ChurchPlan Logo
← ChurchPlan Legal

Data Processing Agreement

Version
2.0
Effective
May 15, 2026
Table of contents

Preamble

This Data Processing Agreement (this "DPA") forms part of, and is incorporated by reference into, the Master Service Agreement (the "MSA") between ChurchPlan Inc. ("ChurchPlan") and the organization that subscribes to or uses the ChurchPlan Platform (the "Client"). This DPA governs the processing of Personal Information by ChurchPlan on behalf of the Client in connection with the Client’s use of the Platform.

Capitalized terms used in this DPA but not otherwise defined herein have the meanings given to them in the MSA. In the event of any conflict or inconsistency between this DPA and the body of the MSA with respect to the processing of Personal Information, this DPA prevails. In the event of any conflict between this DPA and any Order Form, this DPA prevails unless the Order Form expressly references and modifies a specific provision of this DPA.

This DPA is intended to satisfy the requirements of: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), in particular Article 28; (b) the UK General Data Protection Regulation as incorporated by the Data Protection Act 2018 ("UK GDPR"); (c) the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA") and Quebec’s Act respecting the protection of personal information in the private sector (Law 25); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); (e) the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles; and (f) other applicable data protection laws of the jurisdictions in which the Client operates.

At the Client’s reasonable request, ChurchPlan will execute a separately-signed copy of this DPA in substantially the form set out herein, which shall have the same legal effect as the version incorporated by reference into the MSA.

1. Definitions

In this DPA, the following definitions apply. Definitions not set out below have the meanings given in the MSA.

"Administrative User"has the meaning given in the MSA. Any employee, clergy member, volunteer, contractor, or other individual whom the Client Organization has authorized to access the Platform’s administrative or management functions on its behalf. Administrative Users may be assigned different roles, permissions, and access scopes within the Platform by the Client Organization. The Client Organization is solely responsible for determining which individuals are granted administrative access and for managing, modifying, or revoking such access at its discretion.
"Client Personal Data"Personal Information processed by ChurchPlan on behalf of the Client in connection with the Client’s use of the Platform. Client Personal Data forms part of "Client Data" as defined in the MSA.
"Constituent Church"A Client Church specifically affiliated with a Diocese. “Constituent Church” is used in this Agreement as a context-specific term for a Client Church that is part of a Diocese; references to Client Church otherwise apply equally.
"Data Controller" or "Controller"any entity (including a natural person, legal person, organization, public authority, or other body) which, alone or jointly with others, determines the purposes and means of processing Personal Information. In respect of Client Personal Data, the Client (each Client Church and, where applicable, each Diocese or Church Group) is the Data Controller.
"Data Processor" or "Processor"any entity (including a natural person, legal person, organization, public authority, or other body) which processes Personal Information on behalf of the Controller. In respect of Client Personal Data, ChurchPlan is the Data Processor, processing Client Personal Data on behalf of the Client and on the Client’s documented instructions as set out in this DPA.
"Data Subject"an identified or identifiable natural person to whom Personal Information relates, including church members, donors, event participants, family members, minors, administrators, and guests.
"Diocese"A Church Group that exercises ecclesiastical, denominational, canonical, regional, or organizational oversight over affiliated Client Churches or Church Groups within the Platform. The term includes, without limitation, a diocese, archdiocese, eparchy, metropolis, synod, presbytery, conference, district, association, convention, region, or province, regardless of denomination, tradition, or legal form, and regardless of whether the body is separately incorporated, registered as a charity, or organized as an unincorporated association.
"Church Administrator"The single Administrative User designated by a Client Church as the primary authority holder for that Client Church’s account within the Platform. The Church Administrator has unrestricted administrative access to the Client Church account, including authority to assign roles, manage permissions, configure settings, and appoint or remove Administrative Users. Each Client Church shall designate and maintain one (1) Church Administrator at all times. The Church Administrator role may be transferred to another Administrative User by the existing Church Administrator or, in limited recovery or legal circumstances described in this Agreement, by a ChurchPlan Administrator.
"Church Group"A group of two or more churches, parishes, sites, campuses, locations, congregations, missions, or affiliated church entities configured together within the Platform, whether or not such group forms part of a Diocese. Examples include multi-site churches, regional church groupings, ministry networks, affiliated congregational structures, and diocesan subdivisions. A Church Group may exist as a standalone Client Organization (for example, a multi-site church operated by a single legal entity) or as a subdivision within a Diocese. Where a Church Group is a subdivision within a Diocese, the Diocese Administrator retains unrestricted access to that Church Group’s account and to the Client Church accounts within it, and the Group Administrator’s authority is exercised within the broader scope of the Diocese’s authority.
"Diocese Administrator"The single Administrative User designated by a Diocese as the primary authority holder for the Diocese’s account within the Platform. The scope of the Diocese Administrator’s access to each affiliated Client Church (regardless of whether the affiliated Client Church is a separate legal entity or part of the same legal entity as the Diocese) is established by the Visibility Scope assigned to that Client Church in the Diocesan and Multi-Entity Supplement executed as part of the Custom Agreement Package, with three permitted tiers: “Operational” (full unrestricted access, including all Personal Information and the authority to assign, modify, or remove Administrative Users at the Client Church); “Dashboard Only” (access limited to aggregate counts and metric visualizations only, with no individual records, names, or other Personal Information accessible, and no administrative authority over the Client Church); or “None” (no access of any kind, with the Client Church not visible to the Diocese within the Platform). Where a Client Church is not listed in the Diocesan and Multi-Entity Supplement or has not affirmatively approved a Visibility Scope, the default tier is “Dashboard Only.” Each Diocese shall designate and maintain one (1) Diocese Administrator at all times. ChurchPlan does not impose or mandate any specific Visibility Scope; the Visibility Scope is established by the affirmative consent of each Client Church and is logged and auditable through the Platform.
"Group Administrator"The single Administrative User designated as the primary authority holder for a Church Group. The scope of the Group Administrator’s access to each affiliated Client Church within the Church Group is established by the same mechanism as for Diocese Administrators (see “Diocese Administrator”), with the three permitted Visibility Scope tiers (Operational, Dashboard Only, None) applying equally. Where the Church Group is a subdivision within a Diocese, the Group Administrator’s access scope is governed by the same Diocesan and Multi-Entity Supplement as the Diocese’s, and the Group Administrator may not access data of a Client Church beyond the Visibility Scope approved by that Client Church. Each Church Group shall designate and maintain one (1) Group Administrator at all times. ChurchPlan does not impose or mandate any specific Visibility Scope; the Visibility Scope is established by the affirmative consent of each Client Church and is logged and auditable through the Platform.
"EEA"the European Economic Area.
"Personal Data Breach"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Client Personal Data.
"Personal Information"has the meaning given in the MSA. For the purposes of this DPA, "Personal Information" is treated as equivalent to "personal data" under GDPR and UK GDPR, "personal information" under PIPEDA and CCPA/CPRA, and "personal information" under the Australian Privacy Act, except where the local statutory definition is broader, in which case the broader definition applies.
"Restricted Transfer"a transfer of Client Personal Data from the Client’s jurisdiction to a third country or international organization that requires a transfer mechanism under applicable data protection law, including under GDPR Chapter V, UK GDPR Chapter V, PIPEDA cross-border provisions, or equivalent.
"SCCs"the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021. References to "Module Two" mean Module Two of the SCCs (Controller-to-Processor transfers).
"Subprocessor"a third party engaged by ChurchPlan to process Client Personal Data on ChurchPlan’s behalf in connection with the provision of the Platform.
"Supervisory Authority"a competent data protection authority under applicable law, including under GDPR Article 51 and UK GDPR.
"UK Addendum"the International Data Transfer Agreement to the EU Commission SCCs issued by the UK Information Commissioner’s Office and laid before Parliament on 2 February 2022, as updated from time to time.

