Some engagements involve RAEFORM processing data on a client's behalf: donor records, applicant data, spreadsheets, or systems we're asked to rebuild or maintain. This page describes the baseline terms that apply in that situation. A specific engagement may layer additional terms on top of this baseline in its own agreement.
In this context, the client is the data controller: they decide what data is collected and why. RAEFORM acts as a data processor: we handle that data only to deliver the agreed work, and only on the client's documented instructions.
Where a project requires third-party infrastructure (hosting, database, email delivery, or similar), we choose providers with their own security commitments and only pass along the data needed for that specific function.
This page describes our default approach. Clients with specific compliance requirements (a particular regulatory framework, a grant funder's data terms, etc.) should raise it during scoping so we can address it in the engagement's signed agreement.
Questions about how a specific engagement handles data can be sent to raeformtoday@gmail.com.