Data Processing Agreement

Effective Date: April 14, 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between Climax Enterprises LLC (“Processor,” “we,” “us,” or “our”) and the subscribing organization (“Controller,” “you,” or “your”) for the provision of the SteepleOS platform and related services.

This DPA governs the processing of personal data by the Processor on behalf of the Controller and is designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), and other applicable data protection legislation.

This DPA is incorporated into and subject to the Terms of Service and the Privacy Policy. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set forth below, aligned with the definitions provided in the GDPR:

  • “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”), including but not limited to names, email addresses, phone numbers, demographic information, donation records, and attendance data.
  • “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • “Data Subject” means an identified or identifiable natural person whose Personal Data is processed under this DPA.
  • “Controller” means the subscribing organization that determines the purposes and means of the Processing of Personal Data.
  • “Processor” means Climax Enterprises LLC, which processes Personal Data on behalf of the Controller.
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

3. Scope and Purpose

The Processor processes Personal Data solely for the purpose of providing the SteepleOS platform and related services as described in the Terms of Service. The Processor shall not process Personal Data for any other purpose unless expressly instructed by the Controller in writing.

The categories of Data Subjects whose Personal Data may be processed under this DPA include:

  • Church members and congregants
  • Visitors and guests
  • Donors and financial contributors
  • Volunteers
  • Staff and employees of the Controller

The types of Personal Data processed may include:

  • Names (first, last, preferred)
  • Contact information (email addresses, phone numbers, mailing addresses)
  • Demographic information (date of birth, gender, family relationships)
  • Donation and giving records
  • Event attendance and check-in data
  • Group and ministry membership information
  • Communication history (emails, SMS messages sent through the platform)

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing unless prohibited by law.
  • Ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, as further described in Section 8 of this DPA.
  • Assist the Controller, taking into account the nature of the processing, in fulfilling the Controller’s obligation to respond to requests from Data Subjects exercising their rights under applicable data protection laws.
  • Upon termination of the service agreement, delete or return all Personal Data to the Controller at the Controller’s choice, and delete existing copies unless applicable law requires storage of the Personal Data.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable data protection laws.
  • Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting the Controller’s Personal Data.

5. Controller Obligations

The Controller shall:

  • Ensure that there is a lawful basis for the processing of Personal Data, whether by obtaining appropriate consent from Data Subjects, establishing legitimate interest, or relying on another lawful basis as defined under applicable data protection laws.
  • Provide the Processor with clear, documented instructions regarding the processing of Personal Data.
  • Be responsible for responding to requests from Data Subjects exercising their rights, with the assistance of the Processor as described in this DPA.
  • Maintain records of processing activities as required by applicable data protection laws.
  • Ensure compliance with all applicable data protection laws in connection with its use of the SteepleOS platform and its instructions to the Processor regarding the processing of Personal Data.
  • Notify the Processor promptly of any changes in data protection legislation that may affect the Processor’s obligations under this DPA.

6. Sub-processors

The Controller hereby provides general written authorization for the Processor to engage Sub-processors for the processing of Personal Data. The following Sub-processors are currently engaged:

Sub-processor | Purpose                          | Location
Supabase      | Database hosting and management | United States
Stripe        | Payment processing              | United States
Resend        | Email delivery                  | United States
Twilio        | SMS delivery                    | United States
Cloudflare    | CDN and security services       | United States

The Processor shall notify the Controller at least thirty (30) days prior to engaging any new Sub-processor or replacing an existing Sub-processor. The Controller may object to the appointment of a new Sub-processor within fourteen (14) days of receiving such notice. If the Controller objects on reasonable grounds related to data protection, the Processor shall work with the Controller to find a mutually acceptable resolution. If no resolution can be reached, the Controller may terminate the affected services without penalty.

The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA.

7. International Transfers

Personal Data processed under this DPA is stored and processed in the United States. The Processor has implemented appropriate safeguards to ensure that international transfers of Personal Data comply with applicable data protection laws.

Where required by applicable law, the Processor will enter into Standard Contractual Clauses (SCCs) approved by the European Commission for the transfer of Personal Data from the European Economic Area or the United Kingdom to the United States. Copies of the applicable SCCs are available upon request.

