Third party sub-processors

LAST UPDATED: SEPTEMBER 01, 2021

EFFECTIVE FROM: SEPTEMBER 01, 2021

To support delivery of The Service we, ChurchSuite Ltd., may engage and use data processors with access to certain Service data (each, a “Sub-processor”). This page provides important information about the identity, location and role of each Sub-processor.

Definitions we use in this document

  • "Data Protection Law" means all data protection laws and regulations applicable to the UK including (i) the UK Data Protection Act 2018; (ii) UK General Data Protection Regulation ("UK GDPR"); (iii) the Privacy & Electronic Communications Regulations 2003 ("the PECR") relating to electronic communications; (iv) In the event that the EU GDPR (as defined in the Data Protection Act 2018) applies to activities, we will comply with the EU GDPR; and applicable national implementations of (iii) and (iv).

  • "The Service" means our ChurchSuite software, which is accessed online through a web browser, or by using our mobile applications (Apps). Access is provided through a unique username/password/PIN.

  • "your Organisation" means your church, charity or other type of organisation that has opened a ChurchSuite account. In the relationship between us, your Organisation should be considered the Data Controller as defined within the context of Data Protection Law as to the users nominated by you in accordance with our Terms of Service.

  • "us", "we" and "our" refer to ChurchSuite Ltd. In the relationship between us, ChurchSuite Ltd should be considered the Data Processor as defined within the context of General Data Protection Regulation Data Protection Law as to the Personal Data concerning your users, account contact and data that they upload. 

  • "user" means your account contact, all end-users of The Service that you have enabled to have access whether staff, workers, agents, volunteers, members, or contractors to the extent permitted by our Terms of Service to access and use The Service and /or our website.

  • "you" means the Organisation that is the contracted subscriber of The Service.

What is a sub-processor?

A sub-processor is a third party data processor engaged by us who has, or potentially will have access to, or process Service data (which may contain Personal Data). We engage different types of Sub-processors to perform various functions, some of which are required for use of The Service, as explained in the tables below.

Due diligence

We undertake to use a commercially reasonable selection process by which we evaluate the security, privacy and confidentiality practices of proposed Sub-processors that will or may have access to, or process, Service data.

Contractual Safeguards

We require all Sub-processors to satisfy equivalent obligations as those required from us (as a Data Processor) as set forth in either our Terms of Service, or the corresponding Sub-processor’s equivalent Data Processing Addendum (“DPA”), incorporating Standard Contractual Clauses ("SCC") where appropriate, including but not limited to the requirements to:

  • process Personal Data in accordance with our instructions;

  • in connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;

  • implement and maintain appropriate technical and organisational measures (including measures consistent with those to which we are contractually committed to adhere insofar as they are equally relevant to the Sub-processor’s processing of Personal Data on our behalf);

  • promptly inform us about any actual or potential security breach; and

  • cooperate with us in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

 

This document does not give users of The Service any additional rights or remedies and should not be construed as a binding agreement. The information here is provided for transparency purposes, to illustrate our engagement process for Sub-processors and to provide an up-to-date list of third party Sub-processors currently used by us (as of the effective date of this document) that we may use in the delivery and support of The Service.

Process to engage new sub-processors

As our business grows and evolves, the Sub-processors we engage may change. We will provide relevant users of The Service with notice of any new Sub-processors to the extent required under the Terms of Service by posting such updates here.

 

We will provide notice via this document of updates to the list of Sub-processors that are utilised or which we propose to utilise to deliver The Service. We undertake to keep this list updated regularly to enable users of The Service to stay informed of the scope of sub-processing associated with The Service. Please check back frequently for updates.

Service data storage sub-processors (required for using The Service)

Our development, testing, staging (pre-production) and production systems for The Service are located in secure data centre facilities in the UK. We use the following Sub-processors to host Service data and provide other infrastructure that helps with the delivery of The Service.

Entity name

Sub-processing activities

Country

Adequacy

Amazon Web Services, Inc.

Cloud service provider

United Kingdom (London)

ISO 27001

GDPR Link

DPA with SCC

Other sub-processors required for using The Service

ChurchSuite works with certain third parties to provide specific functionality around and within The Service and to provide customer support services. These providers are the Sub-processors detailed below. In order to provide the relevant functionality or support service, we may transfer Service data or data identifying you/your organisation to these Sub-processors. Their use is limited to the indicated activities.

Entity name

Sub-processing activities

Country

Adequacy

Ably

Real time messaging for event check-in and child check-in

United States (East Virginia)
Europe (Ireland)
Asia (Singapore)

DPA with SCC

Acuity

Online support appointment booking system

United States (New York)

DPA with SCC

Basecamp

Developer and customer support project management tools

United States (Chicago, Illinois)

DPA with SCC

Filestack

File upload and storage API

United States (Texas)

GDPR Link

DPA with SCC

Freeagent

Customer automated billing

Ireland

DPA

DPA with SCC

GoCardless

Customer billing payment processing

European Economic Area

ISO 27001

GDPR Link

Google Inc.

Cloud service provider for inbound email and some customer support applications

United States

ISO 27001

GDPR Link

DPA with SCC

Helpscout

Support ticketing and response handling

United States (Boston, Massachusetts)

DPA with SCC

Mailchimp (Mandrill)

Email delivery service

United States

GDPR Link

DPA with SCC

Mailgun

Email delivery service

European Economic Area

GDPR Link

New Relic

Server performance monitoring and reporting

United Stated (Illinois)

GDPR Link

DPA with SCC

Stripe

Customer invoice payment processing

United States
Europe

DPA with SCC

Textlocal

Customer SMS messaging

United Kingdom (London)

ISO 27001

GDPR Link

Other sub-processors not required for using The Service

ChurchSuite also works with certain third parties to provide specific support services around use of The Service. These providers are the Sub-processors detailed below. In order to provide the relevant functionality, we may transfer some of your data to these Sub-processors. Their use is limited to the indicated activities.

Entity name

Sub-processing activities

Country

Adequacy

Digital Ocean

Website hosting, trial signup and mailing list hosting

United States

DPA with SCC

Mailchimp

Mailing list hosting

United States

DPA with SCC

Sub-processors and payment processing

ChurchSuite does not store payment card or direct debit bank payment information or your bank account access details. Payment processing and account access information is handled directly by the following third parties according to their respective Privacy Policies and Terms of Service.

Entity name

Sub-processing activities

Country

Policy

Stripe

Outsourced payment management

United States; Europe

Privacy Policy

GoCardless

Outsourced payment management

Europe

Privacy Policy

Start your free trial today!
Don’t just take our word for it. Try it for yourself! We’d love you to take up this 30 day free trial so you can see how ChurchSuite will benefit you.