Data Processing Agreement

GDPR-compliant data processing terms.

Effective Date: February 13, 2026
Last Updated: February 13, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Ekkleios, Inc. ("Processor," "we," "us," or "our") and the subscribing organization ("Controller," "you," or "your").

This DPA governs the processing of personal data in accordance with:

  • GDPR (General Data Protection Regulation - EU Regulation 2016/679)
  • UK GDPR (UK Data Protection Act 2018)
  • CCPA (California Consumer Privacy Act)
  • Other applicable data protection laws

By using the Service, you agree to the terms of this Data Processing Agreement.

2. Definitions

2.1 GDPR Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person
  • "Processing": Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.)
  • "Controller": The organization that determines the purposes and means of processing personal data (You)
  • "Processor": The entity that processes personal data on behalf of the Controller (Ekkleios)
  • "Sub-processor": A third-party processor engaged by Ekkleios
  • "Data Subject": An individual whose personal data is processed
  • "Supervisory Authority": A data protection authority (e.g., ICO in UK, CNIL in France)

2.2 Roles and Responsibilities

  • You (Controller): Determine what data is collected and how it's used
  • Ekkleios (Processor): Process data on your behalf according to your instructions
  • Data Subjects: Your church members, donors, volunteers, and contacts

3. Scope and Purpose of Processing

3.1 Subject Matter

Processing of personal data necessary to provide the Ekkleios church management platform.

3.2 Duration

Processing will continue for the duration of your subscription and for 30 days after termination (to allow data export).

3.3 Nature and Purpose

Processing is necessary to:

  • Provide the Platform services
  • Store and manage your organization's data
  • Enable communication features
  • Process donations
  • Generate reports and analytics
  • Provide customer support

3.4 Types of Personal Data

Personal data processed may include:

  • Identity Data: Names, titles, dates of birth
  • Contact Data: Addresses, email addresses, phone numbers
  • Financial Data: Donation amounts, payment methods (tokenized), giving history
  • Demographic Data: Age, gender, family relationships
  • Engagement Data: Event attendance, group participation, interaction history
  • Spiritual Data: Discipleship stages, pathway progress, milestones
  • Communication Data: Email content, prayer requests, testimonies, posts

3.5 Categories of Data Subjects

  • Church members and attendees
  • Donors and contributors
  • Volunteers and staff
  • Event participants
  • Website visitors
  • Community group members

4. Controller and Processor Obligations

4.1 Controller Obligations (Your Responsibilities)

You, as the Controller, are responsible for:

Legal Basis

  • Ensuring you have a legal basis for processing personal data
  • Obtaining necessary consents from data subjects
  • Providing privacy notices to data subjects
  • Determining the purposes and means of processing

Data Accuracy

  • Ensuring data you input is accurate and up-to-date
  • Correcting inaccurate data promptly
  • Deleting data when no longer necessary

Data Subject Rights

  • Responding to data subject requests (access, deletion, correction, etc.)
  • Informing Ekkleios of any data subject requests that require our assistance
  • Ensuring lawful processing of personal data

Instructions

  • Providing clear, lawful instructions for data processing
  • Not instructing us to process data in violation of applicable laws

4.2 Processor Obligations (Ekkleios Responsibilities)

We, as the Processor, will:

Process Data According to Instructions

  • Process personal data only on your documented instructions
  • Not use personal data for our own purposes
  • Notify you if we believe an instruction violates applicable law

Confidentiality

  • Ensure persons authorized to process data are bound by confidentiality
  • Maintain strict confidentiality of all personal data

Security

  • Implement appropriate technical and organizational measures (see Section 6)
  • Ensure security of processing
  • Protect against unauthorized or unlawful processing
  • Protect against accidental loss, destruction, or damage

Sub-processors

  • Only engage sub-processors with your prior authorization (see Section 5)
  • Ensure sub-processors comply with the same obligations

Data Subject Rights

  • Assist you in responding to data subject requests
  • Provide necessary information and access to data

Data Breaches

  • Notify you without undue delay of any personal data breach
  • Provide information necessary for you to comply with breach notification obligations

Audits

  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits and inspections

Data Deletion

  • Delete or return all personal data upon termination of services
  • Delete existing copies unless required by law to retain

5. Sub-processors

5.1 Authorized Sub-processors

You authorize Ekkleios to engage the following sub-processors:

| Sub-processor | Service | Location | Purpose |
|---|---|---|---|
| Google Cloud Platform (Firebase) | Cloud hosting, database, authentication | USA, EU | Data storage and platform infrastructure |
| Stripe, Inc. | Payment processing | USA | Donation and subscription processing |
| SendGrid (Twilio) | Email delivery | USA | Transactional and marketing emails |
| Twilio | SMS delivery | USA | SMS notifications (optional) |
| Intercom | Customer support | USA | Live chat and support (optional) |

5.2 Sub-processor Requirements

All sub-processors must:

  • Enter into written agreements with data protection obligations equivalent to this DPA
  • Implement appropriate technical and organizational security measures
  • Comply with GDPR and applicable data protection laws

5.3 Changes to Sub-processors

  • We will notify you of any intended changes to sub-processors
  • You have 30 days to object to new sub-processors
  • If you object, you may terminate your subscription without penalty

5.4 Sub-processor Liability

We remain fully liable for the performance of sub-processors' obligations.

