Data Processing Agreement

This Data Processing Agreement ("DPA") is part of the Terms of Service between PoliPost Canada Inc. ("PoliPost", "we", operating from British Columbia) and the organization that opens an account ("you"). It explains, in plain language, how we handle the personal information you and your supporters put into the service, and our respective privacy responsibilities under Canadian law — the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (PIPA), plus other applicable provincial privacy laws. If anything here conflicts with the Terms on a privacy matter, this DPA governs.

You are the organization that decides what supporter and contact information to collect and why — in privacy law, you are the one in control of that personal information. PoliPost is your service provider: we store and process that information only to run the features you use, and only on your instructions. We never sell it, rent it, or use it to build our own products. Our letter-drafting AI never receives your supporters' identities — but the CRM's AI features do work on the contact records you enter there (see sections 4 and 14).

"Personal Information": information about an identifiable individual (e.g., a supporter's name, email, address or postal code, the letter they wrote, a petition signature, a CRM contact record). "Supporter Data": personal information about the people your organization engages (constituents, members, contacts, decision-makers). "Service": the PoliPost platform. "Subprocessor": a third party we use to help deliver the service. "Privacy Laws": PIPEDA, BC PIPA, and other Canadian privacy laws that apply to you or us. "Security Incident": a breach of security safeguards affecting personal information.

We process: (a) account data (your team's names, emails, roles and login/security data); (b) Supporter Data your organization collects through letters, petitions, polls, the CRM, imports and integrations; and (c) usage and audit records. We process it only to: deliver the features you turn on, keep the service secure, provide support, meet legal obligations, and bill you. The categories and purposes track what the service visibly does — nothing more. Important — the CRM and AI: the CRM includes AI features (such as the AI copilot and insights). Anything you enter in the CRM — including detailed contact information, notes and interaction history — is processed by those AI features to provide them. By default that processing uses AI providers outside Canada — currently DeepSeek (in China), with Anthropic and OpenAI (in the United States) as backups — and on non-sovereign plans those providers may use what they process (including these CRM records and the content of AI-assisted letter drafts) to train and improve their AI models. The optional Canadian Sovereignty add-on keeps this processing with a Canadian AI provider (Augure) and contractually disables model training. You decide what goes into the CRM (see section 14).

We act on your documented instructions, which are: your use of the service, your settings, and this DPA. If we believe an instruction would break a Privacy Law, we'll tell you. You confirm you have the authority and a lawful basis (including any required consent) to collect and put into the service the personal information you upload, and to instruct us to process it.

Everyone at PoliPost who can touch personal information is bound by confidentiality and works on a least-privilege, need-to-know basis. Administrative access is logged.

We use safeguards appropriate to the sensitivity of the information, including: encryption in transit (HTTPS/TLS, HSTS); encryption at rest of personal-information fields (names, emails and similar are stored encrypted, never in clear text); passwords stored only as salted bcrypt hashes and screened against known-breached passwords; optional two-factor authentication and passkeys; blind-index hashes so we can look a record up without exposing the underlying value; role-based access controls; audit logging; and new-device sign-in alerts. Canadian hosting (see "Where your data lives"). No system is perfectly secure, but we work to keep these measures current.

We use a small, vetted set of subprocessors, each receiving only what it needs for its task; our letter-drafting AI never receives a supporter's identity (the CRM's AI features, which you control, do process the CRM records you enter — see sections 4 and 14). The current list — each provider's role, the data it sees, its location, and a link to its privacy policy — is published in our Subprocessor list and forms part of this DPA. We remain responsible to you for our subprocessors. We'll give you advance notice (by email or in-app) before a new or replacement subprocessor starts handling your personal information; if you reasonably object on privacy grounds within 30 days, you may terminate the affected service and export your data as your remedy. If we add or change a subprocessor in a way that materially affects this DPA — including a material change to the published Subprocessor list incorporated above — we follow the "Changes" process below and notify you of it.

Your account and Supporter Data are hosted in Canada — on servers operated by FullHost, a Canadian company, in Vancouver, British Columbia. A few subprocessors operate outside Canada and receive limited or no Supporter Data — for example billing (Stripe) and bot-protection (Cloudflare), which receive no supporter content, and the optional supporter ID-verification (Didit), which you choose to enable per campaign. Each is disclosed in the Subprocessor list. Personal information handled outside Canada is subject to the laws of that jurisdiction; we handle any cross-border transfers in line with PIPEDA. The optional Canadian Sovereignty add-on keeps your AI (including the CRM's AI features), outbound email, and printed mail entirely with Canadian providers. By default (without that add-on), AI letter-drafting and the CRM's AI features run through providers outside Canada — in the United States, and DeepSeek in China.

