This is a starter DPA template. Customers needing a counter-signed DPA should contact billing@causeshield.com.
Data Processing Agreement
Last updated June 19, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer and Cause Shield Pty Ltd (“Cause Shield”) for the provision of fraud monitoring, uptime monitoring, traffic analytics, and security scanning services. It uses GDPR Article 28 aligned pre-flow language. Where the Customer is in the European Economic Area or the United Kingdom, this DPA incorporates the Standard Contractual Clauses by reference.
Parties and definitions
The “Customer” is the legal entity identified in the order form (“[Customer Legal Name]”). Cause Shield is the “Processor”. “Personal Data” means donor data and any other personal data the Customer instructs Cause Shield to process. “Data Subjects” are donors, supporters, event registrants, and the Customer’s authorised users.
Subject matter and duration
Cause Shield processes Personal Data on behalf of the Customer for fraud detection, uptime monitoring, traffic analytics, and security scanning, for the duration of the Customer’s subscription to the Cause Shield service.
Nature and purpose
Processing activities include fraud scoring of donation events, classification of inbound webhook payloads, alerting on suspicious activity, dashboarding of aggregated metrics, and generation of plain-English summary emails and security reports.
Categories of data
- SHA-256 hashed donor email address and donor name (per-organisation pepper).
- Donation amount, currency, and timestamp.
- IP-derived country code (raw IP is dropped after derivation).
- User-agent fingerprint hash.
- Transaction metadata from Stripe and donation-platform webhooks.
- Customer staff email address and authentication identity (via Clerk).
Categories of data subjects
- Donors and supporters of the Customer.
- Event registrants of the Customer.
- The Customer’s authorised users (staff, volunteers, board, auditors).
Obligations of the Processor (Cause Shield)
Cause Shield will:
- Process Personal Data only on the Customer’s documented instructions.
- Ensure personnel authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures, including TLS 1.2+ in transit, AES-256 at rest, per-organisation Row Level Security on every Postgres table holding customer data, append-only audit logging, and least-privilege access controls.
- Notify the Customer in writing before adding or replacing a sub-processor, giving the Customer an opportunity to object on reasonable grounds.
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach.
- On termination of the agreement, return or delete all Personal Data held on behalf of the Customer at the Customer’s election.
Sub-processors
Cause Shield engages the sub-processors listed at /trust#sub-processors. That page is the authoritative, version-stamped list. Each sub-processor is bound by contractual obligations no less protective than those in this DPA.
International transfers and data residency
Personal Data relating to the Customer’s donors and supporters (“Customer Data”) is hosted in the AWS region selected by the Customer at sign-up:
- US: AWS us-east-1 (Northern Virginia, United States).
- Australia: AWS ap-southeast-2 (Sydney, Australia).
- Europe: AWS eu-west-1 (Dublin, Ireland), for EU and UK Customers. The UK is covered by the EU’s adequacy decision for the UK and the UK’s mutual adequacy decision for the EU, meaning data hosted in Ireland satisfies UK GDPR residency requirements without a separate UK region.
Cause Shield’s own operational data (internal staff records, support ticket history, feature requests, the marketing site analytics, and the Claude API usage ledger) is hosted in AWS us-east-1 regardless of the Customer’s chosen region. This separation lets Cause Shield run a single operations stack while honouring per-customer residency on donor-facing data.
For Customers in the European Economic Area or the United Kingdom whose Customer Data is hosted in the EU (Ireland) region, GDPR Article 28 processor obligations are met by in-region residency without reliance on cross-border transfer mechanisms for the primary donor data set.
Three sub-processors remain hosted outside the Customer’s region regardless of the chosen residency: Anthropic (Claude API, United States; see Clause 13), Clerk (authentication, United States, except on Clerk’s Enterprise tier), and Resend (transactional email, United States). For these sub-processors, the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) are incorporated by reference and form part of this DPA. Customers requiring strict no-US-transit residency for these surfaces should contact Cause Shield to discuss timing for EU-region replacements (on the roadmap).
