1. Introduction
This Data Processing Agreement ("DPA") is entered into between Aurnet Ltd ("Processor") and the church or organisation subscribing to the Aurnet platform ("Controller"). This DPA forms part of the Terms of Service and governs the processing of personal data by Aurnet on behalf of the Controller, in compliance with UK GDPR, the Data Protection Act 2018, and EU GDPR.
2. Definitions
- •Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of GDPR.
- •Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
- •Data Subject: The identified or identifiable person to whom personal data relates (church members, attendees, visitors).
- •Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
3. Scope and Purpose of Processing
Aurnet processes personal data solely for the purpose of providing the church engagement platform services described in the Terms of Service. This includes:
- •Member registration, authentication, and profile management
- •Church communication (chat, notifications, announcements)
- •Event management and attendance tracking
- •Rota scheduling and duty assignment
- •Sermon and media content delivery
- •Donation processing via Stripe
- •Bible plan engagement and community notes
- •Prayer request and testimony management
4. Categories of Personal Data Processed
- •Identity Data: Name, email address, phone number, profile photo
- •Authentication Data: Password hashes (bcrypt), verification tokens
- •Special Category Data: Religious affiliation (church membership), prayer requests, testimonies — processed under Article 9(2)(d) and 9(2)(a)
- •Financial Data: Stripe customer identifiers, encrypted bank transfer details (AES-256-GCM)
- •Communication Data: Chat messages, sermon notes, Bible plan notes
- •Behavioural Data: Event RSVPs, attendance records, rota assignments, notification preferences
- •Technical Data: Push notification tokens, device platform, IP address (at consent time)
5. Obligations of the Processor (Aurnet)
Aurnet shall:
- •Process personal data only on documented instructions from the Controller, unless required by law
- •Ensure that persons authorised to process personal data have committed to confidentiality
- •Implement appropriate technical and organisational security measures (encryption, access controls, regular testing)
- •Not engage another processor without prior written authorisation of the Controller
- •Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
- •Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
- •Delete or return all personal data upon termination of services, at the choice of the Controller
- •Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28
6. Obligations of the Controller (Church)
The Controller shall:
- •Ensure there is a lawful basis for all personal data processing activities
- •Obtain appropriate consent from data subjects where required, particularly for special category data
- •Provide data subjects with privacy notices that accurately describe the processing activities
- •Inform Aurnet promptly of any data subject requests it receives directly
- •Ensure that instructions given to Aurnet comply with applicable data protection laws
- •Conduct Data Protection Impact Assessments where required
7. Sub-processors
The Controller provides general authorisation for Aurnet to engage the following sub-processors. Aurnet will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
- •Stripe (US): Payment processing for donations — PCI-DSS Level 1 compliant
- •Amazon Web Services (EU/US): Cloud infrastructure, S3 file storage — ISO 27001, SOC 2 certified
- •Expo (US): Mobile push notification delivery
- •Mux (US): Video streaming and processing for sermons
- •SMTP Provider: Transactional email delivery
8. International Data Transfers
Where personal data is transferred outside the UK/EEA (e.g., to US-based sub-processors), Aurnet ensures adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO and European Commission, or reliance on the EU-US Data Privacy Framework where applicable.
9. Security Measures
Aurnet implements the following technical and organisational measures:
- •Encryption at Rest: Sensitive financial data encrypted with AES-256-GCM
- •Encryption in Transit: All communications over HTTPS/TLS
- •Password Security: Passwords hashed with bcrypt (cost factor 10+)
- •Access Control: Role-based access control with church-level data isolation
- •Multi-tenancy: Strict data scoping ensures churches cannot access each other's data
- •Rate Limiting: API rate limiting to prevent abuse
- •Security Headers: HSTS, CSP, X-Frame-Options via Helmet.js
- •Token Security: Short-lived JWT access tokens (15 min) with rotating refresh tokens
- •Audit Logging: Admin actions (role changes, member management) are logged for accountability
10. Data Breach Notification
In the event of a personal data breach, Aurnet will notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, approximate number of data subjects, likely consequences, and measures taken to address the breach.
11. Data Subject Rights
Aurnet provides built-in tools to support data subject rights, and will assist the Controller in fulfilling requests:
- •Right of Access (Art 15): Data export available via Settings > Export My Data (JSON format)
- •Right to Rectification (Art 16): Members can update their profile data directly in the app
- •Right to Erasure (Art 17): Account deletion available via Settings > Delete Account — cascades across all data
- •Right to Data Portability (Art 20): JSON export includes all personal data in structured format
- •Right to Withdraw Consent: Consent withdrawal available via Settings > Privacy — enforced in notification processing
12. Data Retention
Aurnet applies the following automated retention policies:
- •Verification Tokens: Deleted after 24 hours (daily at 03:00)
- •Notifications: Deleted after 90 days (daily at 03:30)
- •Stale Push Tokens: Deleted after 180 days of inactivity (weekly)
- •Withdrawn Consents: Retained for 1 year for audit, then deleted (weekly)
- •Revoked Auth Tokens: Deleted after 24 hours (daily at 05:00)
- •Account Data: Retained until account deletion, then permanently removed
13. Audit Rights
The Controller has the right to conduct audits, including inspections, to verify Aurnet's compliance with this DPA. Aurnet will cooperate with reasonable audit requests and provide access to relevant documentation, systems, and facilities.
14. Duration and Termination
This DPA remains in effect for the duration of the Controller's subscription to Aurnet. Upon termination, Aurnet will delete or return all personal data within 30 days, unless retention is required by law. The Controller may request a data export before termination.
15. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising from this DPA will be subject to the exclusive jurisdiction of the courts of England and Wales.
16. Contact
- •Data Protection Enquiries: privacy@aurnet.co.uk
- •General Enquiries: info@aurnet.co.uk
- •Legal Enquiries: legal@aurnet.co.uk
- •Postal Address: Aurnet Ltd, 10 Shepherds Green Road, B24 8EX, Birmingham, United Kingdom