Terms of Service - RebuildNH

1. Acceptance of Terms

By accessing or using NH Civic CRM ("the Service"), operated by 1772 Strategies LLC ("Service Provider," "we," "our," or "us"), including our website, platform, APIs, and all related services, you ("Customer," "you," or "your") agree to be bound by these Terms of Service. If you do not agree to all terms, do not use the Service.

These terms apply to organizations ("Organizations") that subscribe to the Service and to individual users ("Users") who access the Service on behalf of an Organization. By creating an account or accepting an invitation to join an Organization, you confirm that you have the authority to bind that Organization to these terms.

2. Description of Services

NH Civic CRM is a multi-tenant software-as-a-service (SaaS) platform that provides civic engagement and constituent relationship management tools including:

Contact and supporter management
Online fundraising and donation processing
Email marketing and communications
Event management and RSVP tracking
Petition and action alert campaigns
Testimony submission tools
Legislative tracking and advocacy tools
SMS/text messaging (where enabled)
Surveys and data collection
Reporting and analytics

3. Data Ownership

Your data belongs to you. All data entered into or collected through the Service by your Organization - including but not limited to contacts, donor records, email lists, event attendees, petition signatures, survey responses, custom fields, notes, tags, and communication history - is and remains the sole property of your Organization ("Customer Data").

The Service Provider claims no ownership, intellectual property rights, or license over Customer Data beyond what is strictly necessary to operate the Service on your behalf.

You grant the Service Provider a limited, non-exclusive license to process, store, and transmit Customer Data solely for the purpose of providing the Service to you.

4. Data Isolation and Multi-Tenant Security

Your data is completely isolated from other organizations. NH Civic CRM is a multi-tenant platform, meaning multiple organizations use the same application. However, all Customer Data is strictly separated at the database level by Organization. Specifically:

No cross-organization visibility: Users of one Organization cannot view, access, search, or interact with the data of any other Organization under any circumstances.
Database-level isolation: Every data query is filtered by Organization ID. Contacts, donations, email lists, events, petitions, and all other records are scoped exclusively to the Organization that owns them.
User access is organization-bound: Users can only access the Organization(s) they have been explicitly invited to and granted access to by an Organization administrator.
No data aggregation across organizations: We do not aggregate, combine, analyze, or derive insights from Customer Data across different Organizations.

5. Data Privacy and Non-Disclosure

We do not sell, share, rent, trade, or disclose your data to any third party. This commitment is absolute and covers all Customer Data, including but not limited to:

Contact information (names, emails, phone numbers, addresses)
Donor and financial records
Email lists and communication history
Supporter activity and engagement data
Petition signatures and testimony submissions
Event attendance records
Survey responses
Custom fields and notes
Any other data collected through the Service

We will not disclose Customer Data to any third party except:

Payment processors: Donation and payment data is transmitted to Stripe for payment processing. Stripe's handling of this data is governed by Stripe's Privacy Policy.
Email delivery: Email addresses and message content are transmitted to Amazon Web Services Simple Email Service (AWS SES) for the sole purpose of delivering emails you send through the platform.
SMS messaging: When SMS features are enabled, phone numbers and message content are transmitted to Amazon Web Services Pinpoint for the sole purpose of delivering text messages you send through the platform.
Voice calling: When phone banking features are used, phone numbers are transmitted to Twilio for the purpose of facilitating calls initiated by your Organization's users.
Legal obligation: If required by a valid court order, subpoena, or other binding legal process, we will notify you before disclosing data unless legally prohibited from doing so.

We do not use Customer Data for advertising, marketing, profiling, data brokerage, or any purpose other than providing the Service to you.

6. Service Provider Access to Customer Data

The Service Provider may access Customer Data only under the following limited circumstances:

Technical support and troubleshooting: When you contact us for help with a technical issue, our support team may log into your account or access your data to diagnose and resolve the problem. We will only access the minimum data necessary to address the issue.
System maintenance and reliability: We may access data at the infrastructure level (e.g., database maintenance, backup verification, performance monitoring) to ensure the Service operates correctly. This access is performed by authorized personnel only.
Security incident response: In the event of a suspected security breach or abuse of the platform, we may review relevant data to investigate and mitigate the threat.
At your request: If you ask us to perform a specific action on your data (e.g., data migration, bulk updates, or custom queries), we will do so as directed.

