UK GDPR Art. 28. Data Processing Agreement

Data Processing Agreement

This is the standard agreement between ChurchLinker (Limelai Limited) and each church that uses the service. It supplements our Terms of Service and applies automatically to every paid plan from the date the customer accepts these terms or signs a counter-signed copy.

Need a counter-signed PDF for your church's records? Email dataprotection@churchlinker.com with your church name and we'll return one within one working day.

Version 1.0. Effective 10 May 2026. Replaces all previous versions.

1. The parties and definitions

This Data Processing Agreement ("DPA") is entered into between:

  • Limelai Limited, a company registered in England and Wales (Company number 16486216), trading as ChurchLinker, with registered office at 86-90 Paul Street, London, EC2A 4NE ("ChurchLinker", the "Processor"); and
  • The church or organisation that has opened a ChurchLinker account (the "Customer", the "Controller").

In this DPA, "UK GDPR" means the UK General Data Protection Regulation as defined in section 3(10) of the Data Protection Act 2018, read with the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", "Special Category Data", and "Personal Data Breach" have the meanings given in UK GDPR.

2. Roles

The Customer is the Data Controller of all personal data it (or its users) enters into ChurchLinker about its members, visitors, donors, volunteers, staff and any other individual. ChurchLinker is the Data Processor and processes such personal data only on the Customer's documented instructions, including with regard to international transfers, except where required by UK or EU law (in which case ChurchLinker will inform the Customer of that legal requirement before processing, unless that law prohibits such notification).

ChurchLinker is the Data Controller for the Customer's own administrator account information (name, email, role, billing information). That processing is governed by ChurchLinker's Privacy Policy, not this DPA.

3. Scope of Processing

ChurchLinker processes personal data on behalf of the Customer for the duration of the Customer's subscription, plus a 90-day grace period after termination, and only for the following purposes:

  • Providing the ChurchLinker service as described at churchlinker.com and the Customer's subscription plan;
  • Allowing the Customer's administrators and members to use the platform;
  • Generating service emails, SMS, or WhatsApp messages where configured by the Customer;
  • Producing analytics and reports for the Customer;
  • Detecting and preventing fraud, abuse, or security incidents;
  • Complying with applicable law (including HMRC's six-year retention rule for Gift Aid records);
  • Acting on the Customer's instructions in support of Data Subject rights (access, erasure, etc.).

The categories of Data Subject and types of personal data processed are described in the schedule at the end of this DPA.

4. Customer instructions

The Customer instructs ChurchLinker to process personal data: (a) as documented in this DPA, the Terms of Service, and the Customer's configuration of the platform; (b) as required to perform the service; and (c) as the Customer instructs in writing from time to time. If ChurchLinker believes an instruction infringes UK GDPR or other UK data protection law, it will inform the Customer without undue delay.

5. Confidentiality

ChurchLinker ensures that all personnel authorised to process personal data on the Customer's behalf are bound by appropriate confidentiality obligations and have received training on their data protection responsibilities.

6. Security measures (Art. 32)

ChurchLinker maintains the technical and organisational measures described at churchlinker.com/gdpr, which include without limitation:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256);
  • Application-level field encryption for sensitive free-text fields (prayer requests, visitor prayer needs, pastoral notes, allergies, medical notes), with per-church keys derived via HKDF;
  • Role-based access control with granular per-user permission flags and a tamper-evident audit log;
  • Daily encrypted backups with point-in-time recovery;
  • MFA-protected access to production systems, restricted to a minimum number of authorised personnel;
  • Annual security review;
  • Documented incident response and breach notification procedure.

ChurchLinker may update these measures from time to time, provided the updates do not reduce the overall level of protection.

7. Sub-processors

The Customer authorises ChurchLinker to engage the sub-processors listed at churchlinker.com/sub-processors (the "Sub-processor List"). ChurchLinker:

  • Will give at least 30 days' advance notice on the Sub-processor List before engaging a new Sub-processor or changing one materially;
  • Imposes obligations on each Sub-processor that are no less protective than those in this DPA;
  • Remains liable to the Customer for the acts and omissions of its Sub-processors as if they were its own.

The Customer may object to a new Sub-processor by emailing dataprotection@churchlinker.com within the 30-day notice period. If the parties cannot agree a resolution, the Customer may terminate the affected service with a pro-rata refund of any unused subscription fees.

