Data Processing Addendum

Last updated: April 17, 2026 · Version 1.0

For procurement teams: this Data Processing Addendum ("DPA") is incorporated into the CivicCA Terms of Service by reference. By subscribing to a paid plan, you accept this DPA. A countersigned PDF copy is available on request — email sales@civicca.com with your agency name and we will return an executed copy within one business day.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service or in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA").

  • "Customer" means the agency, organization, or individual subscribing to CivicCA.
  • "Customer Personal Information" means personal information processed by CivicCA on behalf of Customer in providing the Service.
  • "Service" means the CivicCA board and meeting management platform.
  • "Sub-Processor" means any third party engaged by CivicCA to process Customer Personal Information.

2. Roles of the Parties

For purposes of CCPA/CPRA, the Customer is the Business and CivicCA is the Service Provider. CivicCA processes Customer Personal Information solely on behalf of the Customer and only for the purposes set forth in the Terms of Service and this DPA.

3. Scope & Purpose

CivicCA processes Customer Personal Information only for the following purposes (the "Permitted Purposes"):

  • Providing, securing, and supporting the Service;
  • Generating, storing, and serving meeting agendas, minutes, legislation, votes, attendance, speaker registrations, and related public-meeting records;
  • Providing AI-assisted summarization, transcription, and compliance analysis when explicitly enabled by Customer;
  • Detecting, preventing, and responding to security incidents, fraud, or unauthorized access;
  • Producing aggregated, de-identified statistics for product improvement;
  • Complying with legal obligations and lawful requests.

CivicCA will not:

  • Sell or share Customer Personal Information as those terms are defined under CCPA/CPRA;
  • Retain, use, or disclose Customer Personal Information outside the direct business relationship with Customer;
  • Combine Customer Personal Information with personal information received from another source, except as permitted by CCPA/CPRA §1798.140(ag)(1).

4. Categories of Personal Information

The categories of Personal Information processed under this DPA may include:

  • Identifiers: name, email, phone number, role, agency affiliation;
  • Authentication data: hashed passwords, session tokens, two-factor identifiers;
  • Public-record content: agendas, minutes, votes, attendance records, public comments, speaker registration data;
  • Audit and usage data: access logs, IP addresses, user actions taken in the Service;
  • Billing data: agency billing contact and invoice metadata (payment instruments are processed by Stripe, a separate Service Provider).

5. Security

CivicCA implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Information against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are described in the Security Overview and include, at minimum:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256);
  • Role-based access control with least-privilege principles for CivicCA personnel;
  • Multi-factor authentication for all administrative access;
  • Comprehensive audit logging of access and configuration changes;
  • Routine vulnerability scanning and quarterly third-party assessment;
  • Secure software development lifecycle practices.

6. Sub-Processors

The current list of Sub-Processors is published at civicca.com/subprocessors. CivicCA will:

  • Conduct due diligence on each Sub-Processor before engaging it;
  • Bind each Sub-Processor by written contract to data-protection obligations no less protective than those in this DPA;
  • Provide at least 30 days' prior notice of any new Sub-Processor by updating the Sub-Processors page and (for Government plan customers) by email to the procurement contact on file;
  • Remain responsible for the acts and omissions of each Sub-Processor in connection with this DPA.

Customer may object to a new Sub-Processor on reasonable data-protection grounds within 15 days of notice; if the parties cannot resolve the objection, Customer may terminate the affected portion of the Service for convenience and receive a pro-rated refund.

7. Data Subject Requests

CivicCA will provide reasonable assistance to Customer in responding to verifiable consumer requests under CCPA/CPRA, including requests to know, delete, correct, or limit use of personal information. Customer is responsible for verifying requestor identity and for the substantive response. Standard assistance is included in the Service; complex requests requiring engineering work may be billed at $200/hour with prior written approval.

8. Security Incident Notification

CivicCA will notify the Customer's designated security contact without undue delay and in no event later than 72 hours after becoming aware of a Security Incident affecting Customer Personal Information. The notification will include, to the extent then known: nature of the incident, categories and approximate volume of records affected, likely consequences, measures taken or proposed, and contact for further information. CivicCA will reasonably cooperate with Customer's legally-required breach notifications under California Civil Code §1798.29 / §1798.82.

9. Audits & Compliance Documentation

Customer may, no more than once per twelve-month period and on at least 30 days' written notice, request a copy of CivicCA's then-current security audit results, completed security questionnaires (SIG Lite, CAIQ), and a summary of penetration-test findings (with sensitive details redacted). On-site audit rights are reserved for Customers under cooperative purchasing or master service agreements and are subject to mutually agreed scope.

10. International Transfers

CivicCA processes and stores Customer Personal Information in data centers located in the United States. CivicCA does not transfer Customer Personal Information outside the United States without Customer's prior written consent.

11. Return or Deletion of Customer Personal Information

Upon termination of the Service, CivicCA will, at Customer's election:

  • Provide an export of Customer Personal Information in a commonly-used format within 30 days of the termination date; and/or
  • Delete or anonymize all Customer Personal Information within 60 days of the termination date,

except where retention is required by applicable law (e.g., California Public Records Act retention schedules, financial-records retention).

12. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Customer Personal Information.

13. Governing Law

This DPA is governed by the laws of the State of California, without regard to conflict-of-laws principles. The exclusive venue for any dispute is the state and federal courts located in Stanislaus County, California.

14. Contact

For DPA execution, security incident notification, or data-subject request coordination:
