as required by CCPA/CPRA; (c) shall notify Client if InspireHUB determines it can no longer meet its CCPA/CPRA obligations; and (d) grants Client the right to take reasonable steps to stop and remediate any unauthorised use of Relevant Personal Data on written notice from Client.

5.4.2Client is responsible for providing required notices to California consumers and other individuals, including disclosures about the use of service providers and consumer rights under CCPA/CPRA.

5.5 Multi-State Privacy Framework and Breach Notification

5.5.1InspireHUB shall assist Client in responding to consumer rights requests under applicable US Privacy Laws (including access, correction, deletion, portability, and opt-out of sale or sharing) consistent with clause 1.6.

5.5.2InspireHUB shall notify Client of a Personal Data Breach in accordance with applicable US federal and state breach notification laws, in a timeframe sufficient for Client to meet its own notification obligations under applicable state law.

Schedule 1

Authorised Sub-processors

In Plain Terms This schedule lists the third-party companies InspireHUB uses to deliver IHUBApp. InspireHUB provides 30 days' notice of any additions or changes per clause 1.5.2. Current list maintained at inspirehub.com/dpa.
Stripe, Inc.
🇺🇸 United States PCI DSS Level 1
Services Payment processing; transaction management; tax services
Data Processed Payment transaction data — amounts, currency, status, Stripe charge and customer identifiers, and truncated card identifiers (last four digits, brand, expiration, Stripe-generated fingerprint). Cardholder data is captured directly by Stripe Elements in the user's browser and never passes through InspireHUB's servers. Governed by Stripe's standard DPA.
Microsoft Azure
🌐 Global — data residency per instance (CA, US, AU) ISO 27001 SOC 2 Type II
Services Cloud infrastructure; hosting; data storage and compute; backup
Data Processed All Relevant Personal Data stored within the Subscription Service
Cloudflare, Inc.
🇺🇸 United States ISO 27001 SOC 2 Type II
Services CDN; DDoS protection; DNS; web application firewall
Data Processed Traffic logs; IP addresses; access metadata
SendGrid (Twilio Inc.)
🇺🇸 United States ISO 27001 SOC 2 Type II
Services Transactional and notification email delivery
Data Processed Email addresses; email content including notification text, Hub invitation messages, and system notifications
Twilio Inc.
🇺🇸 United States ISO 27001 SOC 2 Type II
Services Push notification delivery
Data Processed Device push tokens; notification content; delivery metadata
Rewardful Inc.
🇺🇸 United States GDPR-compliant
Services Affiliate and referral programme tracking; commission management
Data Processed Affiliate and referral partner data: names, email addresses, referral tracking identifiers, conversion data, and commission records
Compliance DPA available at dpo@rewardful.com. Hosted on AWS (ISO 27001; SOC 2 Type II at infrastructure level).

Note: Cardholder data is captured directly by Stripe Elements in the user's browser and never passes through InspireHUB's servers. InspireHUB stores only truncated card identifiers (last four digits, brand, expiration, and Stripe-generated card fingerprint) provided by Stripe. The fingerprint does not contain or reveal the full card number. See clause 1.11 for the full PCI DSS scope boundary.

