Data Processing Agreement
Last updated: January 1, 2025
Effective date: January 1, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and Church Compliance Manager ("Processor") and governs the processing of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
2. Definitions
- Controller: The Customer (church or religious organization) using our services
- Processor: Church Compliance Manager and its authorized personnel
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data
- Data Subject: The individual whose personal data is being processed
3. Scope and Purpose of Processing
3.1 Categories of Personal Data
We process the following categories of personal data on behalf of the Customer:
- Contact details (names, email addresses, phone numbers)
- Professional information (job titles, roles, responsibilities)
- Organizational data (church membership, volunteer status)
- Compliance-related information (training records, certifications)
3.2 Categories of Data Subjects
- Church staff and employees
- Volunteers and contractors
- Board members and trustees
- Authorized users of the compliance system
3.3 Purpose of Processing
Personal data is processed for the following purposes:
- Managing compliance records and documentation
- Sending reminders and notifications
- Generating reports and analytics
- Providing customer support
- Ensuring system security and integrity
4. Processor Obligations
4.1 Processing Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries or international organizations.
4.2 Confidentiality
The Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security Measures
The Processor implements appropriate technical and organizational measures to ensure:
- Encryption of personal data in transit and at rest
- Ability to ensure ongoing confidentiality, integrity, availability and resilience
- Ability to restore availability and access to personal data in a timely manner
- Regular testing, assessment and evaluation of the effectiveness of security measures
5. Sub-Processing
5.1 Authorized Sub-Processors
The Controller provides general authorization for the engagement of sub-processors. Current sub-processors include:
- Supabase: Database and authentication services
- AWS/Google Cloud: Infrastructure and hosting services
- Email Service Providers: Notification and communication services
5.2 Sub-Processor Obligations
The Processor ensures that any sub-processor is bound by the same data protection obligations as set out in this DPA.
6. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject rights:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object
7. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach, and in any case within 24 hours. The notification shall include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. Data Protection Impact Assessments
The Processor shall assist the Controller in carrying out data protection impact assessments and consultations with supervisory authorities where required.
9. International Transfers
Any transfer of personal data to third countries shall be subject to appropriate safeguards, such as:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules
- Approved codes of conduct or certification mechanisms
10. Data Retention and Deletion
Upon termination of services, the Processor shall, at the choice of the Controller, delete or return all personal data and delete existing copies unless EU or Member State law requires storage of the personal data.
11. Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections.
12. Liability and Indemnification
Each party shall be liable for damage caused by processing that infringes data protection law only where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions.
13. Term and Termination
This DPA shall remain in effect for as long as the Processor processes personal data on behalf of the Controller. Either party may terminate this DPA with 30 days' written notice.
14. Contact Information
For questions about this Data Processing Agreement, please contact our Data Protection Officer:
- Email: dpo@churchcompliancemanager.com
- Address: [Your Business Address]
- Phone: [Your Phone Number]