LAST UPDATED: FEBRUARY 2025
To support delivery of The Service we, ChurchSuite Ltd., may engage and use data processors with access to certain Service data (each, a “Sub-processor”). This page provides important information about the identity, location and role of each Sub-processor.
Definitions we use in this document
"Data Protection Law" means all data protection laws and regulations applicable to the UK including (i) the UK Data Protection Act 2018; (ii) UK General Data Protection Regulation ("UK GDPR"); (iii) the Privacy & Electronic Communications Regulations 2003 ("the PECR") relating to electronic communications; (iv) In the event that the EU GDPR (as defined in the Data Protection Act 2018) applies to activities, we will comply with the EU GDPR; and applicable national implementations of (iii) and (iv).
"The Service" means our ChurchSuite software, which is accessed online through a web browser, or by using our mobile applications (Apps). Access is provided through a unique username/password/PIN.
"your Organisation" means your church, charity or other type of organisation that has opened a ChurchSuite account. In the relationship between us, your Organisation should be considered the Data Controller as defined within the context of Data Protection Law as to the users nominated by you in accordance with our Terms of Service.
"us", "we" and "our" refer to ChurchSuite Ltd. In the relationship between us, ChurchSuite Ltd should be considered the Data Processor as defined within the context of General Data Protection Regulation Data Protection Law as to the Personal Data concerning your users, account contact and data that they upload.
"user" means your account contact, all end-users of The Service that you have enabled to have access whether staff, workers, agents, volunteers, members, or contractors to the extent permitted by our Terms of Service to access and use The Service and /or our website.
"you" means the Organisation that is the contracted subscriber of The Service.
What is a sub-processor?
A sub-processor is a third party data processor engaged by us who has, or potentially will have access to, or process Service data (which may contain Personal Data). We engage different types of Sub-processors to perform various functions, some of which are required for use of The Service, as explained in the tables below.
Due diligence
We undertake to use a commercially reasonable selection process by which we evaluate the security, privacy and confidentiality practices of proposed Sub-processors that will or may have access to, or process, Service data.
Contractual Safeguards
We require all Sub-processors to satisfy equivalent obligations as those required from us (as a Data Processor) as set forth in either our Terms of Service, or the corresponding Sub-processor’s equivalent Data Processing Addendum (“DPA”), incorporating Standard Contractual Clauses ("SCC") where appropriate, including but not limited to the requirements to:
process Personal Data in accordance with our instructions;
in connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
implement and maintain appropriate technical and organisational measures (including measures consistent with those to which we are contractually committed to adhere insofar as they are equally relevant to the Sub-processor’s processing of Personal Data on our behalf);
promptly inform us about any actual or potential security breach; and
cooperate with us in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.
This document does not give users of The Service any additional rights or remedies and should not be construed as a binding agreement. The information here is provided for transparency purposes, to illustrate our engagement process for Sub-processors and to provide an up-to-date list of third party Sub-processors currently used by us (as of the effective date of this document) that we may use in the delivery and support of The Service.
Process to engage new sub-processors
As our business grows and evolves, the Sub-processors we engage may change. We will provide relevant users of The Service with notice of any new Sub-processors to the extent required under the Terms of Service by posting such updates here.
We will provide notice via this document of updates to the list of Sub-processors that are utilised or which we propose to utilise to deliver The Service. We undertake to keep this list updated regularly to enable users of The Service to stay informed of the scope of sub-processing associated with The Service. Please check back frequently for updates.
Sub-processors required for using The Service
ChurchSuite works with certain third parties to provide specific functionality around and within The Service and to provide customer support services. These providers are the Sub-processors detailed below. In order to provide the relevant functionality or support service, we may transfer Service data or data identifying you/your organisation to these Sub-processors. Their use is limited to the indicated activities.
Entity name | Sub-processing activities | Country |
Ably | Real time messaging | United States |
Acuity | Support appointment booking system | United States |
Amazon Web Services | Cloud service provider | United Kingdom |
Basecamp | Project and document management | United States |
Cloudflare | Service security | United States |
Digital Ocean | Mailing list management | United Kingdom |
Filestack | Email attachment management | United States |
Freeagent | Billing management | European Economic Area |
GoCardless | Billing payment processing | European Economic Area |
Google Cloud | Real time messaging | Global |
Google Inc. | Email service | United States |
Google Maps Platform | Google Maps content | United States |
Grafana Cloud | Service monitoring | European Economic Area |
Helpscout | Support ticketing | United States |
Mandrill (Mailchimp) | Email delivery service | United States |
Mailgun | Email delivery service | European Economic Area |
New Relic | Service monitoring | United Stated |
OpenStreetMap Foundation | OpenStreetMap content | United Kingdom, European Economic Area |
Sentry | Service monitoring | United States |
Stripe | Billing payment processing | European Economic Area |
Textlocal | SMS messaging | United Kingdom |
Twilio | SMS messaging | United States |