Data Protection and Data Processing - FAQs

Written by Jennifer Mars
Updated over 2 weeks ago

Below are responses to frequently asked questions. If you would like to access our controls, policies and procedures, they can be found here in our Trust Centre.

1. Are you compliant with any data protection regulations, and how do you ensure compliance?

Volunteero Response:

Yes, Volunteero is fully compliant with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable EU data protection regulations.

We ensure compliance through:

  • A dedicated Data Protection Lead who oversees internal policies, training, and audits

  • Regular internal reviews, policy updates, and Data Protection Impact Assessments (DPIAs)

  • Data Processing Agreements (DPAs) in place with all clients and third-party subprocessors

  • Support for all data subject rights (e.g. access, erasure, correction)

  • A robust incident response plan that includes timely notification procedures

  • Hosting all data within the UK and EEA, using secure and compliant infrastructure (e.g. AWS and Firebase)

  • Lawful international transfers (not expected, but supported by Standard Contractual Clauses (SCCs) if ever needed)

Volunteero is committed to upholding the highest standards of data protection and privacy across all services.


2. What kind of personal data will your software collect or process?

We collect and process personal data related to volunteers, including their name, contact details, application responses, availability, and training records. In some cases, we also process special category data, such as right-to-work documentation or the status of a criminal record check.


3. Why is this data being collected and how will it be used?

The data is used by our clients (e.g. charities or voluntary organisations) to manage volunteer recruitment, onboarding, communications, training, and ongoing engagement. We process this data on their behalf as a data processor under GDPR.


4. Who will have access to the data?

Only authorised users within the client organisation can access volunteer data. Within Volunteero, access is limited to specific trained staff (e.g. support or engineering) and only when required. All access is controlled by role-based permissions and protected by multi-factor authentication (MFA).


5. How do you make sure that the data stays safe and secure?

All data is encrypted using AES-256 at rest and TLS 1.2+ in transit. We host our platform on Amazon Web Services (AWS), which meets ISO 27001 and other relevant international security standards. We also maintain audit logs, conduct regular security testing, and enforce strict internal access control policies.


6. Will any of this data be shared with third parties or stored outside the UK or EU?

We use trusted third-party subprocessors (such as AWS and Firebase) that are based in the UK or EEA. In limited cases where services operate outside these areas, we rely on Standard Contractual Clauses (SCCs) to ensure lawful data transfer under GDPR.


7. How long will you keep the data for?

We retain data only for as long as our client instructs us to. Clients can configure retention rules, and we support manual or automatic deletion of records. We follow the principle of storing data no longer than necessary.


8. How will people know their data is being used and what their rights are?

Each organisation using Volunteero provides its own privacy notice to volunteers, which can be linked through the platform. We support clients in responding to data subject requests such as access, correction, erasure, and restriction of processing.


9. What happens if there’s a data breach or something goes wrong?

We have a documented Incident Response Plan. In the event of a confirmed personal data breach, we notify the affected client without undue delay and within 72 hours, in line with GDPR. We also provide full details of the breach, its impact, and any corrective actions taken.


10. Do you regularly review your privacy and security measures?

Yes. We conduct internal audits, vendor risk reviews, and penetration testing on a regular basis. Our policies are reviewed annually, or sooner if legislation changes. We also conduct biannual disaster recovery drills to ensure business continuity.


11. Who is responsible for data protection at your company?

We have a designated Data Protection Officer who oversees all aspects of data privacy and security. This includes staff training, policy enforcement, data protection impact assessments, and compliance monitoring. All employees receive GDPR and security training as part of their onboarding and ongoing role.