FEC Coordination & Firewall Policy

Why We Maintain a Firewall
The Legal Basis
Who This Policy Covers
How the Firewall Works
Data & Technology Safeguards
AI-Specific Controls
What This Means for Clients
Breach Response
Questions & Contact

1. Why We Maintain a Firewall

BlueList.ai provides political data analytics, voter targeting, and media buying services to Democratic campaigns, committees, PACs, and independent expenditure organizations. Some of our clients operate in the same races. That creates a legal risk called coordination.

Under federal election law, if a vendor like BlueList passes strategic information from one client to another—even unintentionally—the resulting communication can be treated as an illegal in-kind contribution. The consequences fall on our clients as much as on us: contribution limit violations, prohibited contribution findings, FEC complaints, and reputational damage.

We maintain this firewall because protecting our clients from coordination risk is a non-negotiable part of the service we provide. It is not optional. It is how we operate.

2. The Legal Basis

This policy is built on the common vendor firewall safe harbor established by the Federal Election Commission at 11 CFR § 109.21(h). Here is what that regulation requires, in plain terms:

The FEC Safe Harbor

A commercial vendor that serves multiple political clients can avoid a coordination finding by designing and implementing a written firewall policy that prohibits the flow of information between the teams serving different clients—and distributing that policy to all affected employees, consultants, and clients.

The safe harbor is destroyed if, despite the firewall, information about a candidate’s campaign plans, projects, activities, or needs that is material to the creation, production, or distribution of a communication is used by or conveyed to another client. That is the line this policy exists to hold.

Key regulatory references

11 CFR § 109.21: Defines “coordinated communication” and establishes the content, conduct, and payment standards that determine whether a communication is coordinated.
§ 109.21(d)(4): The common vendor conduct standard—triggered when a vendor provides services to both the payor of a communication and the referenced candidate within a 120-day window.
§ 109.21(h): The firewall safe harbor—allows a vendor to avoid the common vendor standard by maintaining a qualifying written information barrier.

3. Who This Policy Covers

This policy applies to every person who performs work for or on behalf of BlueList.ai:

All owners, officers, and members of BlueList.ai LLC
All full-time and part-time employees
All independent contractors and consultants
All subcontractors and their personnel working under BlueList engagements
Temporary staff, interns, and volunteers with access to client information

We refer to these individuals collectively as Covered Persons. Every Covered Person receives a copy of this policy and signs a written acknowledgment before beginning work.

4. How the Firewall Works

Conflict screening

Before accepting any new engagement, we evaluate whether the prospective client creates a coordination risk with any existing client—specifically, whether both clients reference the same federal candidate (as supporter or opponent) or are active in the same race. If a conflict exists that we cannot safely manage under this policy, we decline the engagement.

Walled Teams

When we serve clients that present a coordination risk, we assign completely separate service teams to each client. We call these Walled Teams. The rules are strict:

No shared personnel. No person may simultaneously serve on two Walled Teams where a coordination risk exists between the clients.
No shared workspaces. Walled Teams do not share physical files, workstations, whiteboards, or other media where client information could be observed.
No shared digital access. Client data, files, targeting models, media plans, and analytics live in separate, access-controlled environments. Members of one team cannot access another team’s systems.

Protected Information

The following categories of information may never flow between Walled Teams, in any form—verbal, written, electronic, or through shared system access:

Campaign strategy, plans, and strategic direction
Planned communications, ad campaigns, and field operations
Scheduling, events, travel, and media appearances
Staffing, fundraising targets, vulnerability assessments, and resource allocation
Polling data, focus groups, survey results, and opposition research
Media plans, ad placement schedules, and buy strategies
Voter targeting models, audience segments, and contact universes built for a specific client
Donor lists and fundraising analytics specific to a client
AI model outputs and predictive analytics derived from client-specific data

Publicly available information

Consistent with FEC rules, information obtained exclusively from public sources—FEC filings, public voter files, published news, public social media—is not subject to this firewall. However, public information that has been enhanced or analyzed using a client’s Protected Information is treated as Protected. When in doubt, we treat information as Protected.

120-day cooling-off period

The FEC’s common vendor standard looks back 120 days. If a Covered Person transitions from one Walled Team to another involving a conflicting client, they go through a documented debriefing and cannot begin work on the new team until the Compliance Officer confirms appropriate safeguards are in place.

5. Data & Technology Safeguards

Information barriers only work if the technology enforces them. Our data controls include:

🔒

Isolated Storage

Client data lives in separate, access-controlled environments. No shared repository holds Protected Information from conflicting clients.

👥

Role-Based Access

Permissions are configured per Walled Team. Only team members can access their client’s data. Permissions are updated whenever assignments change.

📋

Audit Logging

All access to client data is logged with identity, timestamp, and nature of access. Logs are retained for at least three years.

🔄

Communications Separation

Walled Teams use separate communication channels. No shared email threads, messaging channels, or project boards across conflicting engagements.

6. AI-Specific Controls

BlueList uses AI and machine learning in its political analytics work. AI models can inadvertently carry information between clients if not properly managed. We apply additional safeguards:

Model isolation. Predictive models and targeting algorithms trained on one client’s data are never applied to or shared with a conflicting client.
Training data separation. Datasets used to train or fine-tune models for one client never include data derived from another client’s Protected Information.
Shared tools, not shared models. We may use the same underlying platforms and base tools across clients, but client-specific training data, model weights, configurations, and outputs remain fully segregated.
Documentation. We maintain records of which models serve which clients and what data sources inform each model.

7. What This Means for Clients

When you engage BlueList.ai, you receive:

Disclosure that BlueList serves multiple political clients and maintains this firewall policy.
A dedicated Walled Team if your engagement presents a coordination risk with another client. Your team works exclusively on your account within a segregated environment.
A copy of this policy attached to or referenced in your engagement letter, along with an acknowledgment of the information barriers in place.
Confidence that your campaign plans, targeting data, media strategy, and proprietary analytics will not be shared with, accessed by, or used to benefit any other client.

Client responsibility

We ask that clients also respect the firewall by not requesting information about other BlueList clients. Our engagement letters include this obligation.

8. Breach Response

Any Covered Person who becomes aware of a potential breach—any unauthorized disclosure, access, or use of Protected Information across Walled Teams—is required to report it to the Compliance Officer immediately. There is no retaliation for good-faith reporting.

When a potential breach is reported, we:

Immediately assess the scope and severity
Determine whether Protected Information was actually disclosed, accessed, or used
Identify all affected personnel and clients
Evaluate whether the breach may have resulted in a coordinated communication under 11 CFR § 109.21
Engage outside election law counsel when FEC implications are possible
Notify affected clients as appropriate

Remedial actions range from immediate reassignment and access revocation to engagement of outside counsel, client notification, and, in severe cases, withdrawal from conflicting engagements. Violations of this policy may result in termination of employment or contract.

9. Questions & Contact

If you have questions about this policy, how it applies to a specific engagement, or how BlueList.ai manages coordination risk, contact our Compliance Officer:

BlueList.ai LLC
Compliance Officer
compliance@bluelist.ai

This policy is reviewed and updated at least annually. Material changes are communicated to all Covered Persons and active clients. The internal version of this policy, which includes detailed operational procedures and the employee/contractor acknowledgment form, is available upon request to current and prospective clients.

Disclaimer. This policy reflects BlueList.ai LLC’s operational commitments under applicable FEC regulations as of the date above. It is published for transparency and does not constitute legal advice. Nothing in this policy creates an attorney-client relationship. Campaign committees and other political organizations should consult their own legal counsel regarding coordination compliance.