Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Resolution to Standardize TDSA’s Data Use and Security Practices

Summary

This resolution motivates the need for more secure data management and security practices for Triangle DSA, and it adopts various practices and policies to address the most urgent needs.

It begins with (1) motivating the need for democratically adopted standards and practices, (2) identifying the most serious vulnerability we face due to the platform we use – the use of the Google Suite for general chapter list-work in light of the way that structure of the platform makes it incredibly easy to leak sensitive information –, and (3) making the case that a paid Airtable account solves this problem, while other solutions, although they may increase security, too severely limit the chapter’s ability to organize effectively. This part of the resolution is focused primarily on the general chapter list-work that involves sensitive information on members, of the sort done by AdComm and the Steering Committee for the purposes of onboarding, mobilization, and general coordination.

It then argues that (4) other chapter committees and bodies should be encouraged to experiment with other tools and practices, empowered to collect their own data on members, candidates, holders of elected office, and non-member allies, and the chapter should avoid over-prescribing tools and policies for their work. However, it argues that (5) there is a need for the chapter to maintain custody over all accounts to prevent the real threat of rogue actors.

Still, it motivates a number of (6) chapter-wide data policies that will increase chapter security, as well as (7) policies that strengthen the privacy rights of members.

Apart from the use of Airtable for general chapter list work, key changes include the requirements to sign a Chapter Data Use Agreement to access sensitive chapter information, to attend a Chapter Data Security Training, and follow various best practices in managing any sensitive information within the chapter, as well as TDSA maintaining custody over all accounts doing TDSA work and members having security rights related to their privacy and security.

1. The Need for Democratically Adopted Standards

Whereas

Efficiency and effectiveness in organizing across committees, campaigns, and all chapter work requires a centralized and well maintained database with personal and sensitive information about our members, including first, last, and preferred name, pronouns, phone number, email, communication preferences, location in the Triangle, general availability, accommodation needs, date of joining DSA, attendance records to TDSA activities, political interests, skills, profession, relationships within the chapter, any external political affiliations such as membership in another organization, and other details that may be relevant to organizing.

Whereas

Informed decision-making in our electoral work and beyond requires storing basic information about candidates and holders of elected office, including non-publicly available information about their strategies and priorities.

Whereas

Chapter members place their trust in TDSA to keep private and secure their personal and sensitive information, and growing and retaining our membership requires preserving that trust.

Whereas

TDSA-endorsed electeds and candidates seeking our endorsement place their trust in TDSA to keep private and secure their personal and non-publicly available information, and the continued success of our ongoing electoral work requires preserving that trust.

Whereas

Irresponsible data security practices open up members, candidates, and holders of elected office to unwanted solicitation and targeted harassment.

Whereas

The importance of privacy and security goes beyond the protection of individuals to protecting, as a whole, the real movement for socialism, including from hostile, opportunist, and/or reformist forces, who seek to undermine and/or redirect our struggle for socialism to buttress the capitalist status quo.

Whereas

TDSA lacks any democratically adopted standards, policies, and guidelines for managing data of members, candidates, and holders of elected office.

Whereas

TDSA members and member leaders have consistently requested standardized policies, guidelines, and training on managing members’ data.

Whereas

Following the approval of R09 at the 2025 National DSA Convention, the National Tech Committee is conducting an audit of the technologies being used by National DSA and local DSA chapters, but their recommendations for and migration plan to more private and secure tools will not be complete until the end of 2026, and the plan will not be implemented until the end of 2027 (provided it receives approval by the National Political Committee). So, although guidance from National is on the horizon, for nearly another 2 years, Triangle DSA must make decisions about managing sensitive data without guidance from National.

2. A Significant TDSA Data Security Need

Whereas

Google Suite offers a high-degree of functionality, familiarity, and ease of use for collecting and managing data and other information, but its prioritization of seamless sharing also makes it highly vulnerable to leaking data – e.g., via the ease with which users can make files viewable to anyone with a link, the way that permissions flow downward from parent folders in Google Drive, and the way that content owned by members that gets moved into the Triangle DSA Drive can interfere with policies established for the Triangle DSA Google Drive.

Whereas

The aforementioned security issues are not abstract possibilities but one of the most common causes of leaked data by users of the Google Suite generally, and these kinds of mistakes happen within TDSA far too frequently.