Schedule 2

Technical and Organisational Measures

In Plain Terms InspireHUB protects your users' data using industry-standard encryption, strict access controls, continuous security monitoring, and documented incident response procedures. InspireHUB may update these measures but will not materially reduce protection during your Subscription Term.
Summary of Controls
Control AreaSummary
Access Controls Role-based access controls (RBAC); MFA required for all staff accessing production systems; quarterly access reviews; immediate revocation on termination; all access logged for minimum 12 months.
Encryption Data in transit: TLS 1.2 or higher (TLS 1.3 where supported). Data at rest: AES-256 or equivalent. Encryption keys managed via Microsoft Azure Key Vault; rotated annually and on confirmed compromise.
Network Security Cloudflare enterprise DDoS mitigation and WAF; network segmentation between production, development, and administrative environments; continuous vulnerability scanning with CVSS-based remediation timelines (Critical: 72 hrs; High: 30 days; Medium: 90 days).
Security Assessments Annual independent security assessments of InspireHUB's production environment. In 2025, InspireHUB completed a CIS Controls assessment by an independent third-party auditor. Commencing 2026, InspireHUB conducts annual external penetration testing by an independent, qualified third-party security firm. Assessment findings and remediation status available to Clients on reasonable written request within 30 days, subject to confidentiality.
Incident Detection Documented Breach Response Procedure; continuous security monitoring with critical alerts reviewed within four (4) business hours of detection; non-critical alerts reviewed within one (1) business day; escalation to Gloo Holdings governance oversight committee for material incidents. Security escalation contact: Sierra Scott, Head of Operations — overseeing InspireHUB's development team and all security functions (sscott@inspirehub.com).
Physical Security Data hosted on Microsoft Azure infrastructure. Physical data centre security governed by Microsoft's ISO 27001 and SOC 2 Type II certifications. InspireHUB does not operate its own data centre facilities.
Personnel Security Background screening for personnel with access to Relevant Personal Data; annual security awareness training including data protection, phishing, and incident reporting.
Business Continuity Real-time incremental backups supplemented by daily full backups; maximum RPO of 24 hours (in practice typically shorter). Automatic regional failover within Azure — if the primary region fails, service switches to a secondary Azure region in the same jurisdiction with no manual intervention. Total Azure outage: service restores automatically when Azure recovers. Annual review of business continuity and disaster recovery plan.
Sub-processor Oversight Annual security assessment of all Sub-processors; contractual requirements equivalent to this Schedule.

Full details of InspireHUB's technical and organisational measures are available to Clients on reasonable written request to support@inspirehub.com, subject to confidentiality.

Schedule 3

Standard Contractual Clauses (EU Commission, 4 June 2021)

Scope This Schedule incorporates the 2021 SCCs (Commission Implementing Decision 2021/914). Module 2 (Controller-to-Processor) applies to transfers from Client to InspireHUB. Module 3 (Processor-to-Processor) applies to InspireHUB-to-Sub-processor transfers. SCCs prevail over this DPA in case of conflict.
Enterprise Clients InspireHUB will provide a version of this DPA with the full 2021 SCC text (Modules 2 and 3) appended and signed by an authorised InspireHUB representative upon written request to privacy@inspirehub.com. Single-entity SCC annexes (naming one specific contracting entity as the sole data importer) are available for clients who require them for regulatory purposes — this is the recommended approach for any client whose users include EU/EEA data subjects. The multi-entity data importer structure in Annex I.A is a known deferred item under active remediation; until individual single-entity annexes are executed, InspireHUB recommends that EU-connected clients request a single-entity annex before processing EU personal data through this DPA. All requests are fulfilled at no charge. Each named sub-processor — Stripe, SendGrid (Twilio Inc.), and Twilio Inc. — maintains its own GDPR-compliant standard DPA and active EU data transfer mechanisms. Copies are available from each provider directly.

Incorporation of 2021 SCCs

The Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("2021 SCCs") are hereby incorporated by reference and form a binding part of this Agreement. Full text: eur-lex.europa.eu

Annex I.A — List of Parties

Data Exporter: Client, as identified in the InspireHUB account and Terms of Service. Role: Controller.

Data Importer: InspireHUB Canada Holdings Inc. (Canadian-instance) / Gloo, LLC (US-instance) / InspireHUB Australia Pty Ltd (Australian-instance), as applicable. Address: c/o Gloo, LLC, 831 Pearl Street, Boulder, CO 80305, USA. Contact: privacy@inspirehub.com. Role: Processor.

Annex I.B — Description of Transfer

Data subjects: End users of Client's Hub(s); registered Hub users; employees and representatives of Client; individuals who purchase tickets, registrations, or event access through Events without creating a hub account; individuals who make donations through Giving without creating a hub account.

Personal data categories:

(a) Account registration data for hub members: name, email address, phone number, authentication credentials (stored in encrypted form), profile information;
(b) Hub usage and analytics data;
(c) User-submitted content: content created or uploaded by hub members within the Subscription Service, which may include text posts, images, comments, and prayer requests or other personal disclosures made within Hub communities. InspireHUB staff may access this content only through authorised Delegated Support Access or Consulting Services as described in clauses 1.10.1 and 1.10.2;
(d) Communication data: messages and notifications sent between users or between the platform and users through the Subscription Service. InspireHUB staff may access communication data only through authorised Delegated Support Access or Consulting Services as described in clauses 1.10.1 and 1.10.2;
(e) Transaction data — including payment amounts, currency, payment status, Stripe charge and customer identifiers, and truncated card identifiers (last four digits, brand, expiration, and Stripe-generated card fingerprint). InspireHUB does not store full card numbers or CVVs. The Stripe card fingerprint is a persistent unique identifier for a specific payment card; it does not contain or reveal the full card number;
(f) IP addresses and access logs;
(g) Paid Channels subscriber data: first name, last name, email address, Stripe customer ID, and truncated card identifiers (last four digits, card brand, expiration, and Stripe-generated card fingerprint);
(h) Events ticket buyer and registration data: first name, last name, email address, phone number, and optional free-text comments — including for individuals transacting without a hub account;
(i) Giving donor data: first name, last name, email address, phone number (optional) — including for individuals transacting without a hub account;
(j) Hub owner merchant data: email address, Stripe account ID, administrator identity.
Specific categories depend on Client's Hub configuration and the features activated.

