Data Processing Addendum
Effective date: June 15, 2026 Last updated: June 15, 2026
This Data Processing Addendum ("DPA") supplements and forms part of the Terms of Service or Master Subscription Agreement (the "Agreement") between Vestry LLC, a Virginia limited liability company located at 8401 Mayland Dr Ste A, Richmond, VA 23294-4648 ("Vestry" or "Processor"), and the customer that accepts the Agreement or uses the Service ("Customer" or "Controller"). It applies to the extent Vestry processes Personal Data on the Customer's behalf as a processor in connection with the Service.
How this DPA is entered into. The Customer enters into this DPA by accepting the Agreement or by using the Service; no separate signature is required for this DPA to be binding. Where a customer's compliance program requires a countersigned copy, the Customer may request one by contacting legal@getvestry.com.
In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls.
1. Definitions
For purposes of this DPA:
-
"Applicable Data Protection Laws" means all applicable laws and regulations governing the processing of Personal Data, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK General Data Protection Regulation ("UK GDPR") and the UK Data Protection Act 2018, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Texas Data Privacy and Security Act ("TDPSA"), the Maryland Online Data Privacy Act ("MODPA"), the New Jersey Data Privacy Act ("NJDPA"), the Oregon Consumer Privacy Act ("OCPA"), and other comparable US state consumer privacy laws as enacted from time to time, Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA"), Quebec's Loi 25 ("Quebec Law 25"), Alberta's Personal Information Protection Act, British Columbia's Personal Information Protection Act, the Australian Privacy Act 1988 and Australian Privacy Principles, and other applicable privacy laws.
-
"Controller" means the Customer.
-
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
-
"Personal Data" means any information relating to a Data Subject that is processed by Vestry on behalf of the Customer in connection with the Service. Personal Data has the meaning given in Applicable Data Protection Laws (or equivalent terms such as "personal information" under CCPA).
-
"Process," "Processing," and "Processed" mean any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, deletion, or destruction.
-
"Processor" means Vestry, processing Personal Data on behalf of the Customer.
-
"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
-
"Sub-Processor" means a third party engaged by Vestry to process Personal Data on Vestry's behalf in connection with the Service.
Capitalized terms not defined here have the meaning given in the Agreement or in Applicable Data Protection Laws.
2. Roles and Scope
2.1 Controller-Processor Relationship
For purposes of Applicable Data Protection Laws, the Customer is the Controller and Vestry is the Processor with respect to Personal Data Processed under the Agreement.
2.2 Subject Matter and Duration of Processing
The subject matter of Processing is the operation of the Service for the Customer's benefit. The duration of Processing is the term of the Agreement plus the data-retention periods described in Vestry's Privacy Policy.
2.3 Nature and Purpose of Processing
Vestry Processes Personal Data on the Customer's behalf for the purposes of: (a) providing, maintaining, and improving the Service; (b) authentication and access control; (c) payment processing; (d) error tracking and performance monitoring; (e) usability analytics; (f) communication with the Customer about the Service; (g) compliance with applicable law; and (h) other purposes described in the Privacy Policy.
2.4 Categories of Data Subjects
Personal Data Processed under this DPA may relate to: (a) the Customer's Authorized Users; (b) the Customer's church members or ministry contacts whose information is added to the Workspace; and (c) third parties whose information is included in Customer Content.
2.5 Categories of Personal Data
Personal Data Processed under this DPA may include: identification data (name, email address, role, profile image), authentication data (Supabase user ID, session tokens), contact data, device and connection metadata (IP address, browser, OS), worship-content data (services, song selections, prayer notes, custom song entries, imported song lists and their keys/tempo/notes, member rosters), payment data (handled by Stripe), and communications metadata.
2.6 Sensitive Personal Data
The Customer is solely responsible for ensuring that no sensitive personal data, special-category data, or regulated data (as described in the Vestry Acceptable Use Policy and the Vestry Privacy Policy) is contributed to the Service except as expressly authorized in the Agreement. Vestry has not represented or warranted that the Service is fit for the processing of HIPAA-regulated data, PCI-DSS data beyond Stripe's scope, or government-identifier data.
3. Vestry's Obligations as Processor
3.1 Compliance with Customer's Instructions
Vestry will Process Personal Data only on documented instructions from the Customer, including with regard to international transfers, except as required by Applicable Data Protection Laws. The Agreement, this DPA, and the Customer's configuration of the Service together constitute the Customer's documented instructions. If Vestry is required by law to Process Personal Data otherwise, Vestry will inform the Customer of that legal requirement before Processing, unless the law prohibits such notification.