Whereas

For the purposes of general, chapter-wide membership list work, particularly the list work involved in the chapter’s mobilization and onboarding programs administered by AdComm, it is desirable for security reasons to limit those with complete data access to the Steering Committee and anyone approved by the Steering Committee.

Whereas

It is also important that other chapter leaders are able to request and receive access to partial membership data, provided they include clear parameters, specify the purpose they will use the data for, the purpose is either an internal TDSA project or a chapter-approved external project, and anyone who will access the data is named.

Whereas

The distribution of said data should be accomplished in a way that is secure, e.g., via a password protected link, access should be removed once the data is no longer needed, and a record should be maintained of data requests and access.

Whereas

It’s important that mobilizers, chapter leadership, and the general membership be able to provide updates to chapter membership lists in an efficient way without having to access complete membership lists.

3. Airtable as the Solution

Whereas

Airtable is an application that meets the functionality needs required for the purposes of general chapter-wide list work and provides a way to increase the security of our sensitive data on members, candidates, and holders of elected office. Specifically, Airtable allows TDSA to:

  • Store and manage sensitive data on a centralized, encrypted server that only the Steering Committee and those approved by the Steering Committee have access to
  • Manage data requests via integrated form applications, grant partial, granular, or complete access to data requests via password protected links, easily track who has access to what sensitive data, and remove access when it is no longer needed
  • Allow members to update the centralized databases containing sensitive information without otherwise having access to the database to view the information it holds, either in full or in part

Whereas

The cost of AirTable’s Team and Professional plans are trivial compared with the chapter’s monthly and annual expenses, especially when compared to the invaluable increased security provided by the centralized platform.1

Whereas

Other Platforms exist, such as CryptPad and the Proton Suite, that provide even more robust security than Airtable because they are open-source, based outside the US, subject to laws that better respect user privacy (e.g., EU and Swiss privacy laws), and are not subject to US subpoenas. But these platforms provide insufficient functionality for the purposes of general chapter-wide list work.

Whereas

For TDSA and our current technological capacities and scale – e.g., that limit the feasibility of self-hosting –, the primary drawback of Airtable relative to platforms like Cryptpad and Proton is that it is a US-based company, and therefore subject to US data privacy laws and US subpoenas.

Whereas

Security agencies and hostile actors have other routes besides subpoenas and weak data privacy laws to access our data on members, candidates, and holders of elected office if they want to – e.g., other US-based tech services used by National DSA to store member data (Periscope, Action Network, etc.), phishing, infiltration, extortion of members with passwords. Thus, the reason for TDSA to avoid US-based companies is not so weighty that it merits giving up the functionality of the sort provided by Airtable where it is needed for effective chapter work.

4. Experimentation and Avoiding Overprescription

Whereas

The Solar Bond Campaign Committee has been using Cryptpad for several months, has had no issues, and are satisfied with Cryptpad as a means to store sensitive member data and other campaign information. But the same service may not be necessary or appropriate for the organizing activities of other chapter bodies.

Whereas

Efficient and effective campaigns, committees, and organizing require flexibility and varying degrees of autonomy, including in tools used and the data collected on members, supporters, candidates, and holders of elected office.

Whereas

Continued growth and development as a chapter – including in our data collection and security practices – requires that campaigns, committees, and members be empowered to experiment with new tools and practices.

5. The Need for Chapter Custody

Whereas

Both National DSA and Triangle DSA have faced security vulnerabilities due to rogue members who use chapter accounts for non-(T)DSA-approved purposes, including deleting important files, posting content of public platforms illicitly in the name of (T)DSA, changing passwords to undermine the will of the general membership, etc.

Whereas

All work done under the purview of TDSA ought to belong to TDSA.

