Cause Shield: Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between the Customer and Cause Shield Pty Ltd (“Cause Shield”) for the provision of fraud monitoring, uptime monitoring, traffic analytics, and security scanning services. It uses GDPR Article 28 aligned pre-flow language. Where the Customer is in the European Economic Area or the United Kingdom, this DPA incorporates the Standard Contractual Clauses by reference.
01 Parties and definitions
The “Customer” is the legal entity identified in the order form (“[Customer Legal Name]”). Cause Shield is the “Processor”. “Personal Data” means donor data and any other personal data the Customer instructs Cause Shield to process. “Data Subjects” are donors, supporters, event registrants, and the Customer’s authorised users.
02 Subject matter and duration
Cause Shield processes Personal Data on behalf of the Customer for fraud detection, uptime monitoring, traffic analytics, and security scanning, for the duration of the Customer’s subscription to the Cause Shield service.
03 Nature and purpose
Processing activities include fraud scoring of donation events, classification of inbound webhook payloads, alerting on suspicious activity, dashboarding of aggregated metrics, and generation of plain-English summary emails and security reports.
04 Categories of data
- SHA-256 hashed donor email address and donor name (per-organisation pepper).
- Donation amount, currency, and timestamp.
- IP-derived country code (raw IP is dropped after derivation).
- User-agent fingerprint hash.
- Transaction metadata from Stripe and donation-platform webhooks.
- Customer staff email address and authentication identity (via Clerk).
05 Categories of data subjects
- Donors and supporters of the Customer.
- Event registrants of the Customer.
- The Customer’s authorised users (staff, volunteers, board, auditors).
06 Obligations of the Processor (Cause Shield)
Cause Shield will:
- Process Personal Data only on the Customer’s documented instructions.
- Ensure personnel authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures, including TLS 1.2+ in transit, AES-256 at rest, per-organisation Row Level Security on every Postgres table holding customer data, append-only audit logging, and least-privilege access controls.
- Notify the Customer in writing before adding or replacing a sub-processor, giving the Customer an opportunity to object on reasonable grounds.
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach.
- On termination of the agreement, return or delete all Personal Data held on behalf of the Customer at the Customer’s election.
07 Sub-processors
Cause Shield engages the sub-processors listed at causeshield.com/trust#sub-processors. That page is the authoritative, version-stamped list. Each sub-processor is bound by contractual obligations no less protective than those in this DPA.
08 International transfers and data residency
Personal Data relating to the Customer’s donors and supporters (“Customer Data”) is hosted in the AWS region selected by the Customer at sign-up:
- US: AWS us-east-1 (Northern Virginia, United States).
- Australia: AWS ap-southeast-2 (Sydney, Australia).
- Europe: AWS eu-west-1 (Dublin, Ireland), covering EU and UK Customers via the EU↔UK mutual adequacy decisions.
Cause Shield’s own operational data (internal staff, support tickets, feature requests, marketing analytics, Claude usage ledger) is hosted in AWS us-east-1 regardless of Customer-chosen region.
For Customers in the EEA or UK whose Customer Data is hosted in the EU (Ireland) region, GDPR Article 28 processor obligations are met by in-region residency. For sub-processors that remain US-hosted (Anthropic, Clerk, Resend; see Clause 13), the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) are incorporated by reference and form part of this DPA.
09 Audits and inspections
Subject to confidentiality undertakings, the Customer may, on reasonable prior written notice and not more than once per calendar year, audit Cause Shield’s compliance with this DPA at the Customer’s expense. Cause Shield will respond to reasonable written security questionnaires in lieu of on-site audits where practical.
10 Term and termination
This DPA is coterminous with the Customer’s subscription. On termination, Cause Shield will, at the Customer’s election, return or delete Personal Data within 30 days, subject to retention required by law.
11 Liability and governing law
This DPA is governed by the laws of [Governing Jurisdiction], and the parties submit to the exclusive jurisdiction of the courts of [Governing Jurisdiction]. Each party’s aggregate liability arising out of or in connection with this DPA is capped at the fees paid by the Customer to Cause Shield in the twelve months preceding the event giving rise to the liability, except for liability that cannot be excluded by law.
Plain English: We are a small Australian company. This DPA is good-faith starter language. A qualified lawyer in your jurisdiction should review before counter-signature for high-stakes deployments.
12 Supporter correlation (Trails feature)
When customers enable Supporter Trails (Partner tier and above), Cause Shield correlates donation events received from Stripe, fundraising-platform webhooks, and (if explicitly enabled by the customer) site tracking events, into a per-supporter view scoped to the customer’s organisation. The supporter row carries two parallel stores: a SHA-256 hash of email and name (per-organisation pepper) used for correlation regardless of mode, and an optional plaintext copy used only for display.
Plaintext donor identifiers are stored on the supporter row when the Customer’s organisation is in “unmasked” mode (the default for new accounts). This applies uniformly to events received from Stripe AND from the smart-webhook receiver: the display behaviour is governed by the Customer-controlled privacy setting, not by the ingest path. Customers may flip to “masked” mode at any time from their organisation settings; once set, new events store hash-only and plaintext donor identifiers are hidden from the user interface and from AI-generated supporter summaries.
Independent of mode, the inbound webhook payload itself (stored verbatim alongside the event for debugging and re-classification) has donor email and name redacted at write time, replaced with hash sentinels.
13 AI processing (Anthropic sub-processor)
Cause Shield uses Anthropic, PBC (“Anthropic”) as a sub-processor for artificial-intelligence inference. Anthropic’s Claude API is used to (i) score donation transactions for fraud risk, (ii) classify inbound webhook payloads from fundraising platforms, (iii) generate plain-English narratives that appear in the customer’s dashboard and digest emails, and (iv) produce monthly security and accessibility scan reports.
To perform (ii), the contents of the inbound webhook payload (which typically contain the donor’s plaintext email address and name) transit Anthropic’s API for the duration of the inference call. Cause Shield hashes these identifiers before persistent storage; Anthropic is the only sub-processor that sees the plaintext donor identifiers en route to that hash. Free-text fields longer than 500 characters (e.g. donor comments, biography fields) are stripped from the payload before transmission to Anthropic.
Under Anthropic’s commercial terms in force at the date of this DPA, Anthropic does not use customer API inputs or outputs to train its models. Anthropic retains API logs for a limited operational window (currently 30 days at the date of this DPA) for trust-and-safety review, after which they are deleted. Anthropic offers Zero Data Retention (ZDR) on request; Cause Shield will work with enterprise Customers on request to obtain ZDR for the Customer’s inference traffic.
Anthropic is bound by contractual obligations no less protective than those in this DPA. Anthropic’s privacy notice is available at anthropic.com/legal/privacy.