
Data Processing Agreement

Template — June 2026

This is the agreement that governs how MyPolity handles the data your residents provide through your portal. We publish it so your legal and security teams can review it before you ever sign. See also our security posture.

This published version is a template for review. The DPA that governs a customer is the version executed by both parties; have your counsel review it before execution.

1. Parties and roles

This Data Processing Agreement ("DPA") is between the government entity that activates a MyPolity Government Portal ("Customer") and MyPolity ("MyPolity"). It takes effect when the Customer is provisioned a portal and governs the processing of Constituent Data.

For the data a Customer’s residents provide through MyPolity, the Customer is the data controller and MyPolity is the data processor. MyPolity processes Constituent Data only on the Customer’s documented instructions and for the purposes of operating the service.

2. What is processed

Categories of data subjects: residents/constituents of the Customer’s jurisdiction, the Customer’s officials and staff.

Types of personal data: name, postal and email address, phone number, and — only where a resident opts in — date of birth and demographic fields; plus content residents submit, such as 311 issue reports, survey responses, and public comments.

Nature and purpose: to deliver the civic services the Customer enables (announcements, surveys, meetings, 311, insights) and to route a resident’s submissions to the correct jurisdiction. Processing lasts for the term of the Customer’s use of MyPolity.

3. MyPolity’s obligations as processor

Process Constituent Data only on the Customer’s documented instructions, including for transfers, unless required by law (in which case MyPolity notifies the Customer first, where legally permitted).

Ensure personnel authorized to process Constituent Data are bound by confidentiality.

Implement the technical and organizational security measures in Annex A.

Assist the Customer, taking into account the nature of processing, in responding to data-subject rights requests and in meeting the Customer’s breach-notification and impact-assessment obligations.

Make available to the Customer the information needed to demonstrate compliance with this DPA.

4. Constituent data is a public trust

MyPolity will never sell, license, rent, or share Constituent Data with lobbyists, political operatives, campaigns, advertisers, data brokers, or any commercial interest. Constituent Data exists solely to help the Customer serve and govern its residents.

MyPolity will not use Constituent Data to build partisan targeting, voter databases, or advertising products. Aggregate insights are returned only above a minimum-cell privacy floor so that no individual can be re-identified.

5. Subprocessors

MyPolity uses a small set of vetted subprocessors to run the service, listed in Annex B. Each is bound by data-protection terms no less protective than this DPA. MyPolity will give the Customer advance notice of any new subprocessor and a chance to object.

All Constituent Data is stored and processed in the United States.

6. Personal data breach

MyPolity will notify the Customer without undue delay, and in any case within 72 hours of becoming aware of a personal data breach affecting Constituent Data. The notice will describe the nature of the breach, the data and data subjects affected, likely consequences, and the measures taken or proposed.

MyPolity will reasonably assist the Customer in meeting any breach-notification duties the Customer owes to its residents or to regulators.

7. Return and deletion

On termination, and at the Customer’s choice, MyPolity will return or delete all Constituent Data within 30 days, and delete existing copies unless retention is required by law. On request, MyPolity will certify that deletion is complete.

8. Audit

MyPolity will make available, on reasonable request and no more than once per year (or after a breach), the information and documentation necessary to demonstrate compliance, including summaries of its security measures and subprocessor list.

9. General

This DPA is governed by the law of the Customer’s jurisdiction. If any term conflicts with the parties’ main agreement on the subject of data protection, this DPA controls. Liability is as set out in the main agreement.

Annex A — Security measures

Access control: row-level security (RLS) enforced in the database, so access is gated at the data layer rather than only in application code. Separate citizen and government identities. Least-privilege service credentials.

Encryption: TLS in transit (HTTPS with HSTS); encryption at rest at the database and storage layer.

Privacy by design: aggregate-only insights with a hard minimum-cell floor enforced in the query path; demographic fields are opt-in; individual records are never shown across tenants.

Operational: audit logging of administrative actions; provenance and last-verified dates on reference facts; error monitoring; scheduled backups (point-in-time recovery enabled for production customer data).

Annex B — Subprocessors

Supabase — managed PostgreSQL database and authentication (United States).

Vercel — application hosting and content delivery (United States).

Resend — transactional email delivery.

Sentry — application error monitoring (configured to avoid storing constituent personal data in error reports).