Data Processing Agreement

Last updated: April 1, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between NekoTech Ventures Inc. ("Processor" or "ChapterPulse") and the organization subscribing to ChapterPulse ("Controller" or "Customer").

1. Definitions

Controller: The Customer organization that determines the purposes and means of processing personal data through ChapterPulse.
Processor: NekoTech Ventures Inc., which processes personal data on behalf of the Controller.
Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
Sub-processor: A third party engaged by the Processor to assist in processing personal data on behalf of the Controller.

2. Scope of Processing

The Processor processes personal data solely for the purpose of providing the ChapterPulse service as described in the Terms of Service. Processing activities include storing and managing member data, generating reports, sending transactional communications, and providing AI-assisted features.

3. Obligations of the Processor

Process personal data only on documented instructions from the Controller
Ensure that persons authorized to process personal data are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Assist the Controller in responding to data subject requests
Delete or return all personal data upon termination of the agreement, at the Controller's choice
Make available all information necessary to demonstrate compliance

4. Sub-processors

The Processor uses the sub-processors listed on our Subprocessors page. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to a new sub-processor within 14 days of notification.

5. Security Measures

The Processor implements the following technical and organizational measures:

Encryption in transit (TLS 1.3) for all data communications
Encryption at rest (AES-256-GCM) for sensitive credentials
Row-level security at the database level for tenant isolation
Role-based access controls with granular permissions
Session verification on every API request
Regular security monitoring and updates
Hosting on SOC 2 Type II certified infrastructure

6. Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach. The notification will include:

A description of the nature of the breach
The categories and approximate number of data subjects affected
The likely consequences of the breach
The measures taken or proposed to address the breach

7. Data Transfers

Personal data may be transferred to and processed in the United States and Canada where our infrastructure providers operate. For transfers from the European Economic Area, we incorporate by reference the Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914, Module 2: Controller to Processor).

8. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits shall be conducted with reasonable advance notice (minimum 30 days), during normal business hours, and no more than once per year unless required by a data protection authority or following a data breach.

The Processor will provide reasonable cooperation and access to relevant information, subject to confidentiality obligations regarding other customers' data.

9. Duration and Termination

This DPA remains in effect for the duration of the Customer's subscription to ChapterPulse. Upon termination, the Processor will delete all personal data within 30 days, unless retention is required by applicable law.

Annex 1: Details of Processing

Data Subjects

Members of the Controller's professional association chapter, event attendees, volunteer applicants, and authorized users of the ChapterPulse platform.

Categories of Personal Data

Contact information (names, email addresses, phone numbers, mailing addresses)
Professional information (PMI membership status, certifications, employer)
Event participation records (registrations, attendance)
Volunteer application data (postings, applications, resumes)
Account credentials (email, encrypted passwords via auth provider)
Usage data (feature usage, draft editing activity)

Processing Activities

Storage and management of member directory data
Generation and delivery of newsletters via email service integration
Event registration data collection and reporting
Automated CSV report generation and delivery
Volunteer posting management and application tracking
AI-assisted content generation and data analysis
User authentication and access management

Lawful Basis

The Controller determines the lawful basis for processing. Typical bases include: contract performance (providing services to chapter members), legitimate interests (chapter operations management), and consent (where required by applicable law, including CASL for commercial electronic messages).

Retention Period

Personal data is retained for the duration of the Controller's subscription. Upon termination, personal data is deleted within 30 days, except where retention is required by applicable law.

Annex 2: Technical and Organizational Measures

The Processor implements the following measures to protect personal data:

Encryption in transit (TLS 1.3) for all data communications
Encryption at rest (AES-256-GCM) for sensitive credentials
Row-level security at the database level for tenant isolation
Role-based access controls with granular permissions (11 permission types)
Session verification on every API request
Regular security monitoring and updates
Hosting on SOC 2 Type II certified infrastructure (Vercel, Neon, Cloudflare)
Zero data retention policies with AI processing providers

Contact

For DPA inquiries, contact us at:

NekoTech Ventures Inc.
Email: privacy@chapterpulse.com
Alberta, Canada