This Data Processing Agreement ("DPA") forms part of the Terms & Conditions ("Principal Agreement") between:
CompassionCloud ("Processor," "Provider," "we," or "us")
and
The Church or Organization Using the CompassionCloud Platform ("Controller," "Church," "you," or "your").
This DPA governs how the Processor handles, stores, and processes data on behalf of the Controller.
1. Definitions
- "Processor" means CompassionCloud, the provider of the outreach management platform.
- "Controller" means the church or organization that inputs and manages data through the platform.
- "Personal Data" means any information relating to an identified or identifiable individual, entered by the Controller.
- "Processing" means any operation performed on Personal Data, such as storage, organizing, updating, or retrieval.
- "Subprocessors" means third-party service providers used by the Processor for hosting, email, or platform functionality.
2. Purpose of Processing
The Processor processes Personal Data solely to provide the CompassionCloud platform, including:
- Outreach case management
- Family need tracking
- Volunteer coordination
- Follow-up scheduling
- Reporting and analytics
- User account management
The Processor does not use Personal Data for marketing, profiling, or unrelated activities.
3. Responsibilities of the Controller (Church)
The Church acknowledges and agrees:
3.1 Sole Responsibility for Data Entered
The Controller is fully responsible for all Personal Data entered into the platform, including:
- Family details
- Volunteer information
- Addresses
- Case notes
- Photos or documents
- Follow-up interactions
3.2 Consent & Legality
The Controller is responsible for ensuring all data entry is lawful and that appropriate permissions are obtained when required.
3.3 Accuracy of Data
The Controller must ensure the data submitted is accurate and up to date.
3.4 No Regulated Data
The Controller agrees NOT to store:
- Social Security numbers
- Medical records
- Financial account numbers
- Government ID numbers
- Highly regulated or confidential legal documents
3.5 User Access Control
The Controller must:
- Limit access to authorized personnel
- Manage permissions responsibly
- Use strong passwords
- Notify the Processor of unauthorized account access
The Processor is not responsible for data breaches caused by user negligence.
4. Responsibilities of the Processor (CompassionCloud)
4.1 Processing Only on Instructions
The Processor will only process Personal Data as directed by the Controller and as required to operate the platform.
4.2 Security Measures
The Processor will implement and maintain commercially reasonable technical and organizational safeguards, including:
- Encrypted databases
- Secure hosting environments
- Access controls
- Regular system updates
- Data backups for service continuity
4.3 Subprocessors
The Processor may use trusted third parties for:
- Hosting
- Cloud storage
- Email delivery
- Payment processing
- System monitoring
A list of subprocessors is available upon request.
The Processor ensures all subprocessors are bound by similar data protection obligations.
4.4 Data Breach Notification
In the event of a confirmed platform-wide breach, the Processor will:
- Notify the Controller without undue delay
- Provide relevant details as available
- Assist the Controller in meeting legal obligations
The Processor is not responsible for breaches caused by weak user passwords, shared accounts, or unauthorized Church-side access.
5. Data Location
Data may be stored or processed in:
- The United States
- Data centers used by subprocessors
All data is governed by the laws of the State of Indiana.
6. Assistance to the Controller
Where applicable and reasonable, the Processor will assist the Controller with:
- Data access or export
- Correction or deletion of records
- Responding to legal data requests
Assistance does not include legal advice.
7. Data Retention & Deletion
Upon termination of the Church's account:
- The Church may request a data export
- The Processor may delete stored data after a defined retention period
- Backup copies may remain temporarily as part of standard server backups
Deletion is final and unrecoverable once completed.
8. Confidentiality
The Processor ensures that employees and subcontractors with access to Personal Data are:
- Bound by confidentiality obligations
- Trained on data protection practices
The Processor will never sell, rent, or disclose Personal Data for profit.
9. Limitation of Liability
To the fullest extent permitted by law:
- The Processor is not liable for decisions, actions, or outcomes resulting from church outreach activities
- The Processor is not liable for user-submitted data inaccuracies
- The Processor's total liability is limited to amounts paid by the Controller in the last 12 months
The Church agrees to indemnify the Processor for any claims arising from improper or unlawful data entry.
10. Governing Law
This DPA is governed by the laws of the State of Indiana.
Any disputes shall be resolved in Indiana courts.
11. Duration
This DPA remains in effect as long as:
- The Church uses the CompassionCloud platform, or
- Any Personal Data remains stored within the system.
12. Acceptance
By creating an account or checking the consent box during registration, the Controller acknowledges:
- They have read and understood this DPA
- They agree to its terms
- They are authorized to accept it on behalf of their organization