Data Processing Agreement
This DPA forms part of the ChurchStacks Terms of Service and applies to all customers who process personal data of EU residents or who require a formal DPA for compliance purposes.
Last updated: March 20, 2026 · To request a signed copy: privacy@churchstacks.com
1. Definitions
"Controller" means the church or organisation that determines the purposes and means of processing personal data (you, our customer).
"Processor" means ChurchStacks Inc., which processes personal data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person, including church members, donors, and staff.
"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
"Sub-processor" means any third party engaged by ChurchStacks to process personal data.
2. Scope and purpose
ChurchStacks processes personal data solely for the purpose of providing the Services described in the Terms of Service. We process data only on documented instructions from the Controller (you), except where required by law.
3. Our obligations as Processor
- Process personal data only on your documented instructions.
- Ensure all staff with access to personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures (see our Security page and Section 7 below).
- Assist you in responding to data subject rights requests (access, deletion, correction, portability).
- Delete or return all personal data at the end of the service relationship.
- Provide all information necessary to demonstrate compliance with GDPR Article 28.
- Notify you without undue delay, and within 72 hours, upon becoming aware of a personal data breach (see Section 8).
4. Your obligations as Controller
- Ensure you have a lawful basis for processing the personal data you enter into ChurchStacks.
- Ensure all member data entered into the platform has been obtained in compliance with applicable law.
- Obtain appropriate consent where required (e.g. for minor members, and for sensitive pastoral data; note that data revealing religious beliefs, which church membership records typically do, is special category data under GDPR Article 9 and needs a valid Article 9 condition in addition to a lawful basis).
- Provide accurate information when requested for data subject rights fulfilment.
5. Sub-processors
We use the following sub-processors to provide the Service. By using ChurchStacks, you authorise their use:
We will notify you of any changes to sub-processors with at least 10 days' notice.
6. International data transfers
Our infrastructure is primarily based in the United States. Data transfers from the EU/EEA to the USA are covered by Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated by reference into this DPA.
7. Security measures
We implement and maintain the following technical and organisational measures:
- AES-256 encryption at rest for all stored data.
- TLS 1.3 encryption in transit.
- Row-level security enforced at the database level (Supabase RLS), so tenant data is isolated by policy rather than by application code alone.
- Role-based access control following the principle of least privilege.
- Multi-factor authentication available on all accounts.
- Daily automated backups with 30-day retention.
- Access logs and audit trails for all admin actions.
- A vulnerability disclosure policy and responsible disclosure programme.
8. Data breach notification
In the event of a personal data breach, we will notify you without undue delay and within 72 hours of becoming aware of it. The notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.
9. Deletion and return of data
Upon termination of the Service, we will delete all personal data within 30 days unless retention is required by law. You may export all data before termination using the self-service export tool in Settings.
10. Requesting a signed DPA
A signed copy of this DPA is available on request for Apollos, Priscilla, and Antioch plan customers. Email privacy@churchstacks.com with your church name and account email. We will respond within 2 business days.