Legal
Data Processing Addendum
A plain-language summary of how EJAD processes personal data on your church's behalf, and who else touches it.
1. Purpose of this page
Most churches using EJAD are themselves responsible for personal data protection law compliance for their members — as the "data controller." This page summarizes the Data Processing Addendum ("DPA") terms under which EJAD acts as a "data processor" (or "service provider," under CCPA terminology) on your church's behalf. It's provided for transparency; churches that need a countersigned DPA — for example to satisfy a board policy, a denominational requirement, or cross-border transfer rules — can request one at privacy@ejad.app.
2. Roles
- Your church (Customer) is the data controller: it decides what personal data to collect from members, donors, volunteers, and guests, and why.
- EJAD is the data processor: we process that data only to provide the platform, following your instructions as configured in the app and our Terms of Service — never for our own independent purposes.
3. Subject matter, duration & purpose
Processing covers the personal data your church stores in EJAD (people, families, attendance, giving, communications, and related records) for the duration of your subscription, for the sole purpose of operating the church management platform you've subscribed to.
4. Categories of data subjects & data
Data subjects typically include church members, regular attenders, visitors, donors, volunteers, staff, and — where Kids Check-in is enabled — children, whose information is entered by a parent, guardian, or authorized staff member. Categories of data include contact and household information, attendance and group participation, donation and pledge history, volunteer scheduling, communications sent through the platform, and, for kids ministry, safety-relevant notes such as allergies and authorized pickup persons.
5. Subprocessors
EJAD uses a small set of well-known providers to operate the platform. We only share the minimum data each provider needs to perform its function, under contract.
We'll update this list and notify active customers by email at least 30 days before adding or replacing a subprocessor that materially changes how data is processed. If you object, contact privacy@ejad.app to discuss options.
6. International transfers & Latin America
EJAD's infrastructure and subprocessors operate primarily in the United States. If your church is located outside the U.S. — including in Latin America — and using EJAD involves transferring personal data of members or donors into the U.S., we make available a signed Data Processing Addendum with contractual safeguards appropriate for that transfer, comparable in spirit to GDPR Standard Contractual Clauses. Request one at privacy@ejad.app and we'll countersign it alongside your order form.
7. Security measures
Encryption in transit and at rest, role-based access control, optional two-factor authentication, daily backups, and audit logging — see the full detail on our Security page.
8. Sub-processing & deletion on termination
Subprocessors are bound by confidentiality and data protection obligations no less protective than this addendum. On termination of your subscription, we retain data for a limited export window and then delete or anonymize it, except where retention is required by law (e.g. financial records).
9. Requesting the full signed DPA
This page is a summary for transparency, not the executed legal agreement. Churches that need a countersigned DPA — including Standard Contractual Clauses-equivalent terms for cross-border transfers — can request one by emailing privacy@ejad.app; we typically turn these around within a few business days.
Need the signed
DPA on file?
We'll countersign it alongside your order form — no extra fee.