Individuals have rights under Privacy Laws to access and correct their personal information, and to withdraw consent. You can view, export, correct, and delete records directly in the service. If an individual contacts us directly about data we hold for you, we'll refer them to you and help you respond as the organization in control of that information.

If we become aware of a Security Incident affecting your personal information, we'll notify you without undue delay (and in any event within 72 hours of confirming it) and give you the information you reasonably need to assess it and meet your obligations under PIPEDA's breach-reporting rules (which can require reporting to the Office of the Privacy Commissioner of Canada and notifying affected individuals where there is a real risk of significant harm). You are responsible for deciding on, and making, any notifications you are legally required to give.

We keep your data while your account is active. You can delete records yourself at any time in the service. If you cancel, your data stays exportable for 30 days, after which we delete it from our active systems; routine backups age out on our normal cycle. We may keep limited records where the law requires (e.g., billing/tax, and the lobbying-compliance records you've generated) and de-identified or aggregate data that can't identify anyone. When we de-identify, we remove direct identifiers and the deterministic indexes that could re-link a person, in line with the federal and provincial Privacy Commissioners' de-identification guidance — recognizing that no de-identification is perfectly irreversible, especially against AI-assisted re-identification.

On reasonable written request (normally no more than once a year, and treated as confidential), we'll provide information to help you confirm we're meeting this DPA — such as a summary of our security measures, our subprocessor list, and this agreement.

You're responsible for: collecting personal information lawfully and with any required consent; the accuracy of what you upload; managing your team's access; honouring individuals' choices (e.g., unsubscribes); and not putting categories of sensitive information into the service that it isn't designed to handle. Because the CRM's AI features process whatever you enter in the CRM — including detailed contact information — you are responsible for ensuring you do not enter into the CRM any personal information you are not permitted to collect, use, disclose to our subprocessors, or have analyzed by AI under applicable Privacy Laws and the consents you hold. Because non-sovereign plans send that information to AI subprocessors outside Canada (including in the United States and China) that may train their models on it, you confirm that, for every individual whose personal information you put into the service on a non-sovereign plan, you have given all notices and obtained all consents that applicable Privacy Laws require for (a) that cross-border processing and (b) that model-training use. If you cannot or do not wish to obtain those consents, use the Canadian Sovereignty add-on. You'll use the service in line with the Terms and applicable law.

This DPA is part of, and governed by, the Terms — including their limits of liability, disclaimers, dispute-resolution and governing-law provisions. For privacy and data-protection matters specifically, this DPA controls if it conflicts with the rest of the Terms.

This DPA applies for as long as we process personal information for you, and the parts about returning/deleting data and confidentiality continue to apply after your account ends.

If we make a material change to this DPA, we'll give you at least 15 days' notice (matching the Terms) and post the updated version with a new version number and date. During that window a notice appears in your account asking you to review and accept. If you don't accept within 15 days, access to the service may be limited until you do — you'll still be able to sign in to review and accept the updated agreement. We keep a record of which version you accepted, when, and by whom.

This DPA is governed by the laws of British Columbia and the federal laws of Canada that apply there, consistent with the Terms. Privacy questions: privacy@polipost.ca.

Roles: you are the controller; PoliPost is the service provider/processor. Individuals: your team; your supporters/constituents; your CRM contacts (including decision-makers/DPOHs). Data categories: account + login/security data; supporter name, email, postal address, the letter and any optional note; petition signatures; CRM contact records, notes and interactions; usage + audit logs. Purposes: deliver the features you enable (letters, petitions, polls, CRM, monitoring), security, support, billing, legal compliance. Operations: storage, transmission, AI drafting/insights, delivery (email/print/pen), analytics, de-identification. Retention: while your account is active; 30-day export window after cancellation; letters de-identified at the end of your retention window; operational logs pruned on configurable schedules. Security: see section 7 (encryption in transit + at rest, bcrypt, MFA/passkeys, blind indexes, role-based access, audit logging). Location: Canada (FullHost, Vancouver); some subprocessors abroad; default AI outside Canada (sections 4 and 9); the Canadian Sovereignty add-on keeps AI, email and print in Canada. Subprocessors: the current list (role, data seen, location, policy link) is published and incorporated by reference (section 8).