Special categories: Client shall not deliberately transfer special categories of data under Article 9 GDPR without a prior written agreement and amendment to this Annex. InspireHUB's platform is not designed to process special categories of data. Where special category data is inadvertently processed through user-generated content such as prayer requests, free-text comments, or private messages, InspireHUB shall treat such data with heightened protection and shall not actively process it for any purpose beyond storage, delivery, and deletion.

Frequency: Continuous, for the duration of the Subscription Term.

Nature and purpose: Hosting, storage, transmission, retrieval, backup, and deletion of Relevant Personal Data to provide the Subscription Service.

Duration: For the Subscription Term and such period thereafter as required by clause 1.8 of this DPA.

Annex I.C — Competent Supervisory Authority

EU/EEA exporters: The supervisory authority of the Member State where the data exporter is established.

UK exporters: The Information Commissioner's Office (ICO).

Non-EU/EEA exporters without an EU representative (including Canadian, US, and Australian organisations): Pursuant to SCC Clause 13 and EDPB guidance on non-EU data exporters, the parties designate the Data Protection Commission of Ireland as the competent supervisory authority. This designation is made solely for the purpose of SCC compliance and does not constitute a submission to Irish jurisdiction for any other purpose.

The competent supervisory authority is that of the Member State where the data exporter is established. For UK-based data exporters: the Information Commissioner's Office (ICO).

Annex II & III

Annex II (TOMs): Schedule 2 of this DPA is incorporated in its entirety.

Annex III (Sub-processors): Schedule 1 of this DPA is incorporated in its entirety.

Module and Clause Selections

ClauseSelection
Clause 7 (Docking)Not included.
Clause 9 (Sub-processors)Option 2 — General Written Authorisation. Notice period: 30 days (per clause 1.5.2 of this DPA).
Clause 11 (Redress)Optional redress language not included.
Clause 13 (Supervision)Supervisory authority as identified in Annex I.C.
Clause 17 (Governing Law)Law of the Member State where the data exporter is established; for non-EU exporters, the law of an EU Member State that allows for third-party beneficiary rights.
Clause 18 (Jurisdiction)Courts of the Member State identified in Clause 17.
General Terms

General Terms

Limitation of Liability

Each party's liability arising out of or related to this DPA is subject to the Limitation of Liability section of the Terms of Service. InspireHUB's total liability for all claims arising under or in connection with this DPA is subject to and shall not exceed the aggregate liability cap set out in Section 2.18(d) of the Terms of Service (fees paid by Client in the twelve months preceding the event giving rise to the claim). The aggregate liability of each party and its Affiliates under this DPA and the Terms of Service is subject to the caps set out in the Terms of Service. This DPA does not create any additional, separate, or higher liability cap beyond those established in the Terms of Service.

Indemnification

In Plain Terms InspireHUB agrees to cover your direct, proven losses if InspireHUB's own material breach of this DPA caused them, subject to the limits below. You agree to cover InspireHUB's direct losses if your breach caused them. Neither party covers the other's indirect losses, regulatory fines, or regulatory investigation costs.

Each party ("Indemnifying Party") shall indemnify, defend, and hold harmless the other party and its Affiliates, officers, directors, and employees ("Indemnified Party") from and against direct and proven losses, damages, costs, and expenses (including reasonable legal fees) arising from a material breach of this DPA by the Indemnifying Party, subject to the following conditions and limitations.

InspireHUB's indemnification obligations are conditional on: (a) Client providing InspireHUB with prompt written notice of any claim; (b) InspireHUB being given sole control of the defence and settlement of the claim, except that Client retains sole control of any response to supervisory authorities and regulatory bodies in respect of Client's own independent regulatory obligations; and (c) Client providing reasonable cooperation and assistance at InspireHUB's expense.

