Holy ResourceHoly Resource
Legal

Data Processing Addendum

Terms that apply when Found CTRL processes Church Data on your behalf.

When This Applies

This DPA applies only where Found CTRL processes personal data on your behalf in connection with Holy Resource's connected or hosted features. If your deployment is fully local and no Church Data leaves your environment, this DPA may not apply to that local-only processing.

This Data Processing Addendum ("DPA") forms part of the Holy Resource Terms of Service and applies between Found CTRL Limited ("Found CTRL," "Processor," "we," "us," or "our") and the customer organization using Holy Resource ("Customer," "Controller," "you," or "your") where Found CTRL processes personal data on your behalf.

Found CTRL Limited is a company registered in England and Wales (company no. 17079973).

This DPA is intended to support compliance with applicable data protection laws, including the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU GDPR and other substantially similar privacy laws that govern the processing covered by the Agreement.

1. Definitions

In this DPA:

  • "Agreement" means the Holy Resource Terms of Service and any related order, license, or written agreement governing your use of the Services.
  • "Church Data" means personal data and other records that you or your authorized users input, upload, sync, transmit, or otherwise make available through Holy Resource for your own ministry, administrative, or operational purposes.
  • "Controller" means the entity that determines the purposes and means of processing personal data.
  • "Processor" means the entity that processes personal data on behalf of a Controller.
  • "Subprocessor" means a third party engaged by Found CTRL to process personal data on behalf of the Customer.
  • "Data Protection Laws" means the privacy and data protection laws applicable to the processing covered by this DPA.

Capitalized terms not defined here have the meanings given in the Agreement.

2. Role of the Parties

The parties acknowledge that:

  • you act as Controller for Church Data processed through Holy Resource for your church, ministry, nonprofit, or organization;
  • Found CTRL acts as Processor only to the extent we process that Church Data on your behalf through connected or hosted Holy Resource features;
  • Found CTRL acts as an independent Controller for data we process for our own business purposes, such as account management, licensing, billing, fraud prevention, security logging, support administration, and legal compliance;
  • this DPA does not convert Found CTRL into a Processor for data that remains exclusively within your own local environment and is never processed by us or our subprocessors.

3. Scope of Processing

This DPA applies only to processing that Found CTRL performs on your behalf in connection with the Services, including where applicable:

  • license activation, validation, entitlement, owner verification, invite, and recovery workflows;
  • update delivery, release metadata access, and related operational security flows;
  • optional sync relay or server-backed synchronization features that process Church Data through Found CTRL-managed services;
  • support or troubleshooting workflows where you ask us to review logs, diagnostics, or submitted records;
  • optional communication, AI, automation, or other connected features to the extent requests are routed through Found CTRL-managed infrastructure.

This DPA does not apply to:

  • personal data processed solely within your local Holy Resource installation without transmission to Found CTRL or our subprocessors;
  • third-party providers you configure directly and use independently, such as your own SMTP server, payment gateway account, AI provider account, or externally hosted sync target, except where Found CTRL is itself in the processing chain;
  • data that Found CTRL processes as an independent Controller under the Agreement or our Privacy Policy.

4. Customer Instructions

Found CTRL will process personal data covered by this DPA only:

  • on your documented instructions, including the configuration choices, feature activations, API calls, sync actions, and support requests you initiate through the Services;
  • as necessary to provide, secure, maintain, and support the Services under the Agreement; or
  • as required by applicable law, in which case we will notify you unless legally prohibited from doing so.

You are responsible for ensuring that your instructions comply with applicable law. If we reasonably believe an instruction would violate Data Protection Laws, we may suspend the relevant processing and notify you.

5. Nature, Purpose, and Duration of Processing

The nature of the processing may include collection, recording, organization, storage, consultation, transmission, synchronization, retrieval, analysis for support, restriction, deletion, and other operations necessary to provide the connected parts of Holy Resource.

The purpose of the processing is to provide the Services you enable, including licensing continuity, connected feature delivery, optional synchronization, support, fraud prevention, and operational security.

Processing continues for as long as required to provide the relevant Services, comply with the Agreement, and satisfy legally required retention obligations, unless a shorter period applies under your documented instructions or applicable law.

6. Categories of Data and Data Subjects

Depending on your use of Holy Resource, the personal data processed under this DPA may include:

  • member, family, visitor, and volunteer records;
  • staff, admin, and branch-user account details;
  • attendance, event, ministry, pastoral-care, scheduling, and communication records;
  • donation, finance, receipt, and transaction-reference data;
  • device, sync, diagnostic, and operational metadata associated with connected features;
  • message content, recipient identifiers, and delivery metadata where communications are routed through applicable connected services;
  • prompts, context, and generated content where AI-assisted features are enabled and routed through Found CTRL-managed infrastructure.