2. Roles of the Parties

2.1 Controller and Processor

The Client is the Data Controller of Client Personal Data. Specifically, each Client Church is the Data Controller of the Client Personal Data of its own members, donors, and other Data Subjects; and where applicable, each Diocese or Church Group is the Data Controller of the Client Personal Data held at the Diocese or Church Group level (including data of its own administrators, donors, and other Data Subjects). ChurchPlan is the Data Processor of all such Client Personal Data and processes it on the Client’s behalf and on the Client’s documented instructions, except where otherwise required by applicable law (in which case ChurchPlan will inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).

ChurchPlan acts as an independent Data Controller only with respect to its own operational data, including: account credentials and authentication records of Administrative Users; billing and payment records pertaining to the Client’s subscription; system logs, audit trails, and security records generated by the Platform; aggregated and anonymized usage analytics; and correspondence with the Client and its Administrative Users relating to support, account management, and compliance. ChurchPlan’s processing of such operational data as a Controller is governed by the ChurchPlan Privacy Policy, not by this DPA.

2.2 Diocese and Group Administrator Access

Where a Client Church is affiliated with a Diocese or a Church Group through the Platform, the Client Church and the Diocese or Church Group acknowledge and agree that:

  • Each Client Church remains the sole Data Controller of its own Client Personal Data for all purposes of this DPA. Where a Church Group operates as a single legal entity (for example, a multi-site church), the Church Group is the Data Controller of the data of all its constituent campuses, sites, locations, or congregations.
  • The Diocese’s or Church Group’s administrative access to a Client Church’s data, exercised through the Diocese Administrator or Group Administrator (or through any Diocese-Level Administrative User or Group-Level Administrative User designated under the Diocesan and Multi-Entity Supplement) within the Visibility Scope assigned to that Client Church in the Diocesan and Multi-Entity Supplement, constitutes an authorized access arrangement instructed by the Client Church — not a transfer of controllership to the Diocese or Church Group, and not the creation of a joint controllership. This treatment applies regardless of whether the Client Church is a separate legal entity from the Diocese or Church Group or part of the same legal entity. References in this DPA to instructions of, or actions taken by, the Diocese Administrator or Group Administrator include instructions of, or actions taken by, any such designated Administrative User acting within their delegated scope.
  • For Client Churches at “Operational” Visibility Scope, the Diocese Administrator or Group Administrator’s access constitutes an authorized access arrangement instructed by the Client Church through the Diocesan and Multi-Entity Supplement — not a transfer of controllership to the Diocese or Church Group, and not the creation of a joint controllership. For Client Churches at “Dashboard Only,” only aggregate counts and metric visualizations are exposed to the Diocese, with no Personal Information accessible. For Client Churches at “None,” no data is exposed to the Diocese. ChurchPlan, as Processor for each Client Church, treats instructions issued through the Diocese Administrator or Group Administrator within the Visibility Scope approved by the affected Client Church as instructions of that Client Church, in reliance on the Diocesan and Multi-Entity Supplement.
  • Where applicable law would, on the facts of a particular processing activity, characterize the Diocese’s or Church Group’s access as a joint controllership or as a controller-to-controller transfer, the Diocese or Church Group and the affected Client Church shall determine between themselves the allocation of controller responsibilities in accordance with applicable law, and ChurchPlan shall be entitled to continue processing on the basis of the Diocesan and Multi-Entity Supplement until it receives joint written direction otherwise from both parties.
  • Any dispute between a Diocese or Church Group and a Client Church regarding the existence or scope of administrative authority, or any request to change a Visibility Scope, shall be resolved as follows: (i) requests to change a Visibility Scope may only be initiated by the Church Administrator on file for the affected Client Church or by the individual named as the “Approved By” party in the original Consent Matrix entry (in Section 5 of the Diocesan and Multi-Entity Supplement) for that Client Church, through a channel verified by ChurchPlan; (ii) all other disputes shall be resolved between the Diocese or Church Group and the Client Church directly, and ChurchPlan shall maintain the Visibility Scope as configured in the Diocesan and Multi-Entity Supplement until it receives joint written instruction or an order of a court of competent jurisdiction.