6. The Need for Other Standardized Practices

Whereas

Regardless of the platform used to store data on members, candidates, and holders of elected office, security is strengthened by best practices guidelines, including:

  • Never using sensitive or private data, or information obtained therefrom, to harass or mistreat individuals
  • Collecting and storing only the minimum information necessary to achieve the relevant organizing purpose
  • Never storing sensitive or private data on a personal computer, and if data must be downloaded to a personal computer for some reason, ensuring that it is removed promptly as soon as the purpose is accomplished
  • Never sharing sensitive or private information outside the chapter except with chapter approved third party tech services that we rely on for communications and list management, or with chapter approved data sharing coalition partners
  • Sharing only the minimum information needed to accomplish the relevant organizing purpose – e.g., only sharing the last two initials of members’ last names, only sharing the name of the municipality or neighborhood that they live in rather than their physical home address, etc.
  • Sharing sensitive or private information only via password protected links or links that restrict access to only those who have approval to access it
  • Updating permissions to remove access to sensitive or private data when such access is no longer needed
  • Tracking who has access to what data
  • Requiring all members accessing sensitive or private data to have gone through training detailing the best practices adopted by the chapter
  • Requiring all members accessing sensitive or private data to sign an agreement that they will comply with the democratically adopted, chapter-approved data standards

Whereas

There are best practice security guidelines specific to platforms like Google Suite, such as using Google Groups to manage access to any information, sensitive or otherwise.

Whereas

Applications and accounts that are supplied by National DSA and used chapter-wide – e.g., Action Network, Zoom, etc. – provide another security and privacy vulnerability, but the permissions on these platforms are easily set up to at least limit the information accessible to users, and in particular prohibit users from accessing complete member lists.

Whereas

Application and account security could be further improved via the maintenance of a centralized database tracking what members have access to an application or account, and ensuring that members don’t have access to an account or application unless they are actively going to use it in the foreseeable future.

7. Member Rights

Whereas

Respect for our members, increasing good will, and protecting the reputation of TDSA requires that we allow members the option to opt out of any means of communication (e.g., text message) and that we receive permission before sharing members’ likeness (images, videos, and other identifying information such as social media handles and names) in any public media.

Whereas

Respect for our members, increasing good will, and protecting the reputation of TDSA requires that we refuse to provide member data to any criminal investigations unless served by a warrant or subpoena.

1. Chapter-wide Data Collection and Use Policies

Resolved

TDSA and any of its bodies will not collect any additional, private information that members, candidates, and holders of elected office have not voluntarily given to DSA, and we will only collect information that is needed for organizing purposes.

Resolved

Membership lists and any private information collected by TDSA or any of its bodies will only be used to promote TDSA or TDSA-endorsed activities, and it will never be used to promote political candidates, third party organizations, or third-party activities unless the candidate, organization, or activity is endorsed by the chapter or the Steering Committee.

Resolved

Membership lists or any private information collected by TDSA and any of its bodies will never be shared outside the chapter – in whole, in part, or in aggregate – except with chapter approved third party tech services that we rely on for communications and list management, or with chapter approved data sharing coalition partners.

Resolved

Membership lists and any private information collected by TDSA or any of its bodies will never be stored on a personal computer, and if data must be downloaded to a personal computer for some reason, members must ensure that it is removed promptly as soon as the purpose is accomplished.

Resolved

Any information collected by TDSA and any of its bodies, or information obtained therefrom, will never be used to harass or otherwise mistreat individuals.

2. AdComm and General Chapter Listwork Policy

Resolved

TDSA establishes the Chapter Membership Coordinator and Chapter Secretary as Chapter Data Administrators, and empowers the Steering Committee to designate additional Chapter Data Administrators to expand capacity if needed. Chapter Data Administrators will be identified via a Discord role, the chapter Wiki, and other lists of chapter leadership. Chapter Data Administrators are responsible for processing, managing, and protecting all member data lists when received from National in line with the practices adopted by this resolution. Likewise, Chapter Data Administrators will manage and protect any chapter data that it collects or receives containing non-publicly available information about candidates and holders of elected office.

Resolved

TDSA adopts the following chapter data security practices, which apply particularly to AdComm and general chapter work (as distinct from other committees, sections, and associations and the work specific to these sub-bodies):