6. Security Measures

6.1 Technical Measures

We implement the following technical security measures:

Encryption

  • 256-bit SSL/TLS encryption for data in transit
  • Encryption at rest for stored data (Firebase default)
  • Encrypted backups

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication (optional for users)
  • Unique user accounts (no shared credentials)
  • Automatic session timeouts

Network Security

  • Firewall protection
  • Intrusion detection and prevention
  • DDoS protection
  • Regular security monitoring

Application Security

  • Firestore security rules
  • Input validation and sanitization
  • Protection against common vulnerabilities (XSS, CSRF, SQL injection)
  • Regular security updates and patches

6.2 Organizational Measures

We implement the following organizational security measures:

Access Management

  • Least privilege access principle
  • Background checks for employees with data access
  • Confidentiality agreements for all employees
  • Access logging and monitoring

Policies and Procedures

  • Information security policy
  • Incident response plan
  • Business continuity plan
  • Data breach notification procedures

Training

  • Regular security awareness training for employees
  • GDPR and data protection training
  • Secure coding practices

Audits and Testing

  • Regular security assessments
  • Vulnerability scanning
  • Penetration testing (annual)
  • Third-party security audits

6.3 Data Backup and Recovery

  • Automated daily backups
  • Geographically distributed backup storage
  • Regular backup testing
  • Disaster recovery procedures

7. Data Breach Notification

7.1 Notification to Controller

In the event of a personal data breach, we will:

  • Notify you without undue delay (within 72 hours of becoming aware)
  • Provide the following information:
    • Nature of the breach
    • Categories and approximate number of data subjects affected
    • Categories and approximate number of records affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
    • Contact point for more information

7.2 Controller Notification Obligations

You are responsible for:

  • Notifying affected data subjects if required by law
  • Notifying supervisory authorities if required by GDPR
  • Determining whether notification is required based on risk assessment

7.3 Cooperation

We will cooperate with you and provide all necessary information to fulfill your breach notification obligations.

8. Data Subject Rights

8.1 Assistance with Requests

We will assist you in responding to data subject requests, including:

  • Right of Access: Providing data exports in standard formats
  • Right to Rectification: Enabling data correction through the Platform
  • Right to Erasure: Deleting data upon your instruction
  • Right to Restriction: Limiting processing as requested
  • Right to Data Portability: Exporting data in machine-readable formats (CSV, JSON)
  • Right to Object: Ceasing processing upon your instruction

8.2 Response Time

We will respond to your requests for assistance within 5 business days.

8.3 Controller Responsibility

You remain responsible for:

  • Verifying the identity of data subjects making requests
  • Determining the validity of requests
  • Communicating with data subjects
  • Meeting legal deadlines (typically 30 days under GDPR)

9. Data Transfers

9.1 International Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.

9.2 Transfer Mechanisms

For transfers from the EEA to third countries, we rely on:

  • Standard Contractual Clauses (SCCs): EU-approved model clauses
  • Adequacy Decisions: Where the destination country has been deemed adequate by the EU Commission
  • Sub-processor Safeguards: Our sub-processors (Google Cloud, Stripe) have implemented appropriate safeguards

9.3 Additional Safeguards

We implement additional safeguards including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Contractual obligations with sub-processors

9.4 Your Consent

By using the Service, you authorize these international data transfers.

10. Data Retention and Deletion

10.1 Retention Period

We will retain personal data only as long as necessary to provide the Service or as required by law.

10.2 Active Subscriptions

During your active subscription, data is retained as needed for platform functionality.

10.3 After Termination

Upon termination of your subscription:

  • You have 30 days to export your data
  • After 30 days, we will delete all personal data unless legally required to retain it
  • Backups containing deleted data will be purged within 90 days

10.4 Legal Retention

Some data may be retained longer if required by:

  • Tax laws (typically 7 years for financial records)
  • Legal proceedings or investigations
  • Regulatory requirements

10.5 Deletion Methods

Data deletion includes:

  • Permanent deletion from production databases
  • Removal from backups (within 90 days)
  • Secure deletion methods preventing recovery

11. Audits and Compliance

11.1 Right to Audit

You have the right to audit our compliance with this DPA, subject to:

  • Reasonable advance notice (at least 30 days)
  • Confidentiality agreements
  • Reasonable frequency (not more than once per year unless required by supervisory authority)
  • Reimbursement of our reasonable costs

11.2 Information Provision

We will provide:

  • Documentation of our security measures
  • Compliance certifications
  • Audit reports (subject to confidentiality)
  • Information necessary to demonstrate GDPR compliance

11.3 Third-Party Audits

We may provide third-party audit reports (e.g., SOC 2) in lieu of direct audits.

11.4 Supervisory Authority Audits

We will cooperate with supervisory authority audits and inspections.