2.3 Documented Instructions

The Client’s documented instructions to ChurchPlan with respect to processing Client Personal Data are set out in:

  • this DPA;
  • the MSA, including any Order Form and any other Schedules;
  • configurations made by the Client (or by its Administrative Users, including the Church Administrator, Diocese Administrator, and any Group Administrators) within the Platform interface; and
  • any additional written instructions agreed between the parties in writing.

ChurchPlan shall promptly inform the Client if, in its opinion, an instruction infringes GDPR, UK GDPR, or other applicable data protection law.

3. Scope of Processing

The subject matter, nature, purpose, duration, categories of Personal Information, and categories of Data Subjects of the processing performed by ChurchPlan on behalf of the Client are set out in Annex 1 (Processing Details). The Client and ChurchPlan acknowledge that Annex 1 is intended to satisfy the descriptive requirements of GDPR Article 28(3) and equivalent obligations under other applicable laws.

4. Processor Obligations

ChurchPlan, as Data Processor, shall:

  • process Client Personal Data only on the Client’s documented instructions as described in Section 2.3, including with regard to Restricted Transfers, except where required by applicable law (in which case ChurchPlan will inform the Client of that legal requirement before processing, unless that law prohibits such notification);
  • ensure that all personnel authorized to process Client Personal Data are bound by appropriate obligations of confidentiality, whether by contract or statute;
  • implement and maintain the technical and organizational security measures described in Annex 2 (Technical and Organizational Measures), and not materially reduce the overall level of protection of Client Personal Data during the term of this DPA;
  • engage Subprocessors only in accordance with Section 5 (Subprocessors);
  • assist the Client, taking into account the nature of the processing and the information available to ChurchPlan, in fulfilling the Client’s obligations to respond to requests by Data Subjects to exercise their rights under applicable law, as described in Section 6 (Data Subject Rights Assistance);
  • assist the Client in ensuring compliance with the Client’s obligations under Articles 32 to 36 of GDPR (and equivalent provisions of other applicable law), including in relation to security of processing, notification of Personal Data Breaches, communication of Personal Data Breaches to Data Subjects, data protection impact assessments, and prior consultation with Supervisory Authorities, in each case taking into account the nature of the processing and the information available to ChurchPlan;
  • at the Client’s choice, delete or return all Client Personal Data to the Client after the end of the provision of the Platform services, and delete existing copies, unless applicable law requires storage of the Client Personal Data (in which case ChurchPlan shall continue to comply with this DPA in respect of such retained Client Personal Data); and
  • make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits and inspections in accordance with Section 8 (Audits and Inspections).

5. Subprocessors

5.1 General Authorization

The Client grants ChurchPlan general written authorization to engage Subprocessors to assist in the provision of the Platform, subject to the conditions in this Section 5. The Subprocessors engaged by ChurchPlan as of the Effective Date are listed in Annex 3 (Subprocessors).

5.2 Notification of Changes

ChurchPlan shall notify the Client at least thirty (30) days in advance of any intended addition or replacement of a Subprocessor that processes Client Personal Data. Notification may be given by email to the Administrative User(s) identified by the Client for compliance notifications, or by another means reasonably calculated to bring the change to the Client’s attention. For changes to Subprocessors disclosed by name in Annex 3, notification will identify the new or replacement Subprocessor by name. For changes within the categories of Subprocessors described in Annex 3 by category, notification will identify the change in functional terms, and the specific name of the new or replacement Subprocessor will be made available to the Client on the same disclosure-on-request basis described in Annex 3, Section A. The Client may also subscribe to receive Subprocessor change notifications by emailing privacyofficer@churchplan.com.

5.3 Right to Object

The Client may object to a proposed addition or replacement of a Subprocessor on reasonable data protection grounds within fifteen (15) days of receiving notice. The parties will work together in good faith to address the objection — for example, by ChurchPlan implementing additional safeguards, by identifying an alternative Subprocessor, or by adjusting the scope of processing performed by the proposed Subprocessor. If the parties are unable to resolve the objection within thirty (30) days of the Client’s objection, the Client may terminate the affected service or, where the Subprocessor is integral to the Platform, the MSA, on ninety (90) days’ written notice, without penalty and with a pro-rata refund of any prepaid fees attributable to the period after termination.

5.4 Subprocessor Obligations

ChurchPlan shall impose on each Subprocessor, by written contract, data protection obligations that are no less protective of Client Personal Data than those imposed on ChurchPlan under this DPA — in particular, the obligation to provide sufficient guarantees to implement appropriate technical and organizational measures. ChurchPlan shall remain fully liable to the Client for the performance of each Subprocessor’s obligations under such written contract.

6. Data Subject Rights Assistance

Taking into account the nature of the processing, ChurchPlan shall assist the Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising Data Subjects’ rights laid down in applicable law, including the rights of access, rectification, erasure, restriction of processing, data portability, objection, and not to be subject to automated decision-making.

If ChurchPlan receives a request from a Data Subject relating to Client Personal Data, ChurchPlan shall:

  • promptly notify the Client of the request — ordinarily within five (5) business days of receipt;
  • not respond to the request directly, except as instructed by the Client or as required by applicable law (in which case ChurchPlan shall inform the Client of that legal requirement to the extent permitted);
  • provide the Client with the information reasonably necessary to enable the Client to respond to the request, including by making available Platform functionality through which the Client (acting through its Administrative Users) may locate, export, correct, or delete the relevant Client Personal Data; and
  • where the Client requests additional assistance beyond that available through Platform functionality, provide such assistance on terms to be agreed, including reimbursement of ChurchPlan’s reasonable costs where the request exceeds standard support.

7. Personal Data Breach Notification

7.1 Notification to the Client

ChurchPlan shall notify the Client without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Client Personal Data. Such notification shall be made by email to the Administrative User(s) identified by the Client for compliance notifications and, where the breach is severe or time-sensitive, also by email and telephone to the Church Administrator, Diocese Administrator, or Group Administrator on record.

7.2 Contents of Notification

The notification shall, to the extent known to ChurchPlan at the time of notification:

  • describe the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and records concerned;
  • communicate the name and contact details of ChurchPlan’s Privacy Officer or other contact point from which more information can be obtained;
  • describe the likely consequences of the Personal Data Breach; and
  • describe the measures taken or proposed to be taken by ChurchPlan to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay.

7.3 Client Responsibility

The Client, as Data Controller, remains solely responsible for notifying any Supervisory Authority and affected Data Subjects of the Personal Data Breach to the extent required by applicable law. ChurchPlan shall provide reasonable cooperation to the Client in connection with any such notifications. ChurchPlan shall not make any public statement, regulatory filing, or notification to Data Subjects regarding a Personal Data Breach affecting Client Personal Data without the Client’s prior written consent, except where required by applicable law (in which case ChurchPlan shall inform the Client of that legal requirement before disclosure to the extent permitted).

8. Audits and Inspections

8.1 Audit Information

ChurchPlan shall make available to the Client all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA. In particular, ChurchPlan shall provide the Client, on request and subject to reasonable confidentiality undertakings:

  • the then-current ChurchPlan Security Overview and a summary of the technical and organizational measures described in Annex 2;
  • the executive summary of ChurchPlan’s most recent SOC 2 Type II report (once ChurchPlan has obtained such a report) or equivalent independent third-party audit report covering ChurchPlan’s relevant systems and controls;
  • responses to reasonable security and data-protection questionnaires submitted by the Client, not more than once per twelve (12) month period (excluding questionnaires required in connection with a Personal Data Breach or regulatory investigation, which are not subject to the frequency limit); and
  • subprocessor information and updates as described in Section 5.

8.2 Audit Rights

Where the information and reports made available under Section 8.1 are not sufficient to demonstrate compliance, the Client may, at its own expense and on at least thirty (30) days’ prior written notice, conduct (or appoint an independent third-party auditor bound by confidentiality obligations to conduct) an audit of ChurchPlan’s processing of Client Personal Data, subject to the following:

  • audits shall be conducted no more than once per twelve (12) month period, except where required following a Personal Data Breach, regulatory investigation, or material change in processing;
  • audits shall be conducted during normal business hours, with reasonable care to minimize disruption to ChurchPlan’s operations and the operations of other customers;
  • the auditor shall not be a competitor of ChurchPlan and shall enter into a confidentiality undertaking reasonably acceptable to ChurchPlan;
  • the scope of the audit shall be agreed in advance between the parties and shall be limited to ChurchPlan’s compliance with this DPA in relation to the Client’s Client Personal Data; the audit shall not access data of other customers of ChurchPlan and shall not include penetration testing or other intrusive testing of ChurchPlan’s production systems without ChurchPlan’s prior written consent; and
  • the Client shall promptly share any audit findings with ChurchPlan and, where the audit identifies remediable deficiencies, allow ChurchPlan a reasonable period to remediate before drawing conclusions of non-compliance.

8.3 Regulatory Audits

Notwithstanding Sections 8.1 and 8.2, ChurchPlan shall cooperate with any audit or inspection mandated by a competent Supervisory Authority or other regulatory body of competent jurisdiction, to the extent required by applicable law.

9. International Transfers

9.1 General

ChurchPlan is headquartered in Toronto, Ontario, Canada. The Platform infrastructure is hosted on cloud regions as described in Annex 3. The Client acknowledges that the provision of the Platform involves the processing of Client Personal Data in Canada and, depending on the Client’s configuration and the Subprocessors used, may involve processing in other jurisdictions.

9.2 Transfers Subject to GDPR / UK GDPR

Where the Client is established in the EEA, Switzerland, or the United Kingdom, or where Client Personal Data is otherwise subject to GDPR or UK GDPR and is transferred to ChurchPlan or a Subprocessor located outside the EEA, Switzerland, or the United Kingdom, the parties agree that:

  • Where Canada is the destination jurisdiction and the relevant Client Personal Data falls within the scope of the European Commission’s adequacy decision for Canada applicable to commercial organizations subject to PIPEDA, the parties rely on that adequacy decision for the transfer.
  • Where no adequacy decision applies, the parties incorporate by reference the Standard Contractual Clauses (Module Two — Controller to Processor), as set out in Annex 4 (EU Standard Contractual Clauses — Module Two), and they shall apply to the transfer. Annex 4 also provides the Annex I (List of Parties; Description of Transfer; Competent Supervisory Authority), Annex II (Technical and Organizational Measures), and Annex III (List of Subprocessors) of the SCCs.
  • For transfers subject to the UK GDPR, the UK Addendum is incorporated by reference and shall apply to the transfer in conjunction with the SCCs as set out in Annex 4. The information required by Tables 1 to 4 of the UK Addendum is set out in Annex 4.
  • For transfers subject to Swiss data protection law, the SCCs shall apply with the modifications described in the Swiss Federal Data Protection and Information Commissioner’s guidance, including substitution of references to "GDPR" with references to the Swiss Federal Act on Data Protection where applicable, and references to "Member State" being interpreted to include Switzerland.