Audits and inspections
Subject to confidentiality undertakings, the Customer may, on reasonable prior written notice and not more than once per calendar year, audit Cause Shield’s compliance with this DPA at the Customer’s expense. Cause Shield will respond to reasonable written security questionnaires in lieu of on-site audits where practical.
Term and termination
This DPA is coterminous with the Customer’s subscription. On termination, Cause Shield will, at the Customer’s election, return or delete Personal Data within 30 days, subject to retention required by law.
Liability and governing law
This DPA is governed by the laws of [Governing Jurisdiction], and the parties submit to the exclusive jurisdiction of the courts of [Governing Jurisdiction]. Each party’s aggregate liability arising out of or in connection with this DPA is capped at the fees paid by the Customer to Cause Shield in the twelve months preceding the event giving rise to the liability, except for liability that cannot be excluded by law.
Plain English: We are a small Australian company. This DPA is good-faith starter language. A qualified lawyer in your jurisdiction should review before counter-signature for high-stakes deployments.
Supporter correlation (Trails feature)
When customers enable Supporter Trails (Partner tier and above), Cause Shield correlates donation events received from Stripe, fundraising-platform webhooks, and (if explicitly enabled by the customer) site tracking events, into a per-supporter view scoped to the customer’s organisation. The supporter row carries two parallel stores: a SHA-256 hash of email and name (per-organisation pepper) used for correlation regardless of mode, and an optional plaintext copy used only for display.
Plaintext donor identifiers are stored on the supporter row when the Customer’s organisation is in “unmasked” mode (the default for new accounts). This applies uniformly to events received from Stripe AND from the smart-webhook receiver: the display behaviour is governed by the Customer-controlled privacy setting, not by the ingest path. Customers may flip to “masked” mode at any time from their organisation settings; once set, new events store hash-only and plaintext donor identifiers are hidden from the user interface and from AI-generated supporter summaries. Existing plaintext on rows from before the mode change is not retroactively scrubbed unless the Customer requests it.
Independent of mode, the inbound webhook payload itself (stored verbatim alongside the event for debugging and re-classification) has donor email and name redacted at write time, replaced with hash sentinels. Other PII classes flagged by the classifier (phone numbers, addresses, free-text notes) are hashed or removed on the same write path. The list of sub-processors handling correlation outputs (including Anthropic for AI-generated summaries) is published at causeshield.com/trust#sub-processors.
AI processing (Anthropic sub-processor)
Cause Shield uses Anthropic, PBC (“Anthropic”) as a sub-processor for artificial-intelligence inference. Anthropic’s Claude API is used to (i) score donation transactions for fraud risk, (ii) classify inbound webhook payloads from fundraising platforms, (iii) generate plain-English narratives that appear in the customer’s dashboard and digest emails, and (iv) produce monthly security scan and accessibility scan reports.
To perform (ii), the contents of the inbound webhook payload (which typically contain the donor’s plaintext email address and name) transit Anthropic’s API for the duration of the inference call. Cause Shield hashes these identifiers before persistent storage; Anthropic is the only sub-processor that sees the plaintext donor identifiers en route to that hash. Free-text fields longer than 500 characters (e.g. donor comments, biography fields) are stripped from the payload before transmission to Anthropic.
Under Anthropic’s commercial terms in force at the date of this DPA, Anthropic does not use customer API inputs or outputs to train its models. Anthropic retains API logs for a limited operational window (currently 30 days at the date of this DPA) for trust-and-safety review, after which they are deleted. Anthropic offers Zero Data Retention (ZDR) on request; Cause Shield will work with enterprise Customers on request to obtain ZDR for the Customer’s inference traffic.
Customers may opt into “masked PII” mode from their organisation settings, which prevents plaintext donor identifiers from being displayed in the user interface and from being included in AI-generated supporter narratives. Anthropic is bound by contractual obligations no less protective than those in this DPA. Anthropic’s privacy notice is available at anthropic.com/legal/privacy.
Questions or counter-signature requests: billing@causeshield.com. Security disclosures: security@causeshield.com.