12. Liability and Indemnification

12.1 Processor Liability

We are liable for damages caused by processing that violates GDPR or this DPA, except where we are not responsible for the event giving rise to the damage.

12.2 Controller Liability

You are liable for damages caused by:

  • Your instructions that violate applicable law
  • Your failure to comply with controller obligations
  • Your misuse of the Platform

12.3 Limitation of Liability

Subject to applicable law, our total liability under this DPA is limited as specified in the Terms of Service.

12.4 Sub-processor Liability

We remain fully liable for the acts and omissions of our sub-processors.

13. Term and Termination

13.1 Term

This DPA takes effect on the date you first use the Service and continues until termination of your subscription.

13.2 Termination

This DPA terminates automatically upon termination of the Terms of Service.

13.3 Effect of Termination

Upon termination:

  • We will cease processing personal data (except for deletion/return)
  • We will delete or return all personal data as instructed
  • We will delete existing copies unless legally required to retain
  • Obligations regarding confidentiality and security survive termination

13.4 Data Return

Upon your request, we will:

  • Return all personal data in a standard format (CSV, JSON)
  • Provide confirmation of data deletion
  • Complete data return/deletion within 30 days

14. Governing Law and Jurisdiction

14.1 Governing Law

This DPA is governed by the laws specified in the Terms of Service, except where GDPR or other data protection laws require otherwise.

14.2 Jurisdiction

For GDPR-related disputes, the courts of the EU member state where you are established have jurisdiction.

14.3 Supervisory Authority

You have the right to lodge a complaint with your local supervisory authority.

15. Order of Precedence

In the event of conflict:

  1. This DPA takes precedence over the Terms of Service for data protection matters
  2. GDPR and applicable data protection laws take precedence over this DPA
  3. Standard Contractual Clauses (if applicable) take precedence over conflicting provisions

16. Amendments

16.1 Changes to DPA

We may update this DPA to:

  • Reflect changes in data protection laws
  • Reflect changes in our processing activities
  • Improve clarity or compliance

16.2 Notification

Material changes will be communicated with 30 days' advance notice via:

  • Email to your registered email address
  • Notice in your account dashboard
  • Posted on our website

16.3 Acceptance

Continued use of the Service after changes constitutes acceptance of the updated DPA.

17. Contact Information

17.1 Data Protection Officer

For GDPR-related inquiries:

Data Protection Officer
Email: dpo@ekkleios.com
Address: Ekkleios, Inc., [Address to be added]

17.2 General Inquiries

For questions about this DPA:

Email: privacy@ekkleios.com
Legal: legal@ekkleios.com
Support: support@ekkleios.com

17.3 Data Subject Requests

To exercise data subject rights:

Email: privacy@ekkleios.com
Subject: "Data Subject Request - [Organization Name]"

18. Standard Contractual Clauses

18.1 Incorporation

Where required for international data transfers, the EU Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated into this DPA by reference.

18.2 Completion

The following details complete the Standard Contractual Clauses:

  • Module: Module 2 (Controller to Processor)
  • Clause 7 (Docking Clause): Optional
  • Clause 9 (Use of Sub-processors): General authorization with notification (Option 2)
  • Clause 11 (Redress): Option 1 applies
  • Clause 17 (Governing Law): Law of Ireland (EU member state)
  • Clause 18 (Choice of Forum): Courts of Ireland

18.3 Annexes

The following information completes the SCC Annexes:

  • Annex I.A (Data Exporter): Your organization details
  • Annex I.B (Data Importer): Ekkleios, Inc.
  • Annex I.C (Competent Supervisory Authority): Your local supervisory authority
  • Annex II (Technical and Organizational Measures): See Section 6 of this DPA
  • Annex III (Sub-processors): See Section 5 of this DPA

19. Specific Processing Activities

19.1 People Management

  • Purpose: Manage church members, contacts, and guests
  • Legal Basis: Legitimate interest, consent, contract performance
  • Data Categories: Identity, contact, demographic, engagement
  • Retention: Duration of membership + 1 year, or as instructed

19.2 Donation Processing

  • Purpose: Process and track donations
  • Legal Basis: Contract performance, legal obligation (tax records)
  • Data Categories: Identity, contact, financial
  • Retention: 7 years (tax law requirement)

19.3 Communications

  • Purpose: Send emails, SMS, and notifications
  • Legal Basis: Consent, legitimate interest
  • Data Categories: Contact, communication preferences
  • Retention: Until unsubscribe or account closure

19.4 Analytics

  • Purpose: Improve platform and understand usage
  • Legal Basis: Legitimate interest
  • Data Categories: Usage data, aggregated statistics
  • Retention: 26 months (anonymized)

20. Acknowledgment

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT:

  1. You have read and understood this Data Processing Agreement
  2. You agree to its terms and conditions
  3. You accept your role and responsibilities as Data Controller
  4. You authorize the processing activities and sub-processors described herein

This DPA is legally binding and forms part of your agreement with Ekkleios.


Version: 1.0
Effective Date: February 13, 2026
Last Updated: February 13, 2026

© 2026 Ekkleios, Inc. All rights reserved.