This is a starter DPA template. Customers who need a counter-signed DPA should contact billing@causeshield.com.
Data Processing Agreement
Last updated May 13, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer and Cause Shield Pty Ltd (“Cause Shield”) for the provision of fraud monitoring, uptime monitoring, traffic analytics, and security scanning services. It uses GDPR Article 28-aligned pre-flow language. Where the Customer is in the European Economic Area or the United Kingdom, this DPA incorporates the Standard Contractual Clauses by reference.
Parties and definitions
The “Customer” is the legal entity identified in the order form (“[Customer Legal Name]”). Cause Shield is the “Processor”. “Personal Data” means donor data and any other personal data the Customer instructs Cause Shield to process. “Data Subjects” are donors, supporters, event registrants, and the Customer’s authorised users.
Subject matter and duration
Cause Shield processes Personal Data on behalf of the Customer for fraud detection, uptime monitoring, traffic analytics, and security scanning, for the duration of the Customer’s subscription to the Cause Shield service.
Nature and purpose
Processing activities include fraud scoring of donation events, classification of inbound webhook payloads, alerting on suspicious activity, dashboarding of aggregated metrics, and generation of plain-English summary emails and security reports.
Categories of data
- SHA-256 hashes of the donor email address and donor name, computed with a per-organisation pepper.
- Donation amount, currency, and timestamp.
- IP-derived country code (raw IP is dropped after derivation).
- User-agent fingerprint hash.
- Transaction metadata from Stripe and donation-platform webhooks.
- Customer staff email address and authentication identity (via Clerk).
Categories of data subjects
- Donors and supporters of the Customer.
- Event registrants of the Customer.
- The Customer’s authorised users (staff, volunteers, board, auditors).
Obligations of the Processor (Cause Shield)
Cause Shield will:
- Process Personal Data only on the Customer’s documented instructions.
- Ensure personnel authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures, including TLS 1.2+ in transit, AES-256 at rest, per-organisation Row Level Security on every Postgres table holding customer data, append-only audit logging, and least-privilege access controls.
- Notify the Customer in writing before adding or replacing a sub-processor, giving the Customer an opportunity to object on reasonable grounds.
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach.
- On termination of the agreement, return or delete all Personal Data held on behalf of the Customer at the Customer’s election.
Sub-processors
Cause Shield engages the sub-processors listed at /trust#sub-processors. That page is the authoritative, version-stamped list. Each sub-processor is bound by contractual obligations no less protective than those in this DPA.
International transfers
Personal Data is hosted in AWS us-east-1. Australian-residency hosting (Supabase Sydney region) is available as a separate-project option on request. For Customers in the European Economic Area or the United Kingdom, the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) are incorporated by reference and form part of this DPA.
Audits and inspections
Subject to confidentiality undertakings, the Customer may, on reasonable prior written notice and not more than once per calendar year, audit Cause Shield’s compliance with this DPA at the Customer’s expense. Cause Shield will respond to reasonable written security questionnaires in lieu of on-site audits where practical.
Term and termination
This DPA is coterminous with the Customer’s subscription. On termination, Cause Shield will, at the Customer’s election, return or delete Personal Data within 30 days, subject to retention required by law.
Liability and governing law
This DPA is governed by the laws of [Governing Jurisdiction], and the parties submit to the exclusive jurisdiction of the courts of [Governing Jurisdiction]. Each party’s aggregate liability arising out of or in connection with this DPA is capped at the fees paid by the Customer to Cause Shield in the twelve months preceding the event giving rise to the liability, except for liability that cannot be excluded by law.
Plain English: We are a small Australian company. This DPA is good-faith starter language. A qualified lawyer in your jurisdiction should review before counter-signature for high-stakes deployments.
Supporter correlation (Trails feature)
When customers enable Supporter Trails (Partner tier and above), Cause Shield correlates donation events received from Stripe, fundraising-platform webhooks, and (if explicitly enabled by the customer) site tracking events, into a per-supporter view scoped to the customer’s organisation. Plaintext email addresses received from Stripe are retained for display purposes within the customer’s account. Email addresses received via the smart-webhook receiver remain hashed; correlation is performed using the per-organisation hash. Customers may opt into a “masked PII” mode at any time from their organisation settings, which prevents plaintext donor identifiers from being displayed in the user interface and from being included in AI-generated supporter summaries. The list of sub-processors handling correlation outputs (including Anthropic for AI-generated summaries) is published at causeshield.com/security/subprocessors.
Questions or counter-signature requests: billing@causeshield.com. Security disclosures: security@causeshield.com.