← Back to civitar.org

Civitar Data Handling Addendum (DHA) — Institutional Accounts

This addendum extends Civitar's standard Privacy Policy and Terms of Service for Institutional accounts (newsrooms, libraries, conservation organizations, university departments). It addresses the additional data-handling guarantees institutional accounts typically require.

Effective for: Institutional accounts only (Free and Monitor consumer accounts are covered by the standard Privacy Policy and Terms of Service) Effective date: *Set per-account at signing.* Last updated: 2026-06-28

---

1. Purpose of this addendum

This DHA supplements (and does not replace) Civitar's Privacy Policy and Terms of Service. It provides the additional data-handling commitments that institutional accounts — and the legal departments reviewing them — typically request.

If any term in this DHA conflicts with the standard Privacy Policy or Terms of Service, the more protective term controls.

2. Definitions

• "Institutional Account" — a Civitar account on the Institutional tier (from $120/year, sliding scale), with multiple seats.
• "Authorized User" — an individual to whom the Institutional Account has granted access.
• "Account Data" — data collected through the Institutional Account, including Authorized User account info, saved sites, search history, briefing-generation activity, and any data submitted through Civitar features (e.g., institutional inquiry forms).
• "Service Data" — operational logs, performance metrics, and aggregated, non-identifying analytics used to operate Civitar.

3. Data Civitar processes for Institutional Accounts

We process Account Data only for the limited purpose of providing the Civitar service to Authorized Users and the institution, including:

• Authentication and account access
• Storing saved sites, search history, and briefings generated
• Sending transactional emails (one-time sign-in links, account changes, alerts the user opts into)
• Billing and subscription management (via Stripe)
• Responding to support requests
• Operating, securing, and debugging the platform

We do not process Account Data for:

• Marketing or advertising
• Profiling
• Sale to third parties
• Training of AI models other than Civitar's own service-internal models (and not on Authorized User content without explicit institutional consent)

4. Sub-processors

Civitar uses the following sub-processors. Each sees only the data described:

Sub-processor	Data accessed	Purpose	Location
Cloudflare (Workers, D1, R2, DNS)	Account data, saved sites, session data, server logs, IP / request metadata	Host the service; store account data; edge routing	US-based account (global edge)
Stripe	Card data, billing info, email	Process subscription payments	US
Resend	Email addresses, message content	Send transactional emails	US
Twilio	Phone number, message content	Send SMS alerts users opt into (not active until SMS launches)	US
Google Earth Engine	Geospatial queries (no PII)	Generate the public briefings (no Account Data)	US

Civitar will notify the Institutional Account at least 30 days before adding a new sub-processor that will have access to Account Data. The Institutional Account may object to the new sub-processor by emailing privacy@civitar.org; if Civitar and the institution cannot agree on a mitigation, the institution may terminate this DHA without penalty.

5. Data location and international transfer

All Account Data is stored on Cloudflare (D1 + R2) under Civitar's U.S.-based account and processed in the United States.

We do not currently transfer Account Data outside the United States. If we ever need to (for example, to expand to a non-U.S. cloud region for performance reasons), we will notify the Institutional Account at least 30 days in advance.

6. Security measures

Civitar implements the following technical and organizational measures:

Encryption

• In transit: all connections use TLS 1.2 or higher
• At rest: Cloudflare D1 (database) and R2 (object storage) are encrypted at rest
• No passwords: Civitar uses passwordless sign-in; one-time links and session tokens are stored only as SHA-256 hashes

Access controls

• Role-based access controls on the Civitar admin tooling (founder-only at launch)
• Administrative access to Cloudflare/Stripe protected by multi-factor authentication
• Administrative access is logged
• Authorized Users see only their own data plus institution-shared data

Operational practices

• Civitar reviews access logs monthly for anomalies
• Audit log access is available to the Institutional Account on request (with 5 business day SLA)
• Civitar maintains an incident response plan (Section 9)

7. Authorized User rights

Each Authorized User retains all rights described in the Civitar Privacy Policy, including:

• Access: see all data Civitar has about them
• Correction: fix anything wrong
• Deletion: delete their account and associated data
• Portability: download their data as JSON
• Opt-out of marketing email

The Institutional Account may not override these individual rights. If an Authorized User exercises their deletion right, their personal data is deleted; data attributable to the institution (e.g., institution-shared saved sites) is retained at the institution's direction.

