What the DPA covers
- Roles: your organization is the data controller; Sembr is the data processor.
- Processing scope: Sembr processes member records, dues, event data, and communications as instructed by your organization, solely to operate your Sembr workspace.
- Confidentiality: Sembr personnel with access to your data are bound by confidentiality obligations.
- Security measures: encryption in transit (TLS 1.2+) and at rest (AES-256). Tenant isolation via row-level security. Audit logs for sensitive operations.
- Subprocessors: authorized subprocessors are listed at /subprocessors. 30-day notice on any addition or change.
- Data subject rights: Sembr provides tooling for your organization to fulfill DSARs (access, deletion, rectification). See /dsar.
- Breach notification: Sembr notifies your organization within 72 hours of a confirmed breach affecting your data.
- Audit rights: annual SOC 2 Type II audit at Sembr's expense; report available on request under NDA.
- Sub-EU / sub-UK transfers: Standard Contractual Clauses (SCCs) for any transfer outside the EU/UK/Canada.
- Term: runs concurrently with the main subscription agreement. Survives termination for any retained data.
Request a signed copy
We are drafting the full legal text with privacy counsel ahead of public launch. To request a copy today, use the contact link in the footer. We will send the current draft and an electronic signature link.