9.3 Transfers Subject to PIPEDA, Australian Privacy Act, or Other Laws

Where Client Personal Data is subject to PIPEDA, the Quebec Law 25, the Australian Privacy Act, or other applicable data protection law that imposes cross-border transfer requirements, ChurchPlan shall: (a) provide the Client with information reasonably necessary to satisfy any notification obligations the Client may have to its Data Subjects regarding cross-border transfers; (b) ensure that contractual measures of comparable protection are in place with each Subprocessor; and (c) cooperate with the Client to put in place additional transfer mechanisms reasonably required by the Client’s jurisdiction.

10. CCPA / CPRA Service Provider Terms

Where this DPA applies to "personal information" of California residents subject to the CCPA/CPRA:

  • ChurchPlan acts as a "service provider" within the meaning of CCPA/CPRA and processes Client Personal Data only for the limited and specified purposes set out in the MSA and this DPA.
  • ChurchPlan shall not sell Client Personal Data, and shall not share Client Personal Data for cross-context behavioral advertising.
  • ChurchPlan shall not retain, use, or disclose Client Personal Data for any purpose other than for the specific purpose of performing the services specified in the MSA and this DPA, or as otherwise permitted by CCPA/CPRA.
  • ChurchPlan shall not retain, use, or disclose Client Personal Data outside of the direct business relationship between ChurchPlan and the Client.
  • ChurchPlan shall not combine Client Personal Data received from the Client with personal information received from any other source or collected from ChurchPlan’s own interactions with consumers, except where permitted by CCPA/CPRA.
  • ChurchPlan certifies that it understands and will comply with the restrictions set out in this Section 10.

11. Liability

Each party’s liability arising out of or in connection with this DPA shall be subject to the limitations of liability set out in the MSA. For the avoidance of doubt, the liability limitations in the MSA apply to claims by either party against the other arising out of breach of this DPA, except where mandatory applicable data protection law provides otherwise.

12. Term and Termination

This DPA shall remain in effect for so long as ChurchPlan processes Client Personal Data on behalf of the Client under the MSA. Upon termination or expiration of the MSA:

  • ChurchPlan shall, at the Client’s choice (to be communicated in writing within thirty (30) days of MSA termination), delete or return all Client Personal Data to the Client, and delete existing copies, subject to applicable law requiring continued retention;
  • the return of Client Personal Data shall be effected using standard Platform export functionality, in a structured, commonly-used, machine-readable format. Custom export formats or media may be provided on terms to be agreed, including reimbursement of ChurchPlan’s reasonable costs;
  • the Client may exercise its Platform-based data export functionality at any time up to the date of MSA termination and for a grace period of thirty (30) days thereafter, after which time the Client’s access to the Platform shall be deactivated;
  • ChurchPlan may retain Client Personal Data after MSA termination only to the extent required by applicable law, in which case ChurchPlan shall continue to apply the protections of this DPA to such retained Client Personal Data and limit further processing to that necessary to comply with the retention requirement.

13. General

13.1 Amendments

ChurchPlan may amend this DPA from time to time to reflect changes in applicable data protection law, new or modified Subprocessor arrangements, updates to the SCCs or UK Addendum, or operational improvements to the protections afforded by this DPA. Material amendments will be communicated to the Client with at least thirty (30) days’ advance notice. Amendments required by binding law take effect on the date required by the law. Non-material amendments (including changes to Annex 3 to reflect new or replaced Subprocessors notified in accordance with Section 5) take effect when notified.

13.2 Severability

If any provision of this DPA is held to be invalid or unenforceable by a court of competent jurisdiction or a Supervisory Authority, the remaining provisions shall remain in full force and effect, and the parties shall negotiate in good faith a replacement provision that achieves the original intent of the invalid provision to the maximum extent permitted by law.

13.3 Order of Precedence

In the event of any conflict between (a) the body of this DPA and (b) any Annex to this DPA, the body of this DPA prevails, except that Annex 4 (EU Standard Contractual Clauses — Module Two) shall prevail with respect to processing involving Restricted Transfers from the EEA, UK, or Switzerland.

13.4 Governing Law

This DPA shall be governed by the laws specified in the MSA, except that the SCCs incorporated into Annex 4 shall be governed by the law specified in those SCCs (and the UK Addendum shall be governed by the law specified therein).

Execution

This Data Processing Agreement is incorporated by reference into the Master Service Agreement and forms part of it without requiring separate signature. At the Client’s request, ChurchPlan will provide a separately-executed copy of this DPA in substantially the form set out herein, using the signature block below.

CHURCHPLAN INC.
By: __________________________________
Name: ________________________________
Title: _________________________________
Date: _________________________________		CLIENT
By: __________________________________
Name: ________________________________
Title: _________________________________
Date: _________________________________

Annex 1 — Processing Details

This Annex sets out the details of processing as required by GDPR Article 28(3), and serves as Annex I of the SCCs where applicable.

A. Subject Matter

The subject matter of the processing is the provision of the ChurchPlan Platform — a software-as-a-service platform that supports churches, parishes, dioceses, charities, and faith-based organizations in managing their members, events, donations, communications, and administrative operations.

B. Duration

The duration of the processing is the term of the MSA, including the Subscription Term and the post-termination data retention and return period described in Section 12 of this DPA and the corresponding provisions of the MSA.

