Back to homepage

Data Processing Agreement (DPA)

MUNICIPAL LABS

1. Roles

  • Controller: The government office using Municipal Labs.
  • Processor: Municipal Labs, processing data solely on the Controller's documented instructions.

2. Personal Data Processed

  • Constituent messages, contact information, and attachments.
  • Government user account information.
  • System, security, and audit logs.

3. Processing Purposes

Municipal Labs processes personal data to:

  • Provide, maintain, and support the Municipal Labs platform.
  • Classify, analyze, and organize constituent communications.
  • Ensure security, reliability, and operational continuity of the Service.

4. Confidentiality

All Municipal Labs personnel with access to personal data are bound by confidentiality obligations. Data is only accessed as needed to provide, secure, or support the platform in accordance with the Controller's instructions.

5. Security Measures

Municipal Labs implements appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit and at rest where appropriate.
  • Access controls and role-based permissions.
  • Security monitoring, logging, and alerting.
  • Regular backups and tested recovery procedures.
  • Vulnerability management and security reviews.

6. Subprocessors

Municipal Labs may engage authorized subprocessors, such as cloud hosting, logging, and email providers, to support delivery of the Service. Municipal Labs remains responsible for the performance of subprocessors and will ensure they are subject to data protection obligations at least as protective as those in this DPA.

7. Data Subject Rights

Municipal Labs will reasonably assist the Controller in responding to requests from data subjects to exercise rights of access, correction, deletion, or other rights available under applicable law, to the extent such requests relate to data processed on behalf of the Controller.

8. Breach Notification

Municipal Labs will notify the Controller without undue delay after becoming aware of a personal data breach affecting data processed on the Controller's behalf. The notification will include, to the extent known:

  • The nature of the breach.
  • The categories of data and data subjects affected.
  • Actions taken or proposed to address and mitigate the breach.
  • Recommendations to help the Controller meet any legal or notification obligations.

9. Data Return and Deletion

Upon termination of the Services or upon the Controller's request, Municipal Labs will delete or return personal data processed on the Controller's behalf, unless retention is required by law. Backups containing personal data will be deleted on their normal rotation schedule.

10. Governing Law

This Data Processing Agreement is governed by the laws of the State of New Jersey, without regard to its conflict of laws principles, and follows the governing law provisions in the underlying agreement between Municipal Labs and the Controller.