
Sub-processors

Every third-party service that processes data on ChurchLinker's behalf, what they do, where they're located and the safeguards in place. Last updated 10 May 2026.

We give 30 days' notice before adding a new sub-processor. Material changes are also notified by email to active customers.

A "sub-processor" is any third party that processes personal data on ChurchLinker's behalf. Each one below has signed a Data Processing Agreement with ChurchLinker that meets UK GDPR Art. 28 requirements. Where the sub-processor is outside the UK / EEA, an appropriate transfer mechanism is in place (UK IDTA appended to the European Commission's Standard Contractual Clauses).

Vercel, Inc.

Required: Always

Their DPA →
Purpose
Application hosting, serverless compute, scheduled jobs (cron)
Data categories
Application traffic in transit; ephemeral request data; runtime logs (no member personal data is persisted on Vercel itself)
Location
Global edge network. Production functions configured to run in UK / EEA regions where supported.
Transfer mechanism
UK IDTA + Standard Contractual Clauses
Certifications
SOC 2 Type II, ISO 27001, PCI DSS

Supabase, Inc.

Required: Always

Their DPA →
Purpose
PostgreSQL database, file storage (audio, photos, documents)
Data categories
All ChurchLinker member and tenant data at rest, including encrypted free-text fields; Supabase cannot decrypt the application-level encrypted columns.
Location
Hosted on AWS in the EU (eu-west-2 / eu-west-1).
Transfer mechanism
Data resident in UK/EEA. Sub-processor (AWS) UK IDTA in place.
Certifications
SOC 2 Type II, HIPAA-eligible

Clerk, Inc.

Required: Always

Their DPA →
Purpose
User authentication, sessions, password reset, MFA
Data categories
Email, hashed password (or OAuth tokens), name, IP, session metadata. No church member data.
Location
United States
Transfer mechanism
UK IDTA + Standard Contractual Clauses
Certifications
SOC 2 Type II, CCPA

Stripe Payments UK Ltd

Required: Always

Their DPA →
Purpose
Payment processing for subscriptions and donations
Data categories
Transaction amount, payer email, last-4 of card, billing postcode. No full card numbers stored by ChurchLinker.
Location
Stripe entity is UK-based; some processing in the US.
Transfer mechanism
UK Adequacy Regulations apply (Stripe is certified). Where processing crosses borders, UK IDTA + SCCs apply.
Certifications
PCI DSS Level 1, SOC 1 Type II, SOC 2 Type II

Resend, Inc.

Required: Always

Their DPA →
Purpose
Transactional email delivery (welcome emails, receipts, notifications)
Data categories
Recipient email, sender info, message subject and body of the specific email being delivered. Retained 30 days.
Location
United States
Transfer mechanism
UK IDTA + Standard Contractual Clauses
Certifications
SOC 2 Type II

Twilio Inc.

Required: Plan-dependent

Their DPA →
Purpose
SMS and WhatsApp delivery (only if church enables)
Data categories
Recipient phone, message body, delivery status. Retained per Twilio retention policy (typically 13 months).
Location
United States, with EU regional routing for EU recipients
Transfer mechanism
UK IDTA + Standard Contractual Clauses
Certifications
SOC 2 Type II, ISO 27001

Meta Platforms, Inc. (WhatsApp Business)

Required: Plan-dependent

Their DPA →
Purpose
WhatsApp Business API delivery (alternative to Twilio for WhatsApp)
Data categories
Recipient phone, message body, delivery status
Location
Ireland (EU operations); some transfer to US under SCCs.
Transfer mechanism
UK IDTA + Standard Contractual Clauses
Certifications
ISO 27001, ISO 27018

OpenAI, L.L.C.

Required: Plan-dependent

Their DPA →
Purpose
AI features: sermon transcription and Q&A, pastoral summaries, message drafting, duplicate detection
Data categories
The minimum text necessary for the requested feature. ChurchLinker enforces a no-train flag in every API call. OpenAI retains API request logs for 30 days for abuse prevention, not for training.
Location
United States
Transfer mechanism
UK IDTA + Standard Contractual Clauses. OpenAI Enterprise / Business tier API agreement prohibits training on customer data.
Certifications
SOC 2 Type II

Cloudflare, Inc.

Required: Always

Their DPA →
Purpose
Bot protection (Turnstile) on public-facing forms (visitor cards, contact)
Data categories
Browser fingerprint signal and IP address from form submissions, used solely to detect automated abuse. Not retained beyond verification.
Location
Global edge network
Transfer mechanism
UK IDTA + Standard Contractual Clauses
Certifications
SOC 2 Type II, ISO 27001

Ideal Postcodes

Required: Optional

Their DPA →
Purpose
UK postcode and address autocomplete
Data categories
Postcode and address strings entered into the address-lookup widget. Anonymous; no persistent identifier.
Location
United Kingdom
Transfer mechanism
UK-resident; no transfer.
Certifications
ISO 27001

ElevenLabs, Inc.

Required: Plan-dependent

Their DPA →
Purpose
Text-to-speech audio generation for the optional Communication Pack feature
Data categories
Text content of notices that the church chooses to convert to audio. No member personal data unless the church explicitly includes it in a notice.
Location
United States
Transfer mechanism
UK IDTA + Standard Contractual Clauses
Certifications
SOC 2 Type II

Want to object to a sub-processor?

If your church needs a specific sub-processor disabled (for example you don't want any AI features and therefore object to OpenAI being engaged), email dataprotection@churchlinker.com and we'll help. Optional sub-processors can be disabled per tenant from Settings → Integrations.
