Data Processing Agreement
Last updated: May 16, 2026
This Data Processing Agreement ("DPA") is entered into between the church, ministry, or organization using the AntiochCFM platform ("Data Controller" or "Customer") and Antioch Church Financial Management, LLC ("Data Processor" or "AntiochCFM"). This DPA supplements our Terms of Service and Privacy Policy.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed through the Service, including church member names, contact information, giving records, and financial data.
- "Data Controller" means the Customer (your church or organization) that determines the purposes and means of processing Personal Data.
- "Data Processor" means AntiochCFM, which processes Personal Data on behalf of the Data Controller.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
- "Data Breach" means any unauthorized access to, acquisition of, or disclosure of Personal Data.
2. Roles and Responsibilities
2.1 Data Controller (Customer)
As the Data Controller, you are responsible for:
- Ensuring you have a lawful basis for collecting and inputting Personal Data into the Service
- Obtaining any necessary consents from your church members before entering their data
- Determining the types and categories of data to be processed
- Responding to data subject access requests from your church members
- Complying with all applicable data protection laws in your jurisdiction
2.2 Data Processor (AntiochCFM)
As the Data Processor, AntiochCFM commits to:
- Processing Personal Data only as instructed by you and as necessary to provide the Service
- Not selling, renting, or sharing Personal Data with third parties for their own marketing purposes
- Not using Personal Data for any purpose other than providing the Service
- Implementing appropriate technical and organizational security measures
- Ensuring that personnel authorized to process Personal Data are bound by confidentiality obligations
- Assisting you in responding to data subject requests, where technically feasible
3. Categories of Data Processed
AntiochCFM processes the following categories of Personal Data on your behalf:
| Category | Examples |
|---|---|
| Identity Data | First name, last name |
| Contact Data | Email address, phone number, mailing address |
| Membership Data | Membership status, join date, notes |
| Financial Data | Donation amounts, fund categories, payment methods, expense records |
| Account Data | Login credentials (email, hashed password), authentication provider |
4. Sub-Processors
AntiochCFM uses the following sub-processors to deliver the Service. By agreeing to this DPA, you authorize the use of these sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription billing | United States |
| Google LLC | Authentication (Google SSO) and analytics | United States |
| Cloud Infrastructure Provider | Application hosting and database storage | United States |
We will notify you before adding or replacing any sub-processor. Each sub-processor is bound by contractual obligations that provide a level of data protection no less than that described in this DPA.
5. Security Measures
AntiochCFM implements the following technical and organizational measures to protect Personal Data:
- Encryption: All data in transit is encrypted using TLS 1.2 or higher. Database storage uses encryption at rest.
- Access Controls: Role-based access control ensures users only access data within their church. Multi-tenant data isolation prevents cross-organization access.
- Authentication: Passwords are hashed using bcrypt with appropriate salt rounds. Google SSO using OAuth 2.0 with PKCE is available as an optional sign-in method.
- Monitoring: Application and infrastructure monitoring for unauthorized access attempts and anomalies.
- Backups: Regular automated backups of application data to enable recovery.
6. Data Breach Notification
In the event of a Data Breach affecting your Personal Data, AntiochCFM will:
- Notify you without undue delay and no later than 72 hours after becoming aware of the breach
- Provide details of the nature of the breach, the categories and approximate number of records affected, and the likely consequences
- Describe the measures taken or proposed to mitigate the breach and prevent recurrence
- Cooperate with you and any supervisory authorities as required
7. Data Subject Rights
If AntiochCFM receives a request directly from one of your church members regarding their Personal Data (e.g., access, correction, or deletion), we will promptly redirect the individual to you, as the Data Controller. We will provide you with reasonable assistance to fulfill these requests, including:
- Exporting relevant data in a structured format upon your request
- Deleting specific records as instructed by you
- Correcting data as directed by you through the Service interface
8. Data Deletion and Return
- During the Term: You may delete data at any time through the Service interface.
- Upon Termination: Within 30 days of account cancellation, you may request a full export of your Customer Data. We will provide the data in CSV or JSON format.
- Post-Termination Deletion: After the 30-day retention period, all Customer Data will be permanently deleted from our active systems. Backup copies will be purged within 90 days.
9. Audits and Compliance
AntiochCFM will make available to you, upon reasonable request (no more than once per year), information necessary to demonstrate compliance with this DPA. This may include a summary of security measures, a description of data processing activities, and confirmation of sub-processor compliance.
10. International Data Transfers
All data processing occurs within the United States. If your church is located outside the United States, the transfer of Personal Data to the United States is governed by this DPA and the standard contractual clauses referenced herein. By using the Service, you consent to this transfer.
11. Duration and Termination
This DPA takes effect when you accept the Terms of Service and remains in effect for as long as AntiochCFM processes Personal Data on your behalf. The data protection obligations in this DPA survive termination of the Service agreement.
12. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of applicable data protection law to the extent such limitation is prohibited by law.
13. Contact
For questions or concerns about this Data Processing Agreement, contact our data protection team:
- Email: [email protected]
- Website: antiochcfm.com
