
DPA

The DPA (Data Processing Agreement) is the contract that documents how Ministrium processes personal data on the church’s behalf. It is required by GDPR (Art. 28) when a European church contracts Ministrium, and recommended in any jurisdiction that recognizes the distinction between data controller and processor.

When to request the DPA

We recommend signing the DPA when:

  • The church operates in the European Union, United Kingdom, or Switzerland (GDPR).
  • The church operates in Brazil (LGPD).
  • The church operates in Mexico and handles data of European data subjects (LFPDPPP + GDPR).
  • The church is a denomination with international presence.
  • The church’s legal counsel requires it as best practice.

For churches in the USA with local membership only, the BAA under HIPAA covers what’s needed for health data; the DPA is complementary but not mandatory.

What the DPA includes

Ministrium’s standard DPA documents:

Definitions and roles

  • Church = controller.
  • Ministrium = processor.
  • Covered data, processing purposes, and duration.

Processor obligations

  • Process data only following the church’s documented instructions.
  • Ensure the confidentiality of personnel with data access.
  • Implement appropriate technical and organizational measures (described in Encryption, MFA, and Audit).
  • Assist the church in responding to data subject and supervisory authority requests.
  • Notify the church of personal data breaches within 72 hours.
  • Return or delete data at the end of the contract.

Authorized subcontractors

List of subprocessors with their role, processing location, and guarantees:

Subcontractor       Role                           Location             Guarantee
Replit              Hosting, secrets, deployment   USA                  DPA + SCCs
Neon                PostgreSQL database            USA (multi-region)   DPA + SCCs
Cloudflare          CDN, DDoS, certificates        Global               DPA + SCCs
Stripe              Donation processing            USA + global         DPA + SCCs + PCI-DSS
SendGrid (Twilio)   Transactional email            USA                  DPA + SCCs
Twilio              WhatsApp Business and SMS      USA + global         DPA + SCCs

We notify contracting churches at least 30 days in advance of any change in the list of subcontractors.

International transfers

  • Standard Contractual Clauses (SCCs) of the European Commission attached for transfers outside the EEA.
  • Transfer impact assessment (TIA) available under NDA.
  • Binding Corporate Rules equivalent with subcontractors that have them.

Audits

  • The church has the right to audit Ministrium’s compliance once a year, with 30 days’ prior notice.
  • Instead of an on-site audit, the church can accept the SOC 2 Type II report as evidence. See SOC 2.

Return and deletion at the end of the contract

  • Upon contract termination, the church can request a full data export in CSV or JSON.
  • 30 days after the end of the contract, all of the church’s personal data is deleted from operational systems.
  • Backups containing deleted data are purged in their next rotation cycle (maximum 90 days after).
  • The audit of the process is delivered to the church.

How to request the DPA

  1. Write to legal@ministrium.com from an institutional email, indicating:
    • Legal name of the church.
    • Primary jurisdiction and, if applicable, additional relevant jurisdictions.
    • Contact person for legal matters.
  2. You’ll receive the standard template in Spanish or English within 3 business days.
  3. If your legal counsel proposes modifications, we review and respond. Reasonable modifications are accepted; those that materially change obligations are discussed.
  4. Qualified electronic signature (eIDAS) or wet signature, depending on preference.
  5. Retroactive validity to the start of the subscription if requested.

Ministrium’s standard template has been reviewed by legal counsel in the USA, Mexico, and the European Union. For most churches, signing it without modifications is the fastest and safest path.

Difference between DPA, BAA, and SCCs

  • DPA: general framework under GDPR, LGPD, LFPDPPP. Applies to personal data processing in general.
  • BAA: specific to HIPAA (USA) when processing Protected Health Information (PHI). See HIPAA.
  • SCCs: European Commission’s standard clauses for international transfers outside the EEA. Attached to the DPA.

A church may need all three depending on its profile. Most need only DPA + SCCs.

Next steps

  • GDPR and LGPD — the regulatory framework that supports the DPA.
  • HIPAA — for churches in the USA with health data.
  • SOC 2 — the attestation backing the controls documented in the DPA.
  • legal@ministrium.com — direct contact to request the DPA.