C. Nature and Purpose

The nature and purpose of the processing includes:

  • hosting and operating the Platform on behalf of the Client;
  • storing, organizing, and structuring Client Personal Data within the Client’s tenant of the Platform;
  • processing donations and event payments through tokenizing third-party payment processors;
  • generating and delivering tax receipts and donor statements in accordance with applicable charitable tax law;
  • managing member, household, and community records;
  • supporting Church administrative functions, including the assignment and management of administrative roles described in the MSA;
  • facilitating affiliation between a Diocese or Church Group and its Client Churches and the corresponding Diocese Administrator and Group Administrator access;
  • maintaining the security, integrity, availability, and operational performance of the Platform;
  • responding to Client and Data Subject requests in accordance with this DPA; and
  • complying with applicable legal obligations of ChurchPlan as Processor.

D. Categories of Data Subjects

CategoryDescription
Church members and communityIndividuals affiliated with a Client Church, Church Group, or Diocese (including parishioners, congregants, regular attendees, registered members, families, and ministry participants).
DonorsIndividuals making one-time or recurring donations through the Platform, including non-members and anonymous-by-name donors who provide contact information for receipting purposes.
Event participantsIndividuals registering for, attending, or supervising events, services, retreats, missions, classes, or other Activities hosted through the Platform.
Minors and dependentsChildren and other dependents whose information appears in family profiles managed by their parents or legal guardians through the Platform.
Administrative Users and personnelClergy, staff, volunteers, and other personnel of the Client granted administrative access to the Platform, including the Church Administrator, Diocese Administrator, Group Administrators, and other Administrative Users.
GuestsIndividuals who interact with the Platform without holding a member account (for example, one-time event registrants or guest donors).

E. Categories of Personal Information

Category of Data SubjectCategories of Personal Information
Church members and communityName, email address, telephone number, home and mailing address, date of birth, gender, marital status, household relationships, ministry involvement, attendance records, communication preferences, photograph (where uploaded).
DonorsName, contact details, mailing address, donation history, transaction records, payment method tokens (no full card data stored), tax receipt records, donor designations.
Event participantsName, contact details, registration details, emergency contact information, dietary preferences, medical or allergy information (where voluntarily provided), consent records, photo release indicators.
Minors and dependentsName, date of birth, gender, school year, medical or allergy information, dietary preferences, parental or guardian contact details, safeguarding-relevant indicators set by Administrative Users.
Administrative Users and personnelName, contact details, role and permissions, login credentials (hashed; no plaintext stored), session tokens, access logs, audit-trail records of administrative actions, IP address of session origin.
GuestsName, email address, mailing address (for receipting), transaction records.

F. Sensitive or Special Category Data

The Platform supports the optional collection of the following categories of data that may be considered sensitive or special category data under applicable law:

  • Religious affiliation — inherent to the nature of the Platform; the Client’s lawful basis for processing is typically that the Data Subject has made the information manifestly public by joining the religious community, or other lawful basis available to non-profit religious organizations under applicable law (e.g., GDPR Article 9(2)(d)).
  • Medical or allergy information — optionally provided by Data Subjects (or their parents or guardians, in the case of minors) in connection with event registration or safeguarding. The Client is responsible for ensuring a lawful basis for processing such information.
  • Safeguarding-relevant information — optionally recorded by Administrative Users to support child-protection or vulnerable-adult-protection responsibilities. The Client is responsible for ensuring a lawful basis (typically substantial public interest under GDPR Article 9(2)(g) or equivalent).

ChurchPlan does not collect or process biometric data, genetic data, or data concerning sexual orientation, except to the extent that such information may be inadvertently included in free-text fields, in which case ChurchPlan processes it solely as part of the broader Client Personal Data on the same terms as other Client Personal Data.

G. Frequency of Processing

Continuous, throughout the term of the MSA, in accordance with the Client’s use of the Platform.

H. Retention Period

Client Personal Data is retained for the duration of the MSA, plus the post-termination return-or-delete period described in Section 12 of this DPA, plus any retention period required by applicable law.

I. Competent Supervisory Authority

Where the SCCs apply (Annex 4), the competent Supervisory Authority shall be determined in accordance with Clause 13 of the SCCs. The Client and ChurchPlan acknowledge that, for most Client engagements where the Client is established in an EEA Member State, the competent Supervisory Authority is that of the EEA Member State in which the Client is established. For Clients established in the United Kingdom, the competent authority is the Information Commissioner’s Office.

Annex 2 — Technical and Organizational Measures

This Annex describes the technical and organizational security measures implemented by ChurchPlan and serves as Annex II of the SCCs where applicable.

A. Encryption and Cryptographic Controls

  • Encryption of Client Personal Data in transit using TLS 1.2 or higher (with TLS 1.3 enabled where supported by the client), with cipher suites providing at least 256-bit equivalent security.
  • Encryption of Client Personal Data at rest using AES-256 or equivalent industry-standard encryption.
  • Cryptographic hashing of all user passwords using bcrypt (or stronger) with per-credential salts. Plaintext credentials are never stored or transmitted in the clear within the Platform.
  • Session tokens secured with HTTP-only and Secure flags; automatic expiration of tokens, and immediate invalidation of all session tokens for a user upon any change to that user’s role or permissions.

B. Access Controls

  • Role-based access controls (RBAC) implementing the principle of least privilege, with separate permission scopes for end users, treasurers, service supervisors, Administrative Users, Group Administrators, Diocese Administrators, and Church Administrators.
  • Email-address verification required before users access privileged Platform features.
  • Support for multi-factor authentication on administrator accounts (where enabled by the Client).
  • Strict tenant isolation — each Client’s data is logically and technically separated from all other Clients at the database level. Authentication and authorization checks ensure that no Administrative User of one Client can access data of another Client.
  • Internal access by ChurchPlan personnel is restricted to authorized individuals with a documented business need, subject to confidentiality obligations, periodic access review, and immediate revocation upon role change or departure.