InspireHUB's indemnification obligations under this clause do not extend to: (a) indirect, consequential, special, punitive, or exemplary damages of any kind; (b) regulatory fines, penalties, administrative sanctions, or the costs of responding to regulatory investigations or inquiries, imposed on or incurred by Client in connection with any supervisory authority or regulatory body; (c) losses arising from Client's failure to comply with its obligations as Data Controller under Applicable Laws or under this DPA; (d) losses arising from Client's provision of unlawful processing instructions to InspireHUB; (e) losses caused by third parties or events outside InspireHUB's reasonable control; or (f) any loss that Client could have avoided or mitigated by taking reasonable steps.

Each party's total aggregate indemnification liability under this clause shall not exceed the fees paid by Client to InspireHUB in the twelve (12) months immediately preceding the incident giving rise to the claim. This cap applies cumulatively across all claims and operates within — and does not increase — the overall liability caps established in the Terms of Service.

Notices

Notices under this DPA shall be in writing and delivered by email or courier to the following addresses:

InspireHUB Canada Holdings Inc. (Canadian-instance): 3850 Dougall Ave, PO Box 31085, Windsor, ON N9G 2Y2, Canada. Email: legal@inspirehub.com

Gloo, LLC (US-instance): 831 Pearl Street, Boulder, CO 80305, USA. Email: legal@inspirehub.com

InspireHUB Australia Pty Ltd (Australian-instance): Registered address on file with ASIC; contact legal@inspirehub.com to confirm current registered address.

Client notices should be sent to the Hub Owner's registered account email address, or as specified in the Terms of Service.

Dispute Resolution

In the event of a dispute arising out of or relating to this DPA, the parties shall first attempt to resolve the dispute through good faith negotiation. Either party may initiate negotiations by providing written notice to the other describing the dispute in reasonable detail. The parties shall have thirty (30) days from receipt of such notice to resolve the dispute through negotiation, after which either party may, without further obligation to negotiate, pursue resolution through the courts of competent jurisdiction as identified in the Governing Law and Precedence section below.

Governing Law and Precedence

This DPA is governed by the law applicable to the contracting entity identified in the Terms of Service: (a) the laws of the Province of Ontario and the federal laws of Canada applicable therein, for Canadian-instance clients (InspireHUB Canada Holdings Inc.); (b) the laws of the State of Colorado, USA, for US-instance clients (Gloo, LLC); and (c) the laws of the State of New South Wales, Australia, for Australian-instance clients (InspireHUB Australia Pty Ltd).

In the event of conflict: (a) this DPA prevails over the Terms of Service in respect of data protection and privacy obligations; and (b) the SCCs in Schedule 3 prevail over this DPA.

This DPA is executed in the English language. Any translation provided for convenience only; the English version governs in the event of conflict.

Severability

If any provision of this DPA is found to be invalid or unenforceable, the remainder continues in full force. The invalid provision shall be amended as necessary to give effect to the parties' original intent.

Updates to this DPA

InspireHUB may update this DPA to reflect changes in law or operations. Updates will be notified to the Hub Owner's registered email address no less than thirty (30) days before taking effect. Each updated version will carry a new version number and effective date in the document header, using the following convention: major version increments (e.g., v1.0 to v2.0) indicate material changes to Client obligations or privacy protections; minor version increments (e.g., v1.0 to v1.1) indicate administrative corrections, formatting updates, or changes required by law that do not materially affect Client obligations. The current version is always available at inspirehub.com/dpa.

If an update materially reduces the privacy protections afforded to Client or its end users, Client may notify InspireHUB in writing within thirty (30) days of receiving notice. If Client gives such notice, Client's subscription will continue under the prior DPA version for the remainder of the then-current Subscription Term. Upon renewal, the updated DPA applies. This right applies only to material reductions in privacy protection and does not apply to updates required by Applicable Laws or updates that expand Client's rights.

Execution

This DPA is incorporated into and forms part of the Terms of Service. No separate execution is required. By accepting the Terms of Service, Client agrees to be bound by this DPA as of the effective date.

Questions about this DPA? Contact InspireHUB's Privacy Officer at privacy@inspirehub.com or visit inspirehub.com/dpa. For a signed version with full 2021 SCC text appended, email privacy@inspirehub.com — available at no charge.