The Processor shall promptly inform the Controller if, in the Processor’s opinion, any instruction regarding international data transfers infringes applicable data protection laws.

8. Security Measures

The Processor implements and maintains the following technical and organizational security measures to protect Personal Data:

  • Encryption at Rest: All Personal Data stored in databases is encrypted using AES-256 encryption.
  • Encryption in Transit: All data transmitted between the platform and users is protected using TLS 1.2 or higher.
  • Multi-tenant Data Isolation: Each organization’s data is logically isolated to prevent unauthorized cross-tenant access.
  • Role-Based Access Control (RBAC): Access to Personal Data within the platform is governed by granular, role-based permissions.
  • Audit Logging: All access to and modifications of Personal Data are logged for audit and compliance purposes.
  • Regular Security Assessments: Periodic vulnerability assessments and security reviews are conducted to identify and remediate potential risks.
  • Employee Background Checks: Personnel with access to Personal Data undergo background checks as part of the hiring process.
  • Incident Response Procedures: A documented incident response plan is maintained and tested to ensure rapid and effective response to security events.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller.

The notification shall include, to the extent reasonably available at the time of notification:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects affected.
  • The categories and approximate number of Personal Data records concerned.
  • A description of the likely consequences of the Data Breach.
  • A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. The Processor shall also assist the Controller in fulfilling its obligations to notify supervisory authorities and affected Data Subjects where required by applicable law.

10. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including:

  • Right of Access: The right to obtain confirmation of whether Personal Data is being processed and to access such data.
  • Right to Rectification: The right to have inaccurate Personal Data corrected without undue delay.
  • Right to Erasure (Right to Be Forgotten): The right to have Personal Data erased under certain circumstances.
  • Right to Restriction of Processing: The right to restrict the processing of Personal Data under certain circumstances.
  • Right to Data Portability: The right to receive Personal Data in a structured, commonly used, and machine-readable format.
  • Right to Object: The right to object to processing of Personal Data under certain circumstances, including processing for direct marketing purposes.

The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to such request without the Controller’s prior written authorization, unless required to do so by applicable law.

11. Audit Rights

The Controller, or an independent third-party auditor appointed by the Controller, may audit the Processor’s compliance with this DPA. The following conditions apply to any such audit:

  • The Controller shall provide at least thirty (30) days’ written notice prior to any audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor’s operations.
  • All costs and expenses of the audit shall be borne by the Controller.
  • The Controller shall be entitled to conduct no more than one audit per twelve-month period, unless a Data Breach has occurred or a supervisory authority requires an additional audit.
  • The auditor shall be bound by appropriate confidentiality obligations.

The Processor shall cooperate with the Controller during any audit and shall make available all information, systems, and personnel reasonably necessary to verify compliance with this DPA.

12. Term and Termination

This DPA shall remain in effect for the duration of the service agreement between the Controller and the Processor. This DPA shall automatically terminate upon the termination or expiration of the service agreement.

Upon termination of the service agreement, the Processor shall, at the Controller’s written election:

  • Return: Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or
  • Delete: Securely delete all Personal Data and certify such deletion in writing to the Controller.

The Processor shall complete the return or deletion of Personal Data within ninety (90) days of termination. Copies of Personal Data retained in backup systems shall be purged within one hundred eighty (180) days of termination, unless retention is required by applicable law.

The obligations of the Processor with respect to confidentiality and data protection shall survive the termination of this DPA.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Georgia, United States of America, without regard to its conflict of law provisions, consistent with the governing law provisions of the Terms of Service.

To the extent that any provision of this DPA conflicts with mandatory provisions of applicable data protection laws (including the GDPR), the applicable data protection law shall prevail.

14. Contact

For questions, concerns, or requests related to this Data Processing Agreement, please contact us at:

Climax Enterprises LLC

Data Processing Inquiries: dpa@steepleos.com

General Legal: legal@steepleos.com

By using SteepleOS, you acknowledge that you have read and understood this Data Processing Agreement and agree to its terms as part of your service agreement with Climax Enterprises LLC.