  1. Protected information is defined as member information and non-publicly available information that TDSA collects or receives from candidates and holders of elected office.
  2. TDSA will manage all protected information on a secure, private Airtable database accessible only by the Steering Committee and those approved by the Steering Committee.2
  3. Aggregated member data may be made available to members, such as data visualizations of member density, certain survey or voting responses, or demographic information of the chapter. This data will only be available via channels such as Discord, the Cardinal Points newsletter, or TDSA meetings.
  4. The Steering Committee or Chapter Data Administrators may grant partial or complete access to protected information to other members of TDSA for the purposes of chapter business, such as the newsletter, event turnout, or deliberation about whether to endorse a candidate running for political office. Complete member lists generated for committees, sections, associations, or other miscellaneous projects must be approved through a vote of the Steering Committee.
  5. Member leaders may request member lists, or other protected information, from the Chapter Data Administrators, provided they include clear parameters, specify the purpose they will use the data for, the purpose is either an internal TDSA project or a chapter-approved external project, and anyone who will access the data is named.
  6. Chapter Data Administrators are responsible for using Airtable to respond to data access requests in a timely manner. All access must be limited to the smallest amount necessary to accomplish the intended purposes – e.g., only sharing the first two letters of the last names of members (unless additional characters are needed to differentiate members), only sharing the name of the municipality or neighborhood that members live in rather than their physical home address, etc. All protected information must be shared via password protected links, a record should be kept of who has access to what information, and permissions should be updated to remove access to data when such access is no longer needed.
  7. Before being entrusted with data access, any member must sign a TDSA Data Use Agreement. Members who are not member leaders may receive limited, temporary data access for purposes of neighborhood, inreach, and turnout organizing, but more extensive or permanent access is limited to member leaders. No member may share any protected information that they have been given access to with anyone other than those named in the initial data request.
  8. Before being entrusted with data access, any member must have been trained on the appropriate use and handling of personal data via the Security Skills Training that will be developed within one month of this policy’s adoption – any security training developed prior to this training, including the earlier iteration of TDSA’s security training is insufficient for meeting the training requirement.
  9. Any member found to be consistently inactive in the chapter, to have knowingly violated the policies adopted by this resolution, to have behaved as a poor representative of DSA, or to lack the relevant skills and knowledge to handle private and sensitive data may be prohibited by the Steering Committee from accessing any protected information. Members who have had their access revoked may appeal to the Steering Committee at any time or by motion at a General Meeting of the chapter.

Resolved

Within one month of the approval of this resolution, the Steering Committee will have subscribed to Airtable’s Team plan, and the Chapter Data Administrators will have set up a TDSA Data Request Form, the TDSA Data Use Agreement Form, and begin the management of all protected information on Airtable. In the event that Airtable’s Professional plan is needed for the purposes outlined in this resolution, then the Steering Committee will update the plan accordingly.

Resolved

Within one month of the approval of this resolution, the Membership Coordinator, in collaboration with the other Chapter Data Administrator(s), will deliver the Security Skills Training required for members to receive data access, and the Security Skills Training will be delivered at least two more times in 2026. In subsequent years, the training will be delivered at least twice a year, at least once in the first half of the year, and at least once in the second half of the year.

Resolved

Following the launch of the TDSA Data Request Form, the TDSA Data Use Agreement Form, and the delivery of the TDSA Security Skills Training – and only then –, the 9 numbered policies and practices articulated in the resolved clause above are effective.

3. Policies Applicable to Other TDSA Bodies

Resolved

Committees, sections, associations, and TDSA members may, for organizing purposes, collect information about members, candidates, holders of elected office, and non-member community allies, but they must store these records securely according to following guidelines:

  1. Access to this data will be given only to chapter members who need it for chapter organizing and chapter-approved organizing projects, such as to those in elected or appointed leadership, those doing inreach or other forms of organizing, or deliberation about an endorsement. If a member in a non-leadership position is not actively going to use the data in the foreseeable future, the leadership of the relevant body should ensure that their access is removed.
  2. Only the minimum information needed to accomplish the relevant organizing purpose will be distributed to members accessing the data – e.g., only sharing the last two initials of members’ last names, only sharing the name of the municipality or neighborhood that they live in rather than their physical home address, etc.
  3. Anyone handling any personal or sensitive information must agree to the TDSA Data Use Agreement and complete the TDSA Security Skills Training.
  4. When reasonable, changes to member contact details or other new information acquired about members will be communicated with the Chapter Data Administrators so that the TDSA central database is as accurate as possible. Members can update their own information or information on other members through the designated form on Airtable.

Resolved

TDSA bodies are permitted flexibility and autonomy in choosing the specific platform and the practices they adopt in collecting and storing personal information, and they are empowered to experiment with new tools and practices.

