LAST UPDATED: SEPTEMBER 26, 2023
EFFECTIVE FROM: SEPTEMBER 01, 2021
To support delivery of The Service we, ChurchSuite Ltd., may engage and use data processors with access to certain Service data (each, a “Sub-processor”). This page provides important information about the identity, location and role of each Sub-processor.
Definitions we use in this document
"Data Protection Law" means all data protection laws and regulations applicable to the UK including (i) the UK Data Protection Act 2018; (ii) UK General Data Protection Regulation ("UK GDPR"); (iii) the Privacy & Electronic Communications Regulations 2003 ("the PECR") relating to electronic communications; (iv) In the event that the EU GDPR (as defined in the Data Protection Act 2018) applies to activities, we will comply with the EU GDPR; and applicable national implementations of (iii) and (iv).
"The Service" means our ChurchSuite software, which is accessed online through a web browser, or by using our mobile applications (Apps). Access is provided through a unique username/password/PIN.
"your Organisation" means your church, charity or other type of organisation that has opened a ChurchSuite account. In the relationship between us, your Organisation should be considered the Data Controller as defined within the context of Data Protection Law as to the users nominated by you in accordance with our Terms of Service.
"us", "we" and "our" refer to ChurchSuite Ltd. In the relationship between us, ChurchSuite Ltd should be considered the Data Processor as defined within the context of General Data Protection Regulation Data Protection Law as to the Personal Data concerning your users, account contact and data that they upload.
"user" means your account contact, all end-users of The Service that you have enabled to have access whether staff, workers, agents, volunteers, members, or contractors to the extent permitted by our Terms of Service to access and use The Service and /or our website.
"you" means the Organisation that is the contracted subscriber of The Service.
What is a sub-processor?
A sub-processor is a third party data processor engaged by us who has, or potentially will have access to, or process Service data (which may contain Personal Data). We engage different types of Sub-processors to perform various functions, some of which are required for use of The Service, as explained in the tables below.
Due diligence
We undertake to use a commercially reasonable selection process by which we evaluate the security, privacy and confidentiality practices of proposed Sub-processors that will or may have access to, or process, Service data.
Contractual Safeguards
We require all Sub-processors to satisfy equivalent obligations as those required from us (as a Data Processor) as set forth in either our Terms of Service, or the corresponding Sub-processor’s equivalent Data Processing Addendum (“DPA”), incorporating Standard Contractual Clauses ("SCC") where appropriate, including but not limited to the requirements to:
process Personal Data in accordance with our instructions;
in connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
implement and maintain appropriate technical and organisational measures (including measures consistent with those to which we are contractually committed to adhere insofar as they are equally relevant to the Sub-processor’s processing of Personal Data on our behalf);
promptly inform us about any actual or potential security breach; and
cooperate with us in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.
This document does not give users of The Service any additional rights or remedies and should not be construed as a binding agreement. The information here is provided for transparency purposes, to illustrate our engagement process for Sub-processors and to provide an up-to-date list of third party Sub-processors currently used by us (as of the effective date of this document) that we may use in the delivery and support of The Service.
Process to engage new sub-processors
As our business grows and evolves, the Sub-processors we engage may change. We will provide relevant users of The Service with notice of any new Sub-processors to the extent required under the Terms of Service by posting such updates here.
We will provide notice via this document of updates to the list of Sub-processors that are utilised or which we propose to utilise to deliver The Service. We undertake to keep this list updated regularly to enable users of The Service to stay informed of the scope of sub-processing associated with The Service. Please check back frequently for updates.
Service data storage sub-processors (required for using The Service)
Our development, testing, staging (pre-production) and production systems for The Service are located in secure data centre facilities in the UK. We use the following Sub-processors to host Service data and provide other infrastructure that helps with the delivery of The Service.
Entity name | Sub-processing activities | Country | Adequacy |
Amazon Web Services, Inc. | Cloud service provider | United Kingdom (London) |
Other sub-processors required for using The Service
ChurchSuite works with certain third parties to provide specific functionality around and within The Service and to provide customer support services. These providers are the Sub-processors detailed below. In order to provide the relevant functionality or support service, we may transfer Service data or data identifying you/your organisation to these Sub-processors. Their use is limited to the indicated activities.
Entity name | Sub-processing activities | Country | Adequacy |
Ably | Real time messaging for event check-in and child check-in | United States (East Virginia) | |
Acuity | Online support appointment booking system | United States (New York) | |
Basecamp | Developer and customer support project management tools | United States (Chicago, Illinois) | |
Cloudflare | Forward proxy, traffic monitoring and service security | United States | |
Filestack | File upload and storage API | United States (Texas) | |
Freeagent | Customer automated billing | Ireland | |
GoCardless | Customer billing payment processing | European Economic Area | |
Google Inc. | Cloud service provider for inbound email and some customer support applications | United States | |
Google Maps Platform | Google Maps Content | United States | |
Grafana Cloud | Service monitoring and reporting | Europe, United States | |
Helpscout | Support ticketing and response handling | United States (Boston, Massachusetts) | |
Mailchimp (Mandrill) | Email delivery service | United States | |
Mailgun | Email delivery service | European Economic Area | |
New Relic | Server performance monitoring and reporting | United Stated (Illinois) | |
OpenStreetMap Foundation | Open Street Maps Content | United Kingdom, Netherlands | |
Sentry | Application monitoring and reporting | United States | |
Stripe | Customer invoice payment processing | United States | |
Textlocal | Customer SMS messaging | United Kingdom (London) |
Other sub-processors not required for using The Service
ChurchSuite also works with certain third parties to provide specific support services around use of The Service. These providers are the Sub-processors detailed below. In order to provide the relevant functionality, we may transfer some of your data to these Sub-processors. Their use is limited to the indicated activities.
Entity name | Sub-processing activities | Country | Adequacy |
Digital Ocean | Website hosting, trial signup and mailing list hosting | United States | |
Mailchimp | Mailing list hosting | United States |
Sub-processors and payment processing
ChurchSuite does not store payment card or direct debit bank payment information or your bank account access details. Payment processing and account access information is handled directly by the following third parties according to their respective Privacy Policies and Terms of Service.
Entity name | Sub-processing activities | Country | Policy |
Stripe | Outsourced payment management | United States; Europe | |
GoCardless | Outsourced payment management | Europe |