The Service Provider will NOT:

Browse, review, or access Customer Data for curiosity, marketing, competitive analysis, or any purpose unrelated to operating the Service
Share Customer Data with employees or contractors who do not have a legitimate need to access it
Use Customer Data to contact your supporters, donors, or contacts for any reason
Retain copies of Customer Data beyond what is needed for backups and disaster recovery

All Service Provider personnel with potential access to Customer Data are bound by confidentiality obligations.

7. Data Security

We implement industry-standard security measures to protect Customer Data, including:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS). HSTS is enforced on all domains.
Database security: PostgreSQL databases are configured to listen on localhost only and are not exposed to the internet. Authentication uses scram-sha-256.
Access controls: Server access is restricted to authorized personnel via SSH key authentication. Database connections are restricted to localhost only and are not exposed to the internet.
Firewall protection: Network firewalls restrict access to only necessary ports and services.
Intrusion prevention: Automated intrusion detection and prevention systems are in place (Fail2ban).
Automatic security updates: Server operating systems receive automatic security patches.
Password security: User passwords are hashed using industry-standard algorithms and are never stored in plaintext.
CSRF protection: Cross-site request forgery protection is enabled on all authenticated forms.
Webhook verification: All incoming webhooks (Stripe, Anedot, AWS SES) require cryptographic signature verification.
Rate limiting: Login and public form endpoints are rate-limited to prevent brute-force attacks.
File upload validation: Uploaded files are validated by both extension and content (magic byte verification).

8. Data Integrity

We are committed to maintaining the accuracy, consistency, and reliability of Customer Data:

Database integrity: We use PostgreSQL with ACID-compliant transactions to ensure data consistency. Foreign key constraints, unique constraints, and validation rules are enforced at the database level.
Backup and recovery: All databases are backed up daily to encrypted cloud storage (Amazon S3) with 90-day retention. In the event of data loss, we will restore from the most recent backup and notify affected Organizations promptly.
No unauthorized modification: Customer Data is only modified through authenticated actions by authorized Users of the Organization, through authorized API integrations, or through Service Provider maintenance as described in Section 6.
Audit trail: The platform maintains activity logs of significant actions (contact creation, donations, email sends, etc.) to support accountability and troubleshooting.
Uptime commitment: We make commercially reasonable efforts to maintain Service availability. Scheduled maintenance will be communicated in advance when possible.

9. Data Export

Organization administrators can export their data at any time. The Service provides built-in data export functionality including:

Full contact list export (CSV) with all fields, tags, custom fields, and activity data
Donation and financial records export (CSV/XLSX)
Event attendee and RSVP export (CSV)
Petition signature export (CSV)
Email campaign recipient and engagement data export (CSV)
Survey response export (CSV)

Only Users with appropriate access levels can perform data exports.

If you need a complete data export in a format not available through the platform, contact us at support@nhcivicrm.com and we will provide it within a reasonable timeframe at no additional charge.

10. Data Deletion

Organization administrators can delete their data at any time. You have full control over your data:

Individual record deletion: Administrators can delete contacts, donations, events, email blasts, surveys, lists, and other records through the platform at any time.
Bulk deletion: Administrators can perform bulk deletions of contacts as needed.
Account cancellation: Upon cancellation of your subscription, you may request complete deletion of all Customer Data by contacting support@nhcivicrm.com.
Deletion timeline: Upon receiving a complete deletion request, all Customer Data will be permanently removed from our production systems within 30 days.
Deletion is irreversible: Once data is deleted, it cannot be recovered. We recommend exporting your data before requesting deletion.

11. Data Retention After Cancellation

If your subscription is canceled or expires:

60-day grace period: After cancellation, you have 60 days to log in, view your data, and export everything you need. During this period, email sending and contact creation are disabled, but all viewing and export features remain available.
After grace period: After 60 days, account access will be restricted. Contact support@nhcivicrm.com to request a data export or reactivation.
Data retention: Your data will be retained on our systems after the grace period. It will not be deleted unless you request it.
Reactivation: If you reactivate your subscription at any time, all previously stored data will be available.
Deletion on request: You may request complete deletion of all Customer Data at any time by contacting support@nhcivicrm.com. We recommend exporting your data first.

