VestryVestry

Data Processing Agreement

Last updated: 13 June 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the church (the "Controller") and Shire Tech, operator of Vestry (the "Processor"), and applies whenever the Processor processes personal data on the Controller's behalf. It is intended to meet the requirements of Article 28 of the UK GDPR.

1. Roles

The Controller determines the purposes and means of processing the personal data it holds in Vestry. The Processor processes that data only on the Controller's documented instructions, which include the Controller's use of the service's features.

2. Subject matter and nature of processing

The processing covers the collection, storage, organisation and retrieval of church administration data for the purpose of operating the Vestry service. It continues for the duration of the agreement.

3. Categories of data and data subjects

  • Data subjects: church members, contacts, donors, volunteers, staff, group and event participants, and visitors.
  • Data: contact and household details, group and attendance records, giving and Gift Aid information, communications, and — where the church uses those modules — pastoral and safeguarding records, which may include special category data.

4. Processor obligations

  • Process personal data only on the Controller's instructions, unless required by law.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (see clause 6).
  • Assist the Controller, taking account of the nature of processing, in responding to data subject requests and in meeting its security, breach-notification and impact-assessment obligations.
  • At the Controller's choice, delete or return all personal data at the end of the service, and delete existing copies unless retention is required by law.
  • Make available information necessary to demonstrate compliance and allow for reasonable audits.

5. Sub-processors

The Controller authorises the Processor to engage sub-processors to deliver the service. Current sub-processors include Hetzner (EU hosting) and SMTP2GO (transactional email); where a church enables online giving, its own chosen payment provider acts under the church's arrangements. The Processor remains responsible for its sub-processors and will give notice of intended changes so the Controller may object.

6. Security

The Processor maintains measures including logical separation of each church's data, encryption of data in transit, access controls and role-based permissions, routine security updates, and daily encrypted backups. Measures are reviewed and improved over time.

7. International transfers

Personal data is hosted within the EU. The Processor will not transfer personal data outside the UK/EEA without an appropriate safeguard in place.

8. Personal data breaches

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and will provide information to help the Controller meet its own notification duties.

9. Contact

Matters relating to this DPA can be raised at support@shire-tech.co.uk.

This document is a plain-English template provided for transparency and should be reviewed by your own legal adviser before relying on it. Questions: support@shire-tech.co.uk.