Data Processing Addendum

Last updated 5 May 2026

Sets out the obligations Pastor HQ accepts when processing personal data on behalf of customer churches under the Australian Privacy Act, the GDPR, and the UK GDPR.

This Data Processing Addendum ("DPA") forms part of the Customer Agreement between Pastor HQ and the customer church ("Customer") and applies whenever Pastor HQ processes personal data on Customer's behalf. By using Pastor HQ's services, Customer accepts this DPA. If your jurisdiction requires a counter-signed DPA, request one at privacy@pastorhq.com.

1. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person processed under the Customer Agreement.
  • Sensitive / Special Category Data: information about religious belief, religious affiliation, attendance at religious services, donations to a religious organisation, health, sexual orientation, ethnic origin, or other categories defined as sensitive under applicable law.
  • Controller and Processor: as defined in the GDPR / UK GDPR. Customer is the Controller; Pastor HQ is the Processor.
  • Subprocessor: any third party Pastor HQ engages to process Personal Data on its behalf.
  • Sub-processing Schedule: the live list at pastorhq.com/legal/subprocessors.

2. Roles and scope

Customer is the Controller of Personal Data it (or its members and attenders) provides to Pastor HQ. Pastor HQ acts as Processor and processes Personal Data only:

  • To deliver the services described in the Customer Agreement.
  • On documented instructions from Customer (the Customer Agreement and configured settings within the platform are documented instructions).
  • As required by Australian, UK, or EU law — in which case Pastor HQ will notify Customer first unless that notice itself is prohibited.

3. Customer obligations

Customer warrants that it has the lawful basis (consent, contract, legitimate interests, etc.) to provide each category of Personal Data to Pastor HQ, including any Sensitive Data. Customer is responsible for the accuracy of the data it provides and for ensuring that data subjects' rights notices are appropriate.

4. Pastor HQ obligations

4.1 Confidentiality

Every Pastor HQ employee or contractor with access to Personal Data is bound by a written confidentiality undertaking and receives privacy and security training before being given access.

4.2 Security

Pastor HQ implements appropriate technical and organisational measures including those described in the Annex (Security Measures) and at pastorhq.com/legal/security. ChMS credentials and webhook secrets are envelope-encrypted under AWS KMS keys. Donation information is gated behind multi-factor authentication enforced at the database row level.

4.3 Subprocessors

Customer authorises Pastor HQ to engage the Subprocessors listed in the Sub-processing Schedule. Pastor HQ will:

  • Require each Subprocessor to provide at least the same level of data protection as this DPA.
  • Remain liable to Customer for the performance of every Subprocessor.
  • Give Customer at least 30 days' notice before adding or replacing a Subprocessor. During that window, Customer may object on reasonable data-protection grounds and terminate the affected services for a pro-rata refund if Pastor HQ cannot offer a mutually acceptable alternative.

4.4 Data subject requests

Pastor HQ provides Customer with self-service tools to access, correct, export, and delete Personal Data. Where a data subject contacts Pastor HQ directly, Pastor HQ will redirect the request to Customer where appropriate or otherwise assist Customer in responding within the timelines required by applicable law.

4.5 Personal data breach

Pastor HQ will notify Customer without undue delay (and in any event within 72 hours of becoming aware) of any breach of Personal Data on its systems, providing the information Customer needs to meet its own notification obligations to regulators and data subjects.

4.6 International transfers

Pastor HQ's primary infrastructure is in Australia (Sydney). Where Personal Data is transferred to Subprocessors operating outside the originating jurisdiction, Pastor HQ relies on Standard Contractual Clauses, the UK International Data Transfer Addendum, or other approved mechanisms.

4.7 Audit

Pastor HQ will respond promptly to Customer's reasonable enquiries about its compliance with this DPA. Customer may request copies of Pastor HQ's most recent third-party security attestations. On-site audits are limited to once per twelve months on at least 30 days' notice, scoped to verifying compliance, and at Customer's expense.

5. Deletion / return of data

On termination or expiry, Pastor HQ will (at Customer's choice) delete or return all Personal Data it processes for Customer within 30 days, and certify deletion if asked. Backup copies are purged within 35 days. Where retention is required by Australian law (for example, billing records for tax purposes), the retained data remains protected by this DPA.

6. Liability

Each party's liability under this DPA is subject to the exclusions and limitations set out in the Customer Agreement. Nothing in this DPA limits a data subject's right to compensation under applicable law.

7. Conflict

In any conflict between this DPA and the Customer Agreement, this DPA prevails for matters relating to the processing of Personal Data.

Annex — Security Measures

A summary; the live document lives at pastorhq.com/legal/security.

  • Encryption: TLS 1.2+ in transit; AES-256 at rest. Envelope encryption with AWS KMS keys for ChMS credentials and webhook secrets, with EncryptionContext binding payloads to the owning church.
  • Access control: row-level security on every tenant table, two roles (member and super_admin), and AAL2 (multi-factor) required for every read or write of donation information.
  • Audit logging: every access to Personal Data is logged with actor, action, resource, and timestamp. Logs are retained for 12 months.
  • Network: production traffic terminated behind Vercel's edge; database access is gated by row-level security; admin access requires SSO.
  • Backups: encrypted, cross-region for redundancy, rotated on a 35-day schedule.
  • Incident response: documented playbooks; on-call rotation; 72-hour notification commitment.
  • Personnel: confidentiality agreements, background checks where lawful, and annual privacy and security training.

Annex — Description of processing

  • Subject matter: provision of Pastor HQ's church management dashboard services.
  • Duration: the term of the Customer Agreement plus the retention windows described in Section 5.
  • Nature and purpose: synchronising data from connected church management systems; rendering reports and dashboards; powering opt-in features (e.g. AI summaries).
  • Categories of data subjects: pastors, staff, members, attenders, visitors, household contacts, donors.
  • Categories of Personal Data: contact details, household relationships, attendance and check-in records, donation history, group memberships, custom fields the Customer maintains in its source ChMS.
  • Sensitive Data: religious affiliation and attendance at religious services (inherent to the service); donations to a religious organisation; data about children where collected by Customer; health information only where the Customer's ChMS captures it.

This DPA is a template suitable for most Customer Agreements. If your organisation requires a signed copy or modified terms (e.g. specific country addenda, additional jurisdictions), contact privacy@pastorhq.com.