8. Data retention and deletion

• Account Data: retained for the duration of the Institutional Account, plus 30 days after termination (so accidental terminations can be reversed)
• Server logs containing PII: 30 days
• Backups: Cloudflare D1 time-travel / point-in-time recovery (rolling ~30 days)
• Stripe transaction records: 7 years (held by Stripe; required for tax/audit)
• Authorized User accounts after individual deletion: 30-day reversibility window, then permanent deletion

Upon written request, Civitar will:

• Delete all Account Data within 30 days of the request
• Provide a written confirmation of deletion
• Delete data from backups as backups age out (no longer than 30 additional days)

9. Incident response

If Civitar becomes aware of a security incident that has resulted in or is reasonably likely to result in unauthorized access to, use of, or disclosure of Account Data, Civitar will:

1. Notify the Institutional Account within 24 hours of discovery (or within the timeline required by applicable law, whichever is shorter)
2. Provide a written incident report within 7 days, including:

• What happened
• When it happened (or earliest known time)
• What Account Data was affected
• What we are doing to remediate
• What steps the institution and Authorized Users should take

1. Continue providing updates as material new information is available
2. Cooperate with the Institutional Account's reasonable investigation requests

We will notify the institution even if applicable law does not require notification.

10. Audit rights

The Institutional Account may, no more than once per calendar year and with 30 days' written notice, request:

• A summary of Civitar's then-current security practices (delivered as a written document)
• Audit logs of administrative access to the Institutional Account's data over the past 90 days

For more extensive audits (penetration testing, full SOC 2 or ISO 27001 audit), Civitar will work with the institution to find a mutually agreeable arrangement. As an early-stage venture, full third-party audits are not yet available; we will provide a roadmap to compliance.

11. Data-Sharing Restrictions

Civitar will not share Account Data with any third party other than:

• The sub-processors listed in Section 4
• As required by law, with notice to the Institutional Account when permitted
• With explicit written consent of the Institutional Account
• In connection with a merger, acquisition, or sale of Civitar (with notice and the institution's right to terminate before the change of control)

12. Confidentiality

Civitar will treat Account Data as the confidential information of the Institutional Account. Civitar will not disclose Account Data except as permitted under this DHA, the Privacy Policy, the Terms of Service, or applicable law.

The Institutional Account may treat this DHA itself as confidential.

13. Liability

The liability limitations in the Terms of Service apply to this DHA. To the extent the Institutional Account has paid more than $100 in the prior 12 months, the actual amount paid serves as the cap.

14. Term and termination

This DHA is effective from the start of the Institutional Account's subscription and continues until terminated.

Either party may terminate this DHA upon 30 days' written notice if the other party materially breaches its terms and fails to cure the breach within 30 days of notice.

Upon termination, Civitar will delete Account Data per Section 8.

15. Order of precedence

If any term in this DHA conflicts with the Privacy Policy or Terms of Service, the more protective term controls. Otherwise, the Privacy Policy and Terms of Service remain in full force.

16. Modifications

Civitar may modify this DHA from time to time. Material changes will be communicated to the Institutional Account at least 60 days before they take effect. If the institution objects to a modification, it may terminate this DHA without penalty.

17. Contact

• General DHA questions: privacy@civitar.org
• Security incidents (24/7): security@civitar.org

For institutional accounts requesting custom DHA terms (e.g., from a university general counsel), email hello@civitar.org to start a redline conversation.