Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the PewPrep Terms of Service and governs the processing of personal data by PewPrep on behalf of the Customer ("Controller"). Where applicable, this DPA incorporates the Standard Contractual Clauses (SCCs) for international transfers.

1. Roles

The Customer is the Data Controller. PewPrep is the Data Processor. PewPrep processes personal data solely on the documented instructions of the Customer as set out in the Terms of Service and this DPA.

2. Categories of data

Personal data processed may include: names, email addresses, phone numbers, postal addresses, household relationships, giving history, attendance, prayer requests, and metadata associated with use of the Service.

3. Sub-processors

PewPrep engages the following sub-processors: Vercel (hosting), Supabase (database + storage), Anthropic (AI inference), OpenAI (Whisper transcription), Stripe (payments), Resend (transactional email), Twilio (SMS). Current list maintained at privacy@pewprep.com. Customer will be notified of any changes with 30 days' notice.

4. Security measures

PewPrep implements appropriate technical and organizational measures including TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access controls, audit logging, vulnerability disclosure program, and incident response procedures.

5. Data subject rights

PewPrep will assist the Customer in responding to data subject rights requests (access, erasure, portability, correction, restriction) within reasonable timeframes and at no additional cost for standard requests.

6. International transfers

Where personal data is transferred outside the EEA, UK, or other jurisdictions with data transfer restrictions, the parties agree to be bound by the Standard Contractual Clauses, available on request.

7. Audits

On reasonable written notice, PewPrep will make available information necessary to demonstrate compliance with this DPA. For Enterprise customers, on-site or remote audits may be arranged subject to mutually agreed conditions.

8. Termination + return/deletion

Upon termination of the Service, PewPrep will provide a complete data export and securely delete Customer Data within 30 days, except where retention is required by applicable law.

Signing

This DPA is automatically incorporated for Enterprise contracts. Customers on Essential, Plus, or Pro tiers may request a counter-signed copy by emailing legal@pewprep.com.