Data Processing Agreement

Last updated: June 2, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between NekoTech Ventures Inc. ("Processor" or "ChapterPulse") and the organization subscribing to ChapterPulse ("Controller" or "Customer").

1. Definitions

  • Controller: The Customer organization that determines the purposes and means of processing personal data through ChapterPulse.
  • Processor: NekoTech Ventures Inc., which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • Sub-processor: A third party engaged by the Processor to assist in processing personal data on behalf of the Controller.

2. Scope of Processing

The Processor processes personal data solely for the purpose of providing the ChapterPulse service as described in the Terms of Service. Processing activities include storing and managing member data, generating reports, sending transactional communications, and providing AI-assisted features.

3. Obligations of the Processor

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Delete or return all personal data upon termination of the agreement, at the Controller's choice
  • Make available all information necessary to demonstrate compliance

4. Sub-processors

The Processor uses the sub-processors listed on our Subprocessors page. For non-AI sub-processors, the Processor will notify the Controller at least 30 days before adding or replacing a sub-processor, and the Controller may object to a new sub-processor within 14 days of notification.

AI model providers are exempt from the 30-day notice requirement. Every AI sub-processor used by the Processor must operate under a zero data retention agreement as a hard contractual requirement, meaning prompts and responses are not stored by the provider, are not logged for human review, and are not used to train or fine-tune models. Because any permitted AI sub-processor must meet this ZDR standard, the Processor reserves the right to add, remove, or replace AI sub-processors at any time without advance notice, provided the replacement also operates under zero data retention. The Subprocessors page is the source of truth for the current list of AI providers and is kept current. This exemption applies only to AI model providers and does not extend to any other category of sub-processor.

5. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption in transit (TLS 1.3) for all data communications
  • Encryption at rest (AES-256-GCM) for sensitive credentials
  • Row-level security at the database level for tenant isolation
  • Role-based access controls with granular permissions
  • Session verification on every API request
  • Regular security monitoring and updates
  • Hosting on SOC 2 Type II certified infrastructure

6. Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach. The notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

7. Data Transfers

Personal data may be transferred to and processed in the United States and Canada where our infrastructure providers operate. For transfers from the European Economic Area, we incorporate by reference the Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914, Module 2: Controller to Processor).

8. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits shall be conducted with reasonable advance notice (minimum 30 days), during normal business hours, and no more than once per year unless required by a data protection authority or following a data breach.

The Processor will provide reasonable cooperation and access to relevant information, subject to confidentiality obligations regarding other customers' data.

9. Duration and Termination

This DPA remains in effect for the duration of the Customer's subscription to ChapterPulse. Upon termination, the Processor will delete all personal data within 30 days, unless retention is required by applicable law.

Annex 1: Details of Processing

Data Subjects

Members of the Controller's professional association chapter, event attendees, volunteer applicants, and authorized users of the ChapterPulse platform.

Categories of Personal Data

  • Contact information (names, email addresses, phone numbers, mailing addresses)
  • Professional information (association membership status, certifications, employer)
  • Event participation records (registrations, attendance)
  • Volunteer application data (postings, applications, resumes)
  • Account credentials (email, encrypted passwords via auth provider)
  • Usage data (feature usage, draft editing activity)

Processing Activities

  • Storage and management of member directory data
  • Generation and delivery of newsletters via email service integration
  • Event registration data collection and reporting
  • Automated CSV report generation and delivery
  • Volunteer posting management and application tracking
  • AI-assisted content generation and data analysis
  • Automated retrieval and synchronization of data from third-party platforms authorized by the Controller
  • User authentication and access management

Lawful Basis

The Controller determines the lawful basis for processing. Typical bases include: contract performance (providing services to chapter members), legitimate interests (chapter operations management), and consent (where required by applicable law, including CASL for commercial electronic messages).

Retention Period

Personal data is retained for the duration of the Controller's subscription. Upon termination, personal data is deleted within 30 days, except where retention is required by applicable law.

Annex 2: Technical and Organizational Measures

The Processor implements the following measures to protect personal data:

  • Encryption in transit (TLS 1.3) for all data communications
  • Encryption at rest (AES-256-GCM) for sensitive credentials
  • Row-level security at the database level for tenant isolation
  • Role-based access controls with granular permissions (17 permission types)
  • Session verification on every API request
  • Regular security monitoring and updates
  • Hosting on SOC 2 Type II certified infrastructure (Vercel, Neon, Cloudflare)
  • Zero data retention policies with AI processing providers

Contact

For DPA inquiries, contact us at:

NekoTech Ventures Inc.
Email: privacy@chapterpulse.com
Alberta, Canada