C. Application Security

  • Input validation, output encoding, and parameterized queries to protect against injection attacks.
  • Cross-site scripting and cross-site request forgery protections.
  • Rate limiting on authentication, password-reset, and other sensitive endpoints to mitigate brute-force and abuse attacks.
  • Sanitization and dedicated cloud storage of uploaded files, segregated from application servers.
  • Regular static and dynamic application security testing as part of the software development lifecycle.

D. Infrastructure and Network Security

  • Containerized deployments on managed cloud infrastructure with automated health checks, auto-recovery, and real-time error monitoring.
  • Network segmentation between application, database, and management tiers.
  • Web application firewall and distributed denial-of-service protections at the network edge.
  • Hardened operating system images with regular security patching.

E. Payment Security

  • PCI-DSS-compliant payment processing through tokenizing third-party processors (currently Stripe). No full credit card numbers, CVV codes, or full bank account credentials are stored or processed within ChurchPlan systems.

F. Logging, Monitoring, and Audit

  • Immutable audit logging of all authenticated requests, recording user identity, timestamp, action performed, originating IP address, and (where applicable) the affected record.
  • Centralized security monitoring with alerts for anomalous patterns (e.g., unusual login locations, bulk data export volumes, repeated authentication failures).
  • Regular review of audit logs by security personnel; retention of audit logs for at least twelve (12) months or longer as required by applicable law.

G. Resilience, Backup, and Recovery

  • Automated weekly backups of Client Personal Data and Platform configuration data, with backup integrity verification (consistent with the backup frequency specified in MSA Schedule A, Section A.6).
  • Documented backup retention policy and recovery point / recovery time objectives consistent with the SLA.
  • Business continuity and disaster recovery procedures, tested periodically.
  • Geographically redundant backup storage where supported by the cloud infrastructure provider.

H. Physical Security

  • Production infrastructure hosted in data centres operated by cloud infrastructure Subprocessors that maintain SOC 2, ISO 27001, or equivalent third-party certifications and that implement physical security controls including access control, surveillance, environmental monitoring, and 24/7 manned security.

I. Organizational Measures

  • Documented information security policy reviewed at least annually.
  • Confidentiality obligations imposed on all personnel with access to Client Personal Data.
  • Ongoing security awareness training for personnel with access to Personal Information.
  • Incident response procedures with defined roles, escalation paths, and external notification timelines aligned with this DPA.
  • Vendor management procedures, including security review of new Subprocessors.
  • Documented data protection impact assessment process for material changes to the Platform.

J. Privacy by Design and Default

  • Pseudonymization and anonymization applied where technically feasible and appropriate (e.g., in aggregated analytics and operational dashboards).
  • Data minimization principles applied to the design of new Platform features.
  • Default settings configured to provide the highest practical level of data protection.

K. Continuous Improvement

  • Regular vulnerability assessments and periodic penetration testing of the Platform.
  • Tracking and remediation of identified vulnerabilities according to severity-based timelines.
  • Alignment with the SOC 2 framework for Security, Availability, and Confidentiality trust services criteria, with progress toward formal SOC 2 Type II attestation.

Annex 3 — Subprocessors

This Annex describes the categories of Subprocessors engaged by ChurchPlan as of the Effective Date of this DPA, and serves as Annex III of the SCCs where applicable. ChurchPlan will update this Annex in accordance with Section 5 of this DPA. Subprocessor name disclosure follows the rules set out in Section A below.

A. Subprocessor Identities

Subprocessors with which the Client or its end users interact directly are named in the table below. Other Subprocessors are described by category, function, processing region, and the categories of Personal Information processed; their specific names and contact details are available to the Client on written request to privacyofficer@churchplan.com, where appropriate subject to a reasonable confidentiality undertaking.

B. Subprocessor Categories

SubprocessorRole / ServiceProcessing RegionCategories of Personal Information Processed
Stripe, Inc. (named)Tokenized payment processing for donations and event paymentsUnited States; other regions where Stripe operates in accordance with Stripe’s applicable terms.Donor and payer identifying information (name, email, mailing address), payment-method tokens, transaction records. No full payment-card data is processed by, or shared with, ChurchPlan.
Cloud infrastructure provider — name disclosed on request (subject to Section A)Hosting of Platform application, database, and storage infrastructureUnited States and Canada. For Clients established in Canada, Canada is the primary processing region. For other Clients, processing region is determined by Client configuration and operational requirements.All categories of Client Personal Data, processed as part of the hosted Platform infrastructure.
Transactional email provider — name disclosed on request (subject to Section A)Delivery of transactional emails (tax receipts, system notifications, communications initiated by Administrative Users through the Platform)United States and Canada. For Clients established in Canada, Canada is the primary processing region.Recipient name and email address; email subject and body contents as generated by the Platform or composed by Administrative Users.
Error monitoring and operational telemetry provider — name disclosed on request (subject to Section A)Real-time error monitoring, performance telemetry, and security observabilityUnited States and Canada. For Clients established in Canada, Canada is the primary processing region.Technical telemetry data; incidental Personal Information that may be included in error messages, logs, or stack traces, processed solely to support the operation, security, and reliability of the Platform.

Where this Annex serves as Annex III of the SCCs (Module Two), the data exporter’s general authorization to engage the Subprocessors listed above (whether named or described by category in accordance with Section A) is given as part of the Client’s acceptance of this DPA. The mechanism for adding or replacing Subprocessors is set out in Section 5 of this DPA.