Resolved

For non-personal and non-sensitive information, all other chapter work should be stored on the shared Triangle DSA Google Drive, and permissions should be set using the “triangle-migs” and “Triangle DSA Member-Leaders” Google Groups. Chapter Data Administrators are responsible for keeping these Google Groups up to date each month and responding to instances where chapter members in good standing and member leaders need to be added to the groups. Chapter Data Administrators should reference official, up-to-date lists before adding anyone to these Google Groups.

For public-facing files, cross-chapter, or cross-organization collaboration, general access permissions may be used. Triangle DSA members who are members in good standing but not member leaders may be granted edit permissions to specific files where needed.

Historical chapter information that serves to guide chapter activity may be made available on the NCTDSA Wiki site. This includes successfully passed chapter resolutions, but it excludes proposals or resolutions that have not been voted on by the chapter, as well as those that failed. When published on the NCTDSA Wiki site, all member names included in passed resolutions will be redacted or replaced with non-identifying information, such as “Person A” or “Triangle DSA member”. This includes authors, co-signers, and any members mentioned in the resolution text. The contents of the passed proposal or resolution will be available as rendered pages on the site. But the NCTDSA Wiki site includes a link to a folder with all passed resolutions in their full, unredacted form that can be accessed by any Triangle DSA member in good standing via membership in the “triangle-migs” Google Group.

Resolved

No later than July 2026, the Chapter Data Administrators will conduct a systematic review of the Triangle DSA Google Drive to ensure Google Groups permissions are set appropriately for files existing on the Google Suite.

4. Chapter Custody

Resolved

Any account made by TDSA or a TDSA body for the purposes of conducting chapter work – e.g., a separate, secure drive for storing sensitive information, a social media account, etc. – belongs to TDSA, and the Steering Committee must have access to the account passwords, a recovery email to recover the passwords in the event that the passwords are lost or changed, and the ability to get past any 2-factor-authentication measures.

Resolved

Within one month of the adoption of this resolution, Chapter Data Administrators will create an inventory of all such accounts, add any login to the TDSA Vault Warden account (which is accessible only to the Steering Committee), and take any necessary steps to ensure that the Steering Committee can access the accounts.

5. Chapter Accounts and Access Permissions

Resolved

Chapter Data Administrators and the Steering Committee, and only these individuals, are authorized to grant access to chapter-wide applications and accounts, such as Action Network, Zoom, and Google Calendar, but they must ensure that permissions are properly set so that those given access to these platforms cannot access complete member lists (particularly on Action Network). This does not include accounts set-up by individual committees, sections, and associations, such as Cryptpad, Proton, or any social media accounts.

Resolved

A database will be maintained by Chapter Data Administrators to track what members have access to an application or account. This database will be maintained by the Chapter Data Administrators as they update access.

Resolved

No member will have access to an account or application unless they are actively going to use it in the foreseeable future. A member’s access rights will change to accommodate their role in the organization, and the Steering Committee and Chapter Data Administrators should distribute access so members can organize effectively, while still maintaining chapter data security.

6. Member Rights

Resolved

Any member may opt out of any communication method at any time, and that information will be conveyed as rapidly as possible to the Chapter Data Administrators to update the database accordingly. But the chapter is not responsible for chapter subbodies that use their own records to contact members via communication methods they have opted out of.

Resolved

It is the responsibility of TDSA leadership and members alike to secure permission before sharing their comrades’ likeness (images, videos, or other identifiable information such as social media handles or names) in any public media, including and especially public social media. Members can request at any time that any image, post, or other such public communication that includes their likeness in public media be removed or obfuscated. Such requests should be honored in a timely fashion, to the best of one’s ability.

Resolved

TDSA will not provide member data to any criminal investigations unless served by a warrant or subpoena. We expect but cannot guarantee the same protection from any third party services.

7. Policy Transparency

Resolved

The newly adopted TDSA Data Policy contained in this resolution is articulated here and will be made publicly available on the chapter website following the approval of this resolution, no later than March 2026.

  1. As of January 2026, Airtable’s Team Plan is $20 per month (annual plan), and the Professional Plan is $45 per month (annual plan). But the Team Plan is likely sufficient for TDSA’s needs.

  2. National DSA manages our chapter member data on Action Network and Periscope, and they sometimes send member data to the chapter email managed by the Steering Committee via email attachment. This resolution does not change the practices of National, but it does cover how the chapter manages access to these platforms and the protected information contained on them.