Data Processing Addendum

Defined responsibilities for church-controlled data.

This Data Processing Addendum is a proposed operational baseline for customers that need written controller and processor terms. A signed version or order form is required to make it part of a customer agreement.

Version: 2026-07-18 · Effective: July 18, 2026

1. Parties, scope, and roles

This addendum applies when a customer and the Stewardex contracting entity sign or expressly incorporate it into an order. For personal data a church submits and controls, the church is the controller or business and Stewardex is the processor or service provider. Each party remains responsible for obligations applicable to its own role.

2. Processing instructions

Stewardex will process customer personal data only to provide, secure, support, maintain, and improve the contracted service; comply with documented customer instructions; or satisfy law. If an instruction appears unlawful, Stewardex may pause it and notify the customer.

3. Processing details

  • Subject matter: church inventory, identity, access, checkout, maintenance, reservation, audit, support, and related records.
  • Duration: the subscription or pilot term plus the documented return, deletion, and backup period.
  • People: church staff, volunteers, authorized users, borrowers, contacts, vendors, and other people a customer chooses to identify.
  • Data: names, business contact details, roles, department access, activity history, asset assignments, support communications, device and security evidence, and customer-selected record contents.
  • Purpose: operate the customer’s Stewardex workspace and fulfill the agreement.

4. Confidentiality and security

Stewardex will limit personal-data access to personnel and providers with a need to perform the service and confidentiality duties. Stewardex will maintain reasonable administrative, technical, and organizational safeguards appropriate to the service and risk, including authenticated access, role enforcement, tenant separation, audit records, managed infrastructure, and incident procedures. Additional current information appears on the Security page.

5. Subprocessors

The customer authorizes the providers on the Subprocessor List. Stewardex will contractually require subprocessors to protect customer personal data consistent with their function. Material additions will be handled under the notice and objection process stated in the signed addendum or order.

6. Requests and assistance

Considering the nature of processing and information available, Stewardex will reasonably assist the customer with verified data-subject requests, security assessments, breach obligations, and legally required impact assessments. The customer is responsible for deciding how to respond and for ensuring instructions are lawful.

7. Security incidents

Stewardex will notify the customer without undue delay after confirming a breach of customer personal data and will provide available information reasonably needed for the customer’s legal obligations. Notice is not an admission of fault. The customer will give Stewardex an accurate security contact and cooperate with containment.

8. Return and deletion

During an active account, authorized administrators can use available exports. After confirmed closure, Stewardex will delete or de-identify customer data according to the documented retention schedule unless law requires retention. Protected backup copies may remain until they age out and will remain restricted from ordinary use.

9. Audits

On reasonable written request and subject to confidentiality, Stewardex will provide information reasonably necessary to demonstrate compliance. The parties will first use current documentation and remote evidence. Any additional audit must avoid disrupting the service, protect other customers, occur no more than annually unless law or a material incident requires otherwise, and be paid by the customer unless it identifies a material breach by Stewardex.

10. International transfers

The parties will use a legally valid transfer mechanism when one is required for processing outside the data’s originating jurisdiction. Before supporting customers whose laws require special transfer terms, Stewardex and the customer will execute the applicable clauses.

11. Order of precedence and execution

A signed DPA controls over conflicting general Terms only for personal-data processing. The customer’s order form controls the commercial scope. This public page alone is not a signed DPA and does not identify the contracting legal entity, customer, governing order, security contact, or signatures.