Draft notice. This is an AI-drafted Data Processing Addendum. PrayerJar is not a law firm. Consult qualified legal counsel before relying on this document.

Data Processing Addendum

Document version: v1.1-2026-04-18

1. Parties

This Data Processing Addendum ("DPA") is entered into between:

  • Customer / Controller: the church, ministry, or nonprofit organization ("Church") that has an active subscription or contract with PrayerJar.
  • Processor: The Prayer Jar ("PrayerJar"), operated by its owner/operator of record.

This DPA supplements and forms part of the PrayerJar Terms of Service.

2. Purpose

PrayerJar processes personal data on behalf of the Church to provide the PrayerJar platform — a web and mobile prayer-community service including prayer request collection, pastoral-care workflows, member care notes, church prayer walls, and related notification features.

PrayerJar acts as a data processor with respect to Church personal data. The Church remains the data controller and determines the purposes and means of processing.

This DPA is intended to be compatible with:

  • EU General Data Protection Regulation (GDPR)
  • UK GDPR and Data Protection Act 2018
  • California Consumer Privacy Act / CPRA (to the extent applicable)
  • Other comparable data-protection regimes

3. Data categories processed

Personal data processed under this DPA may include:

  • Identifying data: name, email address, church role/membership
  • Authentication data: magic-link tokens, session cookies
  • User-generated content: prayer requests, testimonies, comments, pastoral notes, attached images or audio
  • Contact metadata: prayer interactions ("I prayed"), partnership requests
  • Device and usage data: IP address (limited retention), approximate country, browser/device type
  • ChMS-integrated data (opt-in per church). When a Church elects to connect a supported Church Management System (e.g., Planning Center), PrayerJar will process member rosters, contact details, and small-group membership imported from the ChMS via OAuth-scoped API access. PrayerJar may optionally push a weekly prayer-activity summary back to the ChMS person record (e.g., as a Note) when the Church enables that feature. No ChMS data is imported without the Church's explicit connection step, and the connection can be revoked by the Church at any time. See the Sub-processor List for the current ChMS integration partner(s).

Special-category / sensitive data. Prayer content frequently contains health, religious, familial, or other sensitive information. PrayerJar treats all prayer and pastoral-care content as sensitive pastoral data and does not use it for model training, advertising, or any secondary purpose.

4. Processing terms

PrayerJar will:

  1. Process personal data only on documented instructions from the Church, unless required by law.
  2. Ensure personnel authorized to process personal data are bound by confidentiality.
  3. Implement appropriate technical and organizational security measures including TLS, encryption at rest, access controls, and audit logs.
  4. Assist the Church in responding to data-subject requests (access, rectification, erasure, portability, restriction, objection).
  5. Notify the Church of any personal-data breach within 72 hours of becoming aware, where feasible.
  6. Make available information necessary to demonstrate compliance with this DPA.
  7. On termination, delete or return Church personal data as described in Section 9.

5. Sub-processors

The Church hereby authorizes PrayerJar to engage the sub-processors listed at /legal/subprocessors ("Sub-processor List").

PrayerJar will:

  • Maintain an up-to-date, public Sub-processor List.
  • Impose data-protection obligations on each sub-processor no less protective than those in this DPA.
  • Remain liable for its sub-processors' acts and omissions.
  • Provide the Church with at least 30 days' notice before adding a new sub-processor that processes Church personal data.

6. Data subject rights (DSAR)

PrayerJar will reasonably assist the Church in fulfilling its obligations to respond to data-subject requests, including access, deletion, and rectification. Standard response target: within 30 days of a verified request.

7. Breach notification

On becoming aware of a personal-data breach affecting Church data, PrayerJar will notify the Church's designated contact(s) within 72 hours, providing the nature of the breach, likely consequences, and measures taken or proposed.

8. Data location

PrayerJar currently hosts production workloads with Vercel (primary regions: United States) and stores primary data with Neon (United States). International transfers from the EEA, UK, or Switzerland are governed by the applicable Standard Contractual Clauses (SCCs).

9. Term and termination

This DPA takes effect upon Church acceptance and remains in effect for the duration of the Church's use of PrayerJar. On termination, PrayerJar will, within 30 days, return or delete all Church personal data, except where retention is required by applicable law.

10. Audit rights

No more than once per 12 months, and on at least 30 days' prior written notice, the Church may request reasonable information demonstrating compliance with this DPA.

11. Liability

Liability under this DPA is subject to the limitations of liability set out in the PrayerJar Terms of Service, except where applicable data-protection law prohibits such limitation.

12. Governing law

This DPA is governed by the governing-law and venue provisions of the PrayerJar Terms of Service, except to the extent applicable data-protection law of the Church's home jurisdiction requires otherwise.

13. Nonprofit compatibility

This DPA is drafted to be compatible with the operational realities of 501(c)(3) nonprofit organizations and other ministries. PrayerJar does not use Church data for advertising, resale, or AI-model training.

14. Order of precedence

If there is a conflict between this DPA and the PrayerJar Terms of Service or Privacy Policy, this DPA controls with respect to the processing of personal data.

Questions? Email legal@prayerjar.org.