8. International transfers

Personal data is hosted in the UK and EEA. Where a Sub-processor processes personal data outside the UK / EEA, ChurchLinker relies on one of the following transfer mechanisms (whichever is appropriate to the receiving country):

  • An adequacy regulation made by the UK Government under Art. 45 UK GDPR;
  • The UK International Data Transfer Addendum to the European Commission's Standard Contractual Clauses (UK IDTA);
  • The UK's standalone International Data Transfer Agreement.

Copies of executed transfer agreements are available on request.

9. Assistance with Data Subject rights

ChurchLinker provides the following self-service tools that satisfy most Data Subject rights without ChurchLinker's involvement:

  • Member-facing data export (Art. 15) from the member's own profile;
  • Admin-triggered data export for any member record;
  • Admin-triggered right-to-erasure flow that anonymises the Person record while preserving HMRC-mandated donation retention.

For any request that cannot be fulfilled through these tools, ChurchLinker will provide reasonable assistance to the Customer taking into account the nature of the processing and the information available.

10. Personal data breach notification

ChurchLinker will notify the Customer without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach affecting the Customer's personal data. The notification will include the information required by Art. 33(3) UK GDPR to the extent known at the time, with updates as the investigation progresses.

ChurchLinker will report Personal Data Breaches that meet the notification threshold to the ICO as the Processor of the affected data, where required, and will assist the Customer in fulfilling its own notification obligations under Art. 33 and Art. 34 UK GDPR.

11. Data Protection Impact Assessments & prior consultation

On request, ChurchLinker will provide reasonable assistance to the Customer with any Data Protection Impact Assessment (Art. 35 UK GDPR) or prior consultation with the ICO (Art. 36) relating to the Customer's use of the platform.

12. Audit and inspection

ChurchLinker will, upon reasonable written request and not more than once per twelve-month period, make available to the Customer the information necessary to demonstrate compliance with this DPA, including (at ChurchLinker's discretion) summary reports from ChurchLinker's most recent independent security assessments. The Customer may, at its own cost, conduct an audit of ChurchLinker's processing through a mutually agreed independent auditor, subject to reasonable confidentiality obligations and not unreasonably interrupting the service.

13. Return and deletion of personal data

On termination of the subscription, ChurchLinker will retain the Customer's personal data for a 90-day grace period. The Customer may export its data at any time during this window using the standard export tools or by request. After 90 days, ChurchLinker will:

  • Permanently delete personal data for which there is no continuing legal retention requirement;
  • Anonymise personal data subject to a continuing legal retention requirement (for example HMRC's six-year retention rule for Gift Aid records);
  • Delete or anonymise corresponding data held by Sub-processors, subject to their own retention obligations.

14. Liability

Each party's liability under or in connection with this DPA is subject to the limits set out in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited by law (including fraud, fraudulent misrepresentation, or death / personal injury caused by negligence).

15. Term

This DPA takes effect on the date the Customer first accepts the Terms of Service or signs a counter-signed copy, and remains in effect for as long as ChurchLinker processes personal data on the Customer's behalf.

16. Governing law

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.

Schedule 1. Description of processing

Subject matter

Processing of personal data by ChurchLinker as part of providing the ChurchLinker church-management service.

Duration

The duration of the Customer's subscription plus a 90-day grace period.

Nature and purpose

Storage, organisation, retrieval, transmission, and presentation of personal data through a multi-tenant SaaS platform; sending of transactional and pastoral communications on the Customer's instructions; reporting and analytics for the Customer.

Categories of Data Subject

  • The Customer's church members and regular attendees;
  • Visitors to the Customer's services and events;
  • Volunteers and rota team members;
  • Staff and lay leaders of the Customer;
  • Children of members, where the Customer chooses to register them;
  • Donors (whether members or third parties).

Types of personal data

  • Identity: name, date of birth, gender, marital status, photo (optional)
  • Contact: email, phone numbers, postal address, household relationships
  • Membership: join date, baptism date, membership status, group memberships
  • Financial: donations, Gift Aid declarations, payment references
  • Special Category Data (Art. 9): religious belief (implicit in church membership), prayer requests, pastoral notes, allergies, medical notes, safeguarding / DBS records, ethnic origin (optional)
  • Communications: emails / SMS / WhatsApp messages sent through the platform, two-way conversation history
  • Engagement and behaviour: event attendance, engagement scoring, automation enrolment status

Sub-processors

As listed at churchlinker.com/sub-processors, updated from time to time on 30 days' notice as set out in clause 7.

Need a counter-signed PDF for your records, or have a question about any clause?

dataprotection@churchlinker.com