12. User Accounts and Access Control

Organizations are responsible for managing their own users and access levels:

Role-based access: The platform supports multiple user roles (Administrator, Manager, Coordinator, Viewer) with different permission levels. Administrators should assign the minimum necessary permissions to each user.
User management: Organization administrators can add, remove, and modify user access at any time.
Account security: Users are responsible for maintaining the security of their login credentials. Enable strong passwords and do not share accounts.
Deactivation: When a user leaves your Organization, administrators should promptly remove their access.

13. Subscription and Payment

Subscriptions are billed monthly or annually as selected at signup. All plans include a 30-day free trial. Payment is processed securely by Stripe. You may upgrade, downgrade, or cancel your subscription at any time through the billing portal. Cancellations take effect at the end of the current billing period.

14. Donations and Payment Processing

When your Organization collects donations through the platform, those transactions are processed by Stripe using your Organization's connected Stripe account. The Service Provider does not hold, control, or have access to funds donated to your Organization. Donation data (amounts, donor information, transaction records) is stored as Customer Data subject to all protections described in these terms.

15. SMS/Text Messaging Program

Program Name: RebuildNH SMS Alerts

Program Description: By opting in, supporters will receive recurring SMS/text messages from your Organization. Messages may include event invitations, fundraising appeals, legislative updates, volunteer opportunities, and other civic engagement content.

Message Frequency: Message frequency varies. Recipients may receive multiple messages per week during active periods.

Message and Data Rates: Message and data rates may apply. Recipients should check with their mobile carrier for details.

Opt-In: Recipients may opt in by: (1) checking the SMS opt-in checkbox on website forms, (2) texting JOIN to the messaging number, or (3) providing consent at in-person events. Consent to receive SMS messages is not a condition of any purchase, donation, or service.

Opt-Out: Recipients can opt out at any time by texting STOP. A confirmation message will be sent and no further messages will be delivered unless the recipient re-subscribes.

Help: For help, text HELP in reply to any message, or contact info@rebuildnh.com.

Supported Carriers: Major US carriers including AT&T, T-Mobile, Verizon, and others. Carriers are not liable for delayed or undelivered messages.

Privacy: Phone numbers and SMS opt-in consent are not sold, rented, or shared with third parties or affiliates for marketing purposes. See our Privacy Policy for full details.

16. Acceptable Use

You agree not to:

Submit false or misleading information
Use the Service for illegal activities or to violate any applicable laws
Send unsolicited messages (spam) or violate the CAN-SPAM Act or TCPA
Attempt to access data belonging to other Organizations
Interfere with or disrupt the Service or its infrastructure
Attempt to gain unauthorized access to systems, accounts, or data
Reverse-engineer, decompile, or attempt to extract source code from the Service
Use the Service to store or transmit malicious code
Exceed reasonable usage limits that degrade service for other customers

Violation of these terms may result in suspension or termination of your account.

17. Intellectual Property

The Service, including its design, code, features, and documentation, is the intellectual property of 1772 Strategies LLC. Your subscription grants you a non-exclusive, non-transferable right to use the Service during your subscription term. Customer Data and content you create remain your property as described in Section 3.

18. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE SERVICE PROVIDER SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING FROM YOUR USE OF THE SERVICE. THE SERVICE PROVIDER'S TOTAL LIABILITY FOR ANY CLAIM ARISING UNDER THESE TERMS SHALL NOT EXCEED THE AMOUNT YOU PAID FOR THE SERVICE IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.

The Service is provided "as is" without warranties of any kind, whether express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

19. Indemnification

You agree to indemnify and hold harmless the Service Provider from any claims, damages, losses, or expenses (including reasonable attorney's fees) arising from your use of the Service, your violation of these terms, or your violation of any third-party rights.

20. Changes to Terms

We may modify these terms at any time. Material changes will be communicated via email to Organization administrators at least 30 days before taking effect. Continued use of the Service after changes take effect constitutes acceptance of the updated terms. If you do not agree with the changes, you may cancel your subscription and request data export and deletion.

21. Governing Law and Disputes

These terms are governed by the laws of the State of New Hampshire without regard to conflict of law principles. Any disputes arising under these terms shall be resolved in the state or federal courts located in Merrimack County, New Hampshire.

22. Severability

If any provision of these terms is found to be unenforceable, the remaining provisions will continue in full force and effect.

23. Contact

For questions about these terms, data privacy, or to request data export or deletion:
Email: support@nhcivicrm.com
Operator: 1772 Strategies LLC, Concord, NH