Data Processing Addendum
Last updated
This is the document the in-product DPA-signing flow serves. MapleGather ships an in-product compliance surface (Feature 12.14) where an Organization admin reviews and e-signs a Data Processing Addendum, receives a counter-signed PDF, and views the sub-processor list and US-region statement. This draft is the content of that DPA.
In plain terms: This addendum spells out, in contract form, how we handle your members’ data as your service provider under the California Consumer Privacy Act — what we can and can’t do with it, the vendors we use, how we protect it, and what happens when you leave. It backs up the promises in the Privacy Policy with enforceable terms.
1. Scope, roles, and definitions
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Terms of Service between MapleGather and the Organization. It governs MapleGather’s processing of Member Data on the Organization’s behalf.
- The Organization is the business that determines the purposes and means of processing Member Data.
- MapleGather is the Organization’s service provider and processes Member Data only on the Organization’s behalf and on its documented instructions.
- Capitalized terms not defined here have the meaning given in the Terms of Service. “Personal Information,” “business,” “service provider,” “sell,” and “share” have the meanings given in the CCPA/CPRA.
Regulatory scope. This DPA is a CCPA/CPRA service-provider addendum for a United States
service. The Organization’s primary records are stored in the US (Google Cloud us-central1);
certain sub-processors operate global infrastructure (e.g., edge security, AI inference), as
identified in the Sub-Processor List. MapleGather does not offer EU/EEA data
residency; this DPA does not incorporate GDPR obligations, EU Standard Contractual Clauses, or a
GDPR-style advance sub-processor-notice SLA, which are outside the Service’s scope.
Documented instructions. The Organization’s “documented instructions” consist of the Terms of Service, this DPA, the Organization’s configuration and use of the Service, and any additional written instructions the parties mutually agree to. MapleGather processes Member Data only on these instructions.
2. Details of the processing (Annex-style)
In plain terms: Here’s the who/what/why of the data we process for you.
- Subject matter: provision of the MapleGather membership-management Service.
- Duration: for the term of the Terms of Service, plus the post-termination period in Section 8.
- Nature and purpose: processing Member Data to provide membership management, billing, events, email, payments, donations, community, reporting, and administration, as directed by the Organization.
- Categories of data subjects: the Organization’s Members (members, prospective members, donors, event registrants, and similar contacts) and its admins.
- Categories of Personal Information: as described in the Privacy Policy — identifiers and contact info, profile/membership data, communication history, member-identifiable financial records, consent records, authentication artifacts, and audit-log data. Payment-card numbers are not processed by MapleGather (entered directly into Stripe; PCI SAQ-A).
3. MapleGather’s service-provider obligations and certification
In plain terms: We certify, in writing, that we’ll only use your members’ data to run the service for you — never for our own purposes, never to sell.
MapleGather shall, with respect to Member Data (Personal Information disclosed by the Organization):
- Process it only for the specific business purposes described in Section 2 (Details of the processing) — membership management, billing, events, communications, and the other Service functions listed there — and only on the Organization’s documented instructions. These purposes are stated specifically, not by generic reference to the agreement.
- Not sell it and not share it for cross-context behavioral advertising.
- Not retain, use, or disclose it for any purpose other than the business purposes specified in this DPA and the Terms of Service, including not retaining, using, or disclosing it outside the direct business relationship with the Organization.
- Not combine it with Personal Information received from other sources, except as permitted by the CCPA to perform a business purpose.
- Comply with the applicable obligations of the CCPA/CPRA and provide the same level of privacy protection as the CCPA requires of the Organization.
- Notify the Organization if MapleGather determines it can no longer meet its obligations under the CCPA.
- Grant the Organization the right to take reasonable and appropriate steps to help ensure MapleGather uses Member Data consistently with the Organization’s CCPA obligations (see Section 7).
- On notice from the Organization, stop and remediate any unauthorized use of Member Data.
Certification. MapleGather certifies that it understands the restrictions in this Section 3 and will comply with them, as required of a service provider under CCPA §1798.140.
4. Sub-processors
In plain terms: We use a small set of vetted vendors to run the service; each vendor’s data-processing addendum requires it to protect your data at least as well as we promise to. The current list is a living page, and we’ll tell you when it changes.
- MapleGather may engage sub-processors to process Member Data in connection with the Service. The current list of sub-processors — provider, service, data touched, and region — is maintained at Sub-Processor List and is incorporated into this DPA by reference.