Annex 4 — EU Standard Contractual Clauses (Module Two)

This Annex incorporates the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller-to-Processor transfers), where the Client is the data exporter and ChurchPlan is the data importer. This Annex also provides the UK International Data Transfer Addendum to apply to transfers subject to UK GDPR.

A. Incorporation by Reference

The Standard Contractual Clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller-to-Processor), are incorporated by reference into this DPA and form part of it. The full text of the Module Two SCCs is publicly available at the URL set out in the Commission Implementing Decision (https://eur-lex.europa.eu/eli/dec_impl/2021/914) and is available on request from ChurchPlan at privacyofficer@churchplan.com. The Client may at any time request that ChurchPlan execute a separate copy of the SCCs incorporating the information set out in Sections B through G below.

B. Module and Optional Clauses

The parties have selected the following modules and options:

  • Module: Module Two (Controller-to-Processor).
  • Clause 7 (Docking clause): Included.
  • Clause 9 (Subprocessors), Option 2 (General written authorization): Selected. The time period for prior notice of Subprocessor changes is thirty (30) days, as set out in Section 5.2 of this DPA.
  • Clause 11(a) (Optional independent dispute-resolution language): Not selected.
  • Clause 17 (Governing law): The SCCs shall be governed by the law of Ireland.
  • Clause 18 (Choice of forum and jurisdiction): Any dispute arising from the SCCs shall be resolved by the courts of Ireland.

C. Annex I.A — List of Parties

Data Exporter (Controller)Data Importer (Processor)
NameThe Client, as identified in the MSA or Order Form.ChurchPlan Inc.
AddressAs set out in the MSA or Order Form.1200 Bay St. Suite 1201, Toronto, Ontario M5R 2A5, Canada.
Contact person’s name, position and contact detailsThe Administrative User(s) identified by the Client for compliance notifications, or, in the absence of such designation, the Church Administrator, Diocese Administrator, or Group Administrator on record.Privacy Officer, ChurchPlan Inc., privacyofficer@churchplan.com, Tel: 1-800-420-1140.
Activities relevant to the data transferredUse of the ChurchPlan Platform for the management of church, parish, mission, diocesan, or charitable operations, including member records, donations, events, and communications.Provision of the ChurchPlan Platform (software as a service) and ancillary support services to the Client.
Role (controller / processor)ControllerProcessor

D. Annex I.B — Description of Transfer

The categories of data subjects, categories of personal data, sensitive data (if any), frequency, nature, and purpose of the transfer, period for retention, and (for transfers to subprocessors) subject matter, nature, and duration of subprocessor processing are as set out in Annex 1 (Processing Details) and Annex 3 (Subprocessors) of this DPA, which are incorporated into this Annex by reference.

E. Annex I.C — Competent Supervisory Authority

The competent Supervisory Authority is as set out in Annex 1, Section I of this DPA. Where the Client is established in an EEA Member State, the competent Supervisory Authority is that of the EEA Member State in which the Client is established. Where the Client is established outside the EEA but is subject to GDPR by virtue of Article 3(2) GDPR, the competent Supervisory Authority is that of the EEA Member State in which the Client’s representative under Article 27 GDPR is established. Where neither basis applies but the Client invokes Module Two, the competent Supervisory Authority shall be the Data Protection Commission of Ireland.

F. Annex II — Technical and Organizational Measures

The technical and organizational measures applied by the data importer (ChurchPlan) are set out in Annex 2 (Technical and Organizational Measures) of this DPA, which is incorporated into this Annex by reference. The measures address access controls, encryption (at rest and in transit), pseudonymization, system resilience, regular testing, certifications, logging and monitoring, data minimization, retention, return and deletion, and the security of subprocessor relationships.

G. Annex III — List of Subprocessors

The Subprocessors authorized by the data exporter are set out in Annex 3 (Subprocessors) of this DPA, which is incorporated into this Annex by reference. The mechanism for adding or replacing Subprocessors is set out in Section 5 of this DPA.

H. UK International Data Transfer Addendum

For transfers of Client Personal Data subject to UK GDPR from the United Kingdom to ChurchPlan in Canada (or to a Subprocessor outside the United Kingdom), the parties incorporate the UK International Data Transfer Addendum (the "UK Addendum") to the EU Commission SCCs, in the form issued by the UK Information Commissioner’s Office and laid before Parliament on 2 February 2022, as updated from time to time.

The information required by the UK Addendum is as follows:

  • Table 1 — Parties: As set out in Section C of this Annex (Annex I.A).
  • Table 2 — Selected SCCs, Modules and Selected Clauses: EU Commission SCCs, Module Two, as modified by Sections A and B of this Annex.
  • Table 3 — Appendix Information: As set out in Annex 1, Annex 2, and Annex 3 of this DPA.
  • Table 4 — Ending the Agreement: Either party may end the UK Addendum as set out in Section 19 of the UK Addendum, where the UK ICO issues a revised approved agreement that the receiving party considers materially detrimental.

I. Swiss Modifications

For transfers subject to Swiss data protection law: (i) references in the SCCs to "GDPR" shall be deemed to include the Swiss Federal Act on Data Protection where applicable; (ii) references to "Member State" shall be interpreted to include Switzerland; and (iii) the competent Supervisory Authority for Swiss transfers shall be the Swiss Federal Data Protection and Information Commissioner (FDPIC).

J. Execution of SCCs

Where the Client is established in the EEA, Switzerland, or the United Kingdom and requires a separately-executed copy of the SCCs (with this Annex 4 as the populated Annex I, II, and III), ChurchPlan will provide one on request. Such separately-executed copy shall have the same legal effect as the version incorporated into this DPA by reference.

Last updated: May 19, 2026

© 2026 ChurchPlan