Data Processing Agreement (DPA)

1. Parties

This Data Processing Agreement ("DPA") is entered into on the effective date (the date when the Controller purchases the services) between:

Flocklink ("Processor"), a company incorporated in England & Wales as Byte River Ltd, trading as Flocklink, Company Number: 14472223, Henleaze House Business Centre, 13 Harbury Road, Bristol, England, BS9 4PN.

The Church ("Controller"), who purchases Flocklink Church Management System.

2. Definitions

  • "Controller" means the Church that determines the purposes and means of the processing of Personal Data.
  • "Processor" means Flocklink, which processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation or set of operations performed on Personal Data.
  • "GDPR" means the EU General Data Protection Regulation (Regulation (EU) 2016/679).
  • "UK Data Protection Act 2018" means the UK legislation implementing the GDPR.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Default Instruction Set" means the documented processing instructions provided by the Processor and agreed to by the Controller as outlined in Appendix A.

3. Scope of Processing

3.1. Processor shall process Personal Data solely on documented instructions from the Controller, as specified in the Default Instruction Set (Appendix A) and the main service agreement dated [Date of Service Agreement] ("Services").

3.2. Any changes to the scope of processing or the documented instructions must be agreed to in writing and appended to this DPA. The Processor shall not be obliged to follow any instruction that it reasonably believes would violate applicable data protection laws.

3.3. Processing shall continue for the duration specified in the service agreement or until the termination of services, unless otherwise agreed.

4. Processor Obligations

4.1. Processor shall process Personal Data only in accordance with the Controller's documented instructions.

4.2. All individuals authorised to process Personal Data shall be bound by confidentiality obligations, either contractual or statutory.

4.3. Processor shall implement appropriate technical and organisational measures, including:

  • Encryption of Personal Data at rest and in transit.
  • Access controls, role-based permissions, and audit logs.
  • Disaster recovery and business continuity plans.
  • Regular security testing, including penetration testing and risk assessments.
  • Adherence to recognised security standards.

4.4. Processor shall assist the Controller in meeting its obligations under GDPR and the UK DPA 2018, including:

  • Responding to Data Subject access, rectification, erasure, and objection requests.
  • Conducting Data Protection Impact Assessments (DPIAs) where necessary.
  • Ensuring the accuracy of the data processed by implementing correction mechanisms as directed by the Controller.
  • Promptly forwarding any Data Subject requests received directly to the Controller within 3 working days.
  • Cooperating with the Controller in responding to such requests, provided the Controller supplies any necessary context or supporting information in a timely manner.

4.5. Processor shall notify the Controller without undue delay (and in any case within 48 hours) upon becoming aware of any Personal Data breach and shall assist in mitigation efforts.

4.6. Processor shall make available to the Controller all necessary information to demonstrate compliance with this DPA.

4.7. Processor shall allow for audits by the Controller or a mandated auditor. Audits must be requested with 30 days' written notice, limited to once per year unless triggered by a breach or regulator request. Immediate audits shall be permitted without notice in the event of a confirmed or suspected critical security breach, data loss incident, or regulatory investigation.

4.8. Processor may engage sub-processors only with prior written consent of the Controller. The Processor shall maintain a publicly accessible list of sub-processors and provide at least 30 days' notice before appointing any new sub-processor. The Processor shall impose the same data protection obligations on sub-processors as set out in this DPA. The Processor shall regularly monitor the compliance of sub-processors and reserves the right to audit sub-processors upon reasonable notice.

4.9. Upon termination of the agreement, Processor shall, at the Controller's choice, delete or return all Personal Data and delete all existing copies within 30 days unless storage is required by law. Processor shall confirm in writing the deletion of data.

4.10. Processor shall ensure that only the minimal amount of Personal Data necessary to fulfil the documented purposes is processed, in accordance with the principle of data minimisation.

5. Controller Obligations

5.1. The Controller warrants that it has a lawful basis for the transfer and processing of Personal Data. Where relying on legitimate interest, the Controller shall ensure that a Legitimate Interest Assessment (LIA) has been conducted and documented. The Processor may request a copy of the LIA where appropriate.

5.2. The Controller shall ensure that all processing instructions are lawful and comply with applicable data protection laws.

5.3. The Controller is responsible for managing and responding to Data Subject rights requests.

5.4. The Controller agrees to notify the Processor of any changes to its operations, practices, or organisational structure that may affect the processing of Personal Data under this DPA.

6. International Data Transfers

6.1. Processor shall not transfer Personal Data to any third country or international organisation without prior written consent of the Controller.

6.2. Where such transfers are necessary, Processor shall ensure they are conducted using legally approved safeguards including:

  • Standard Contractual Clauses (SCCs) issued by the European Commission;
  • UK International Data Transfer Agreement (IDTA);
  • Binding Corporate Rules, or other valid mechanisms recognised under applicable data protection law.

6.3. If a transfer is required by law, Processor shall inform the Controller prior to processing unless prohibited by law.

7. Liability

7.1. Each party shall be liable for its own breaches of this DPA and shall indemnify the other party for any damages, fines, or legal costs arising from such breach.

7.2. Where both parties are responsible for the harm caused by a breach, liability shall be apportioned according to the parties' respective responsibility. For example, if a breach occurs due to both the Controller's improper configuration and the Processor's technical failure, each party shall bear responsibility in proportion to their contribution to the breach.

8. Governing Law and Jurisdiction

8.1. This DPA shall be governed by and construed in accordance with the laws of England & Wales.

8.2. Any disputes shall be subject to the exclusive jurisdiction of the courts of England & Wales.

9. Changes to this Agreement

9.1. This DPA may only be amended by a written agreement signed by authorised representatives of both parties.

9.2. Both parties agree to update this DPA as needed to comply with future changes in data protection legislation, including regulations or guidance issued by relevant supervisory authorities.

10. Entire Agreement

10.1. This DPA, together with the main service agreement and Appendix A, constitutes the entire agreement relating to data processing between the parties.

Appendix A: Default Instruction Set

Types of Personal Data

Name, email address, phone number, address, date of birth, donation history, volunteer records, attendance logs.

Categories of Data Subjects

Church members, visitors, donors, volunteers, staff, event participants.

Purposes of Processing

Membership management, group and event registration, communications (email, SMS, app notifications), donation tracking, safeguarding, and reporting.

Duration of Processing

For the duration of the service agreement or until deletion is requested and confirmed.

Security Measures

As detailed in section 4.3.