- Each sub-processor is subject to a data-processing addendum imposing data-protection obligations at least as protective as those in this DPA.
- MapleGather remains responsible for its sub-processors’ performance of these obligations.
- Self-hosted components (our Keycloak-based authentication system) run on MapleGather’s own infrastructure and are not third-party sub-processors.
Change notification. MapleGather maintains the Sub-Processor List as the authoritative, current list; the “last updated” date changes whenever the list changes. The published list is MapleGather’s notice of sub-processor changes. MapleGather does not commit to individual advance notice of, or an objection right to, sub-processor changes.
5. Security measures (as built)
In plain terms: These are the actual protections in place — encryption, per-organization data isolation, audit logs, strong login, backups.
MapleGather maintains the following technical and organizational security measures, as built:
- Encryption in transit — TLS 1.2+ (TLS 1.3 preferred), HSTS enforced.
- Encryption at rest — database and file storage encrypted at rest; sensitive custom fields encrypted with org-level key isolation.
- Tenant isolation — logical isolation of each Organization’s data via PostgreSQL row-level security; cross-tenant exposure is a top-severity incident, tested against.
- Access controls — role-based access control; multi-factor authentication support (authenticator apps, passkeys); no plaintext credentials; secrets held in a managed secret store.
- Audit logging — append-only audit log of admin actions and structural data changes.
- Backup & recovery — automated daily backups; RPO ≤ 1 hour; RTO ≤ 4 hours.
- Monitoring & incident response — platform monitoring, alerting, and a documented incident- response procedure with the customer-notification SLA in Section 6.
MapleGather maintains these measures as binding commitments and may update or replace them from time to time, provided the updated measures do not materially reduce the overall security of Member Data (equivalent-or-better).
6. Security incidents and breach assistance
In plain terms: If your members’ data is breached, we notify you fast (within 24 hours of confirmation) and give you what you need to meet your own legal obligations.
On confirming a security breach involving Member Data, and as a matter of operational practice, MapleGather aims to:
- notify the Organization’s primary admin (and compliance contact, if configured) with an initial notification within 24 hours of confirmation and a fuller disclosure within 72 hours (scope, timeline, remediation);
- provide the information the Organization reasonably needs to meet its own breach-notification obligations to its Members and regulators; and
- for incidents originating with a sub-processor, forward incident details with MapleGather’s own context, inheriting the stricter of MapleGather’s and the sub-processor’s notification timeline.
These timeframes describe MapleGather’s operational incident-response practice and are targets, not a contractual guarantee. The Organization, as the business, is responsible for notifying its Members and any regulator (for example, a state Attorney General) as required by law; MapleGather notifies and assists the Organization so it can do so.
7. Assistance, audit, and compliance demonstration
In plain terms: We’ll help you respond to your members’ privacy requests and give you reasonable information to show your own compliance.
- Assistance with consumer requests. MapleGather provides in-product tools (data export and deletion/anonymization) that enable the Organization to respond to Member access, portability, and deletion requests, and will provide reasonable assistance on request.
- Demonstrating compliance. MapleGather will make available to the Organization information reasonably necessary to demonstrate its compliance with this DPA — for example, responses to a reasonable security questionnaire and, when available, a summary of any third-party security assessment. This is provided in lieu of an on-site audit or inspection right. MapleGather may charge a reasonable fee for requests that are excessive or repetitive, and does not commit to providing a SOC 2 report.
- Right to monitor. The Organization may take reasonable and appropriate steps to help ensure MapleGather processes Member Data consistently with the Organization’s CCPA obligations.
8. Deletion and return on termination
In plain terms: When you leave, you can export everything first; then, after the grace period, your data is deleted.
- On termination, and before purge, the Organization may export its Member Data via the self-service export feature.
- MapleGather deletes the Organization’s Member Data following the 30-day post-cancellation grace period (per Terms of Service §9); purge is terminal. Deleted data may persist in encrypted backups until those backups age out, and in any case is removed from backups within 12 months.
- Member-level deletion requests are processed by anonymization (as described in the Privacy Policy), preserving transactional and audit records without identifying data, as permitted by CCPA.
9. General
- This DPA is incorporated into the Terms of Service; in the event of a conflict on data-processing matters, this DPA controls.
- Governing law and other general terms follow the Terms of Service.