3.2 Confidentiality
Vestry will ensure that personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
Vestry will implement appropriate technical and organizational measures to protect Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects. These measures include:
- Encryption of Personal Data in transit (TLS) and at rest;
- Access controls (role-based access, multi-factor authentication for administrative access, principle of least privilege);
- Continuous monitoring for security incidents;
- Regular review and update of security practices;
- Backup and recovery procedures;
- Personnel training on data-protection responsibilities;
- A documented incident-response process; and
- Periodic review of security posture against industry frameworks.
A more detailed description of Vestry's security measures is available on request and may be incorporated by reference as Annex II to this DPA.
3.4 Sub-Processors
The Customer authorizes Vestry to engage the Sub-Processors listed at getvestry.com/subprocessors (the "Sub-Processor List"), as updated from time to time. Vestry will:
(a) ensure that each Sub-Processor is bound by data-protection obligations no less protective than those in this DPA;
(b) notify the Customer at least 30 days before engaging a new Sub-Processor or replacing an existing one in a way that materially changes how Personal Data is handled, by email to the Customer's privacy contact and by updating the Sub-Processor List;
(c) provide the Customer a reasonable opportunity to object to a new Sub-Processor on data-protection grounds during the 30-day notice period, in which case the parties will work in good faith to resolve the objection (and if not resolved, the Customer may terminate the affected portion of the Agreement); and
(d) remain liable to the Customer for the acts and omissions of its Sub-Processors as if they were Vestry's own.
3.5 Data Subject Rights
Vestry will assist the Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws (including rights of access, rectification, deletion, portability, restriction, and objection) by providing reasonable technical and operational assistance. Where the Customer's Authorized Users can fulfill such requests through the self-service controls in the Service (account settings, deletion flow, export request), Vestry's assistance is limited to maintaining those controls.
If Vestry receives a Data Subject request directly, Vestry will: (a) promptly notify the Customer of the request; and (b) not respond to the request itself except as required by Applicable Data Protection Laws or with the Customer's instruction.
3.6 Security Incident Notification
In the event of a Security Incident affecting the Customer's Personal Data, Vestry will notify the Customer without undue delay and in any event within 72 hours after Vestry confirms the Security Incident, where feasible. The notification will include:
(a) a description of the nature of the Security Incident, including (where possible) the categories and approximate number of Data Subjects and records concerned;
(b) the name and contact details of the Vestry contact point for further information;
(c) a description of the likely consequences of the Security Incident; and
(d) a description of the measures Vestry has taken or proposes to take to address the Security Incident, including measures to mitigate its possible adverse effects.
If Vestry cannot provide all of this information within 72 hours, Vestry will provide what is available and supplement it as additional information becomes available.
3.7 Data Protection Impact Assessments
Vestry will provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments and prior consultations with supervisory authorities, where required by Applicable Data Protection Laws.
3.8 Audit Rights
Vestry will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. The Customer may, on reasonable prior written notice and no more than once per year (except in the event of a Security Incident or where required by a regulator), audit Vestry's compliance with this DPA. Where Vestry maintains a current SOC 2 Type II report or equivalent independent third-party audit, Vestry may satisfy this obligation by providing that report; until such a report is available, Vestry will reasonably cooperate with the Customer's audit, including by responding to a reasonable security questionnaire.
3.9 Deletion and Return of Personal Data
Upon termination of the Agreement, Vestry will, at the Customer's choice, delete or return all Personal Data Processed on the Customer's behalf, in accordance with the retention provisions of the Privacy Policy and the Agreement, except where Applicable Data Protection Laws require continued storage. The Customer may exercise this choice for up to 30 days after termination; thereafter, deletion proceeds automatically per the Privacy Policy.
4. International Data Transfers
4.1 Transfers from the EEA, UK, and Switzerland
Where Vestry transfers Personal Data of Data Subjects in the European Economic Area, the United Kingdom, or Switzerland to a country that does not benefit from an adequacy decision, the transfer is governed by the following lawful transfer mechanisms, applied in order:
(a) the EU-U.S. Data Privacy Framework (and the UK Extension and Swiss-U.S. DPF), where applicable Sub-Processors are self-certified — adopted by Commission Implementing Decision (EU) 2023/1795 and upheld by the EU General Court on September 3, 2025;
(b) the EU Standard Contractual Clauses (Module Two: Controller to Processor) adopted by the European Commission in Decision 2021/914, which the parties incorporate into this DPA by reference;
(c) the UK International Data Transfer Addendum to the EU SCCs (the "UK IDTA") for transfers from the United Kingdom; and
(d) the Swiss Federal Data Protection Authority's recognized SCC modifications for transfers from Switzerland.
The parties agree that the Customer is the data exporter and Vestry is the data importer. Annex I to this DPA (Description of Transfer) and Annex II (Technical and Organizational Measures) supplement the SCCs.
4.2 Onward Transfers to Sub-Processors
Sub-Processors located outside the EEA, UK, or Switzerland are subject to equivalent transfer mechanisms (typically the SCCs or other lawful transfer tools) in their agreements with Vestry.
5. CCPA / CPRA — Service-Provider Status
For purposes of CCPA / CPRA, Vestry acts as a service provider as defined in Cal. Civ. Code § 1798.140(ag). Vestry:
(a) Processes Personal Information only for the limited and specified purposes set forth in this DPA and the Agreement;
(b) does not sell or share Personal Information for cross-context behavioral advertising;
(c) does not retain, use, or disclose Personal Information outside of the direct business relationship with the Customer or for any commercial purpose other than providing the Service;
(d) does not combine Personal Information received from the Customer with Personal Information received from any other source, except as authorized by the Customer or for the operational purposes described in the Privacy Policy;
(e) will notify the Customer if Vestry determines it can no longer meet its CCPA / CPRA obligations as a service provider; and
(f) acknowledges the Customer's right to take reasonable and appropriate steps to ensure Vestry uses Personal Information consistent with the Customer's CCPA / CPRA obligations and to stop and remediate any unauthorized use.
This Section 5 also applies to equivalent service-provider / processor classifications under VCDPA, CPA, CTDPA, TDPSA, and other US state privacy laws.
6. Quebec Law 25 — Person in Charge
For purposes of Quebec's An Act to modernize legislative provisions as regards the protection of personal information ("Quebec Law 25"), Vestry's person in charge of personal information is Lawrence Chen, reachable at privacy@getvestry.com.
7. Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the Agreement, except to the extent that those limitations are unenforceable under Applicable Data Protection Laws (in which case the unenforceability is limited to what the law specifically requires).
8. Order of Precedence and Severability
In the event of conflict between this DPA and any other agreement between the parties (including the Agreement), this DPA controls with respect to Processing of Personal Data. If any provision of this DPA is held to be unenforceable, the remaining provisions remain in full force and effect.
9. Governing Law
This DPA is governed by the laws of the Commonwealth of Virginia, without regard to conflict-of-laws principles, except that the SCCs incorporated under Section 4.1 are governed by the law of an EU member state as specified in those clauses. Disputes arising from this DPA are subject to the dispute-resolution provisions of the Agreement.
Annex I — Description of Transfer (for SCCs)
Data Exporter: the Customer, as identified in its Vestry account and the Agreement.
Data Importer: Vestry LLC, a Virginia limited liability company located at 8401 Mayland Dr Ste A, Richmond, VA 23294-4648, United States.
Categories of Data Subjects: as described in Section 2.4 of this DPA.
Categories of Personal Data: as described in Section 2.5 of this DPA.
Special Categories of Data: none, except as the Customer specifically authorizes (see Section 2.6).
Frequency of Transfer: continuous.
Nature of Processing: as described in Section 2.3 of this DPA.
Purpose of Transfer: providing the Service to the Customer.
Period of Retention: as described in the Privacy Policy and Section 3.9 of this DPA.
Sub-Processors: as listed at getvestry.com/subprocessors.
Competent Supervisory Authority: the supervisory authority of the EU member state in which the data exporter is established (or, if the data exporter is not in the EU, the authority designated by Module Two of the SCCs).
Annex II — Technical and Organizational Measures
Available on request. This Annex describes Vestry's technical and organizational measures in detail, including encryption practices, access controls, authentication, monitoring, incident-response procedures, and personnel security. It is provided separately on request to customers who require it.
A summary is included in Section 3.3 of this DPA.
Acceptance
This DPA is entered into electronically. By accepting the Terms of Service or using the Service, the Customer agrees to this DPA, which forms part of the Agreement. No physical or electronic signature is required for this DPA to be binding. A countersigned copy is available to customers who require one for their records by contacting legal@getvestry.com.