Relevant data subjects may include:

  • church members and visitors;
  • staff, administrators, volunteers, and contractors;
  • donors and event participants;
  • guardians, children, and family contacts where your organization lawfully processes that data;
  • your end users and support contacts.

7. Confidentiality and Personnel

Found CTRL will ensure that personnel authorized to process personal data covered by this DPA are subject to appropriate confidentiality obligations and access controls.

8. Security Measures

Found CTRL will implement reasonable technical and organizational measures appropriate to the risk, taking into account the nature of the processing and the local-first design of Holy Resource. These measures may include:

  • encryption or secure transport for networked operations where appropriate;
  • access controls for Found CTRL-operated systems and support workflows;
  • signing and integrity controls for update and release workflows;
  • authentication, token, and ownership-verification controls for licensing flows;
  • logging, monitoring, rate limiting, and anti-abuse safeguards;
  • environment separation, credential handling, and secure development practices.

No security measure is perfect, and you remain responsible for the security of your own devices, local databases, credentials, backups, branch-access configuration, and internal governance.

9. Subprocessors

You authorize Found CTRL to use subprocessors where reasonably necessary to provide the Services covered by this DPA.

Found CTRL will:

  • impose data protection obligations on subprocessors that are materially protective of the personal data they process;
  • remain responsible for the performance of its subprocessors to the extent required by applicable law;
  • maintain a public subprocessor list describing relevant subprocessors and connected service categories.

The current public list is available in the Holy Resource legal documentation.

10. International Transfers

Because Holy Resource is offered globally, personal data covered by this DPA may be processed outside the United Kingdom or the country where you are located. Where Data Protection Laws require transfer safeguards, Found CTRL will use an appropriate mechanism, which may include adequacy regulations, standard contractual clauses, the UK Addendum, or another legally recognized safeguard.

11. Assistance to Customer

Taking into account the nature of the processing and the information available to us, Found CTRL will provide reasonable assistance to help you:

  • respond to data subject requests;
  • assess and respond to security incidents;
  • perform data protection impact assessments where required; and
  • consult with regulators where applicable and where the law requires Processor assistance.

12. Security Incident Notification

If Found CTRL becomes aware of a confirmed personal data breach affecting personal data processed under this DPA, we will notify you without undue delay and provide reasonably available information about:

  • the nature of the incident;
  • the categories of data involved, where known;
  • likely consequences, where reasonably understood; and
  • measures taken or proposed to mitigate the impact.

Nothing in this section requires disclosure of information that would compromise the security of other customers, violate law, or disclose another customer's confidential information.

13. Deletion and Return

At the end of the applicable processing relationship, Found CTRL will delete or return personal data covered by this DPA to the extent required by the Agreement, your documented instructions, and applicable law.

You acknowledge that:

  • Holy Resource is local-first, so you generally control your primary Church Data locally;
  • some records, logs, backups, or audit materials may need to be retained for legal, fraud-prevention, dispute-resolution, or security purposes;
  • residual backup copies may persist for a limited period before secure deletion in the ordinary course.

14. Audit Information

Upon reasonable written request, and subject to confidentiality, security, and proportionality limits, Found CTRL will provide information reasonably necessary to demonstrate compliance with this DPA. Where the law requires a more formal audit right, the parties will work in good faith to scope it so that it does not unreasonably disrupt operations or compromise the security of other customers.

15. Liability

Each party's liability under this DPA is subject to the liability framework and exclusions in the Agreement, to the extent permitted by applicable law.

16. Conflict and Priority

If there is a conflict between this DPA and the Agreement with respect to processing governed by this DPA, this DPA controls to the extent of that conflict.

17. Contact

For privacy or DPA questions, contact:

Found CTRL Limited
Registered in England & Wales (No. 17079973)
Email: holyresource@foundctrl.com
Website: foundctrl.com

Last updated on

Was this helpful?

Privacy Policy

How Holy Resource handles data and privacy.

Subprocessor List

Current subprocessor and connected-service transparency for Holy Resource.

On this page

1. Definitions2. Role of the Parties3. Scope of Processing4. Customer Instructions5. Nature, Purpose, and Duration of Processing6. Categories of Data and Data Subjects7. Confidentiality and Personnel8. Security Measures9. Subprocessors10. International Transfers11. Assistance to Customer12. Security Incident Notification13. Deletion and Return14. Audit Information15. Liability16. Conflict and Priority17. Contact