Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Sendifai Limited ("Processor") and the customer ("Controller") for the provision of the Sendifai platform and services ("Services").

This DPA is entered into pursuant to the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the UK Data Protection Act 2018 (collectively, "Data Protection Legislation").

By using the Services, the Controller agrees to this DPA. This DPA supplements and is incorporated into the Terms of Service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Art. 4(1) UK GDPR / EU GDPR.

"Processing" means any operation performed on Personal Data, as defined in Art. 4(2) UK GDPR / EU GDPR.

"Data Subject" means the individual to whom Personal Data relates.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope of Processing

2.1 Subject Matter and Duration

The Processor will process Personal Data for the duration of the Controller's use of the Services, unless otherwise agreed in writing.

2.2 Nature and Purpose of Processing

The Processor processes Personal Data to provide the Services, including:

• Storing and managing contact lists and CRM records
• Sending email campaigns, SMS messages, WhatsApp messages, and push notifications on behalf of the Controller
• Tracking message delivery, opens, clicks, bounces, and unsubscribes
• Processing automation workflows and triggered communications
• Managing pastoral care records, prayer requests, and care cases
• Managing family and household relationships between contacts
• Managing group memberships, attendance, and engagement data
• Providing AI-powered content generation and assistant features
• Providing analytics, reporting, and data export functionality

2.3 Types of Personal Data

Depending on the Controller's use of the Services, the following types of Personal Data may be processed:

• Contact identity data: names, titles, date of birth, gender
• Contact information: email addresses, phone numbers, physical addresses
• Organisational data: group memberships, roles, tags, custom fields
• Family and relationship data: household relationships, family members, marital status
• Engagement data: email opens, clicks, campaign interactions, attendance records
• Pastoral and care data: care case records, pastoral notes, prayer requests, life events
• Communication data: message content, campaign metadata, consent records, unsubscribe history
• AI interaction data: prompts submitted to AI features and generated outputs

2.4 Categories of Data Subjects

• Contacts, members, subscribers, and constituents of the Controller
• Families and households of the Controller's contacts
• Donors, supporters, and beneficiaries (for charitable organisations)
• Employees and volunteers of the Controller (where uploaded to the Platform)

3. Processor Obligations

The Processor shall:

3.1 Process Personal Data only on documented instructions from the Controller, unless required to do so by law. If the Processor is required by law to process Personal Data, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

3.2 Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit (TLS) and at rest
• Row-level security ensuring each Controller's data is isolated
• Authentication and access controls
• Regular testing and evaluation of security measures
• Error monitoring and incident detection
• Documented incident response procedures

3.4 Not engage another processor (Sub-processor) without prior written authorisation from the Controller, subject to Section 6.

3.5 Assist the Controller, taking into account the nature of processing, in fulfilling the Controller's obligation to respond to Data Subject requests under Chapter III of the UK GDPR / EU GDPR.

3.6 Assist the Controller in ensuring compliance with obligations relating to security of processing (Art. 32), notification of Personal Data Breaches to the supervisory authority (Art. 33), communication of breaches to Data Subjects (Art. 34), and data protection impact assessments (Art. 35 and 36).

3.7 At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless storage is required by applicable law. The Controller has 30 days after termination to export data; after this period, data will be deleted.

3.8 Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.

4. Controller Obligations

The Controller shall:

4.1 Ensure that it has a lawful basis for processing under Data Protection Legislation and that all necessary consents have been obtained or other lawful bases apply.

4.2 Provide processing instructions to the Processor that comply with Data Protection Legislation.

4.3 Ensure the accuracy and quality of Personal Data uploaded to the Platform.

4.4 Comply with its obligations under Data Protection Legislation, including responding to Data Subject requests and notifying supervisory authorities of breaches where required.

4.5 Be responsible for determining appropriate retention periods for Personal Data and instructing the Processor accordingly.

5. Personal Data Breach Notification

5.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Controller's data.

5.2 The notification shall include, to the extent available:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
• The name and contact details of the Processor's data protection contact
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach

5.3 The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

6. Sub-processors

6.1 The Controller provides general written authorisation to the Processor to engage Sub-processors. The current list of Sub-processors is:

6.2 The Processor shall notify the Controller of any intended changes to Sub-processors (additions or replacements) at least 14 days before the change takes effect, giving the Controller the opportunity to object.

6.3 If the Controller objects to a new Sub-processor on reasonable data protection grounds, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected Services without penalty.

6.4 The Processor shall impose data protection obligations equivalent to those in this DPA on each Sub-processor by way of a written agreement.

6.5 The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

7. International Data Transfers

7.1 The Processor shall not transfer Personal Data outside the United Kingdom or European Economic Area unless appropriate safeguards are in place in accordance with Chapter V of the UK GDPR / EU GDPR.

7.2 For transfers to Sub-processors outside the UK/EEA, the Processor relies on:

• UK International Data Transfer Agreements (IDTAs)
• EU Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor) and Module 3 (Processor to Sub-processor) as applicable
• Supplementary technical measures (encryption in transit and at rest)

7.3 The Processor shall conduct Transfer Impact Assessments where required by applicable guidance.

8. Audit Rights

8.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.

8.2 The Controller may conduct an audit of the Processor's compliance, subject to reasonable notice (not less than 30 days), during business hours, and no more than once per calendar year unless a Personal Data Breach has occurred or a supervisory authority requires an audit.

8.3 The Controller shall bear the costs of any audit. Audits shall not unreasonably disrupt the Processor's operations.

9. AI Processing

9.1 Where the Controller uses AI features within the Platform, Personal Data contained in prompts may be transmitted to AI Sub-processors (OpenAI and Anthropic) for the purpose of generating outputs.

9.2 AI Sub-processors are contractually prohibited from using the Controller's data to train, improve, or develop their models.

9.3 AI-generated outputs are returned to the Controller and are treated as the Controller's Content. The Controller is responsible for reviewing AI outputs for accuracy before use.

9.4 The Controller should consider whether a Data Protection Impact Assessment is required for its use of AI features, particularly where processing involves automated decision-making or profiling.

10. Term and Termination

10.1 This DPA comes into effect when the Controller begins using the Services and remains in effect for the duration of the Controller's use of the Services.

10.2 Upon termination of the Services:

• The Controller has 30 days to export Personal Data using the Platform's export tools
• After 30 days, the Processor shall delete all Personal Data unless retention is required by applicable law
• The Processor shall confirm deletion in writing upon request

10.3 Obligations under this DPA that by their nature should survive termination shall survive, including confidentiality, liability, and audit provisions.

11. Liability

11.1 Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

11.2 Nothing in this DPA limits either party's liability for breaches of Data Protection Legislation to the extent such limitation is not permitted by law.

12. Governing Law

12.1 This DPA is governed by the laws